Firefox 0-day Being Abused in the Wild

The Mozilla Foundation issued a security advisory for users of its Firefox web browser on January 8th. The flaw, CVE-2019-17026, was originally reported to Mozilla by the security firm Qihoo 360 and involves Firefox’s IonMonkey JavaScript Just-in-Time (JIT) compiler. A JIT compiler is responsible for compiling JavaScript to run inside the browser, which can greatly increase performance. According to Mozilla, “Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion. We are aware of targeted attacks in the wild abusing this flaw.” The advisory is brief for now and offers little detail on how, or how widely, the flaw is being exploited in the wild.

Analyst Notes

Users of Mozilla Firefox should update immediately to Firefox 72.0.1 or Firefox ESR 68.4.1. This can be done through the browser’s built-in update feature, but the update may need to be run manually, depending on the configured update preferences. Be cautious about clicking links from untrusted sources. Anti-virus products should be kept up to date on workstations and personal devices to help protect against any threats that may arise. EDR (endpoint detection and response) or MDR (managed detection and response) solutions can also help spot threats before they begin to spread.
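To check a fleet against the fixed versions named above, the following added example (not part of the original post) flags hosts still below Firefox 72.0.1 or Firefox ESR 68.4.1. It assumes an inventory of tab-separated host names and `firefox --version` output, and that ESR builds report an `esr` suffix; the host names and sample lines are constructed.

```python
import re

# Fixed versions named in the analyst notes above.
FIXED = {"release": (72, 0, 1), "esr": (68, 4, 1)}

# Assumption: version strings look like "Mozilla Firefox 68.4.1esr".
VERSION_RE = re.compile(r"Firefox\s+(\d+(?:\.\d+){0,2})(esr)?", re.IGNORECASE)

def parse_version(text):
    """Return (channel, (major, minor, patch)), or None if no version is found."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))  # "72.0" -> (72, 0, 0)
    channel = "esr" if m.group(2) else "release"
    return channel, tuple(parts)

def needs_update(text):
    """True if below the fixed build, False if not, None if unparseable."""
    parsed = parse_version(text)
    if parsed is None:
        return None
    channel, version = parsed
    return version < FIXED[channel]

def audit(lines):
    """Map 'host<TAB>version string' inventory lines to a status per host."""
    report = {}
    for line in lines:
        host, _, version_text = line.partition("\t")
        status = needs_update(version_text)
        report[host] = {True: "UPDATE", False: "ok", None: "UNKNOWN"}[status]
    return report

# Constructed sample inventory (hypothetical hosts).
SAMPLE = [
    "ws-001\tMozilla Firefox 72.0.1",
    "ws-002\tMozilla Firefox 72.0",
    "ws-003\tMozilla Firefox 68.4.1esr",
    "ws-004\tMozilla Firefox 68.4.0esr",
    "ws-005\tMozilla Firefox 68.4.1",  # ESR suffix lost: judged as release
    "ws-006\tfirefox: command not found",
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(host, status)
```

A version string without the `esr` suffix is compared against the release threshold, so an ESR build whose suffix was dropped by the inventory tool is flagged for review rather than passed.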

Source: https://www.mozilla.org/en-US/security/advisories/mfsa2020-03/, https://nakedsecurity.sophos.com/2020/01/09/browser-zero-day-update-your-firefox-right-now/