01-10-2020 , 05:05 PM
Quote:Mozilla released Firefox 72.0.1 and Firefox ESR 68.4.1 to patch a critical and actively exploited severity vulnerability that could potentially allow attackers to execute code or trigger crashes on machines running vulnerable Firefox versions.
As Mozilla's security advisory says, the Firefox developers are "aware of targeted attacks in the wild abusing this flaw" which could make it possible for attackers who successfully exploit it to abuse affected systems.
The Firefox and Firefox ESR zero-day flaw fixed by Mozilla was reported by a research team from Qihoo 360 ATA.
The type confusion vulnerability tracked as CVE-2019-17026 impacts the web browser's IonMonkey Just-In-Time (JIT) compiler and it occurs when incorrect alias information is fed for setting array elements.
This type of security flaw can lead to out-of-bounds memory access in languages without memory safety which, in some circumstances, can lead to code execution or exploitable crashes.
Potential attackers could trigger the type confusion flaw by redirecting users of unpatched Firefox versions to maliciously crafted web pages.
Continue reading HERE