Mozilla released a security update for a critical zero-day vulnerability that affects the Firefox browser and the vulnerability fixed in 72.0.1 and Firefox ESR 68.4.1.
The vulnerability affects both Firefox, Firefox ESR and the successful exploitation of the vulnerability could lead an attacker to execute the malicious code remotely or trigger to crashes on machines that running with vulnerable Firefox versions.
The critical zero-day vulnerability was initially discovered by Qihoo 360 ATA researchers and the bug can be tracked as CVE-2019-11707.
The bug Affects Web browsers IonMonkey type confusion with StoreElementHole and FallibleStoreElement, Mozilla said.
It indicates that the attackers attempt to exploit a Type Confusion vulnerability and it can be triggered when incorrect alias information in IonMonkey JIT compiler for setting array elements.
Type confusion vulnerability occurs when a piece of code doesn’t verify the type of object that is passed to it and it could lead to exploit this vulnerability by tricking a user into visiting a malicious web page and execute arbitrary code within the context of the application.
This new Firefox Zero-Day vulnerability affects the browsers Just in Time Compiler and it is currently used for targeted attacks in the wild.
Since the further detailed information was not available at the time, we have reached Qihoo 360 for further information about the exploitation for this Firefox zero-day vulnerability but there is no response at the time of writing.
Mozilla released Firefox 72.0.1 and Firefox ESR 68.4.1. You can download the new Firefox version for all platform here
While this Firefox Zero-Day vulnerability was exploited in targeted attacks, Firefox users are advised to upgrade as soon as possible.