
Mozilla patches critical Firefox security flaw


Mozilla has released a new update for Firefox which fixes a serious vulnerability that was allegedly being actively exploited. Firefox version 72.0.1 fixes what’s known as a type confusion vulnerability, a memory bug that can ultimately allow an attacker to execute code on a vulnerable machine.

It impacts IonMonkey, the JavaScript JIT compiler of SpiderMonkey, which is essentially the JavaScript engine for Firefox.

"Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion," Firefox developers said in a security advisory today.

“We are aware of targeted attacks in the wild abusing this flaw,” the advisory added, without going into details on how exactly it was being used.

Mozilla thanked Qihoo 360, a Chinese cybersecurity firm, for finding and reporting the flaw.

According to ZDNet, Qihoo 360 Core also tweeted that Internet Explorer has a zero-day that’s being actively used. The tweet has since been deleted, and the company’s spokesperson declined a request for comment. Microsoft is also keeping quiet.

Besides this one, Mozilla has patched two zero-day flaws in Firefox within the last 12 months. Both previous flaws were used to attack employees of cryptocurrency exchange Coinbase.

The new version doesn’t just address this vulnerability; it includes other fixes as well. Firefox 72 comes with improvements in privacy and in notification spam. Other security fixes have also made it into the patch.

Firefox users interested in updating to the latest version can do so directly through the browser, by navigating to Help > About Firefox.