IT Professionals:
The University Information Security Office would like to make you aware of the following security bulletin about an actively exploited zero-day vulnerability in Mozilla Firefox.
Background
On January 8, 2020, the Mozilla Foundation released a security advisory to address a critical zero-day flaw in Mozilla Firefox that has been exploited in targeted attacks.[1]
To address CVE-2019-17026, Mozilla released Firefox 72.0.1 and Firefox ESR 68.4.1. Because this vulnerability has been exploited in targeted attacks, Firefox users are advised to upgrade as soon as possible.
Impact
CVE-2019-17026 is a type confusion vulnerability in IonMonkey[2], the JavaScript Just-In-Time (JIT) compiler for SpiderMonkey, Mozilla’s JavaScript engine. According to Mozilla’s advisory, the flaw exists in the JIT compiler due to “incorrect alias information for setting array elements,” specifically in StoreElementHole and FallibleStoreElement.
Users only need to visit a malicious website to be compromised; no further interaction is required. Successful exploitation of this vulnerability could allow arbitrary code execution in the context of the browser. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured with fewer rights on the system are less impacted than those who operate with administrative rights.
Platforms Affected
* Firefox versions prior to 72.0.1
* Firefox ESR versions prior to 68.4.1
* Tor Browser versions prior to 9.0.4
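The version boundaries above are easy to get wrong in an inventory query: a 68.x build is patched only if it is the ESR branch at 68.4.1 or later, while a non-ESR 70.x or 71.x build is still affected even though it is "newer" than 68.4.1. The following Python is an added example, not code from the UISO, Mozilla or the Tor Project, showing how to classify installed builds against the fixed releases named in this bulletin. It assumes that your inventory reports the product as "firefox" or "tor-browser" and the version in Mozilla's own format ("72.0", "68.4.1esr", "73.0b3"); the hostnames and versions in the sample inventory are constructed for the example.

```python
import re

# Fixed releases named in the advisories cited on this page; anything below is affected.
FIXED_VERSION = {
    "firefox": (72, 0, 1),
    "firefox-esr": (68, 4, 1),
    "tor-browser": (9, 0, 4),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?([a-z]+\d*)?$")


def parse_version(version):
    """Return ((major, minor, patch), suffix) for strings such as '72.0',
    '68.4.1esr' or '73.0b3'. A missing patch component is treated as 0."""
    m = _VERSION_RE.match(version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0)), (suffix or "")


def classify(product, version):
    """Classify an installed build as 'vulnerable', 'patched' or 'prerelease'.

    product is 'firefox' or 'tor-browser' (assumed inventory labels). The ESR
    branch is recognised from the 'esr' suffix Mozilla puts in its version string,
    so a release-channel 70.0.1 is compared against 72.0.1, not 68.4.1.
    """
    nums, suffix = parse_version(version)
    if product == "firefox" and suffix == "esr":
        key = "firefox-esr"
    elif product in FIXED_VERSION and suffix == "":
        key = product
    elif product in FIXED_VERSION:
        # Beta/alpha builds ('73.0b3', '9.5a3') follow their own fix schedule,
        # which this bulletin does not cover: hand them to a human instead of guessing.
        return "prerelease"
    else:
        raise ValueError(f"unknown product: {product!r}")
    return "patched" if nums >= FIXED_VERSION[key] else "vulnerable"


def hosts_needing_update(inventory):
    """inventory: iterable of (hostname, product, version) tuples. Returns the
    sorted list of hostnames running an affected build."""
    return sorted(
        host for host, product, version in inventory
        if classify(product, version) == "vulnerable"
    )


# Constructed sample inventory; hostnames and versions are made up for this example.
SAMPLE_INVENTORY = [
    ("ws-001", "firefox", "72.0"),        # one patch level short of the fix
    ("ws-002", "firefox", "72.0.1"),
    ("ws-003", "firefox", "68.4.0esr"),
    ("ws-004", "firefox", "68.4.1esr"),
    ("ws-005", "firefox", "70.0.1"),      # older release branch, still below 72.0.1
    ("ws-006", "tor-browser", "9.0.3"),
    ("ws-007", "tor-browser", "9.0.4"),
    ("ws-008", "firefox", "73.0b3"),      # beta: flagged for manual review
]

if __name__ == "__main__":
    for host, product, version in SAMPLE_INVENTORY:
        print(f"{host:8} {product:12} {version:10} {classify(product, version)}")
    print("needs update:", ", ".join(hosts_needing_update(SAMPLE_INVENTORY)))
```

Running the script against the sample inventory flags ws-001, ws-003, ws-005 and ws-006 for update and leaves the beta build for manual review; feed it the (hostname, product, version) rows exported from SCCM or JAMF to get the same list for real workstations.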
Local Observations
SCCM IT Pros have deployed the upgrade in UDT (Leveraged Services) and are planning to expedite the deployment on UDM workstations.
JAMF Pro IT Pros have deployed patches for Firefox.
UISO Recommendations
* Apply appropriate updates provided by Mozilla to vulnerable systems, immediately after appropriate testing.
* Upgrade Tor Browser to 9.0.4 or later[3]
* Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
* Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
* Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.
* Apply the Principle of Least Privilege to all systems and services.
Links:
1: https://www.mozilla.org/en-US/security/advisories/mfsa2020-03/
2: https://wiki.mozilla.org/IonMonkey
3: https://blog.torproject.org/new-release-tor-browser-904
–IT Community Partnerships on behalf of the University Information Security Office
~~~~~ Today’s IT Pro Tip ~~~~~
Would you like to see an infoshare on a specific topic? Send your suggestion to talk2uits@iu.edu – we’ll try to arrange it.