We’re just 10 days into 2020, and already we have our first critical security flaw. It comes from Mozilla’s popular Firefox browser, and it’s so dangerous, the Homeland Security Cybersecurity and Infrastructure Security Agency is warning users about it.
The good news is that it’s already been patched. The bad news is that it’s already being exploited in the wild. And it’s about as bad as it can get. In technical terms, as Mozilla explains, “Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion. That means that an attacker could exploit the Javascript code to surreptitiously hack a user’s PC and install malicious code outside of Firefox. Mozila says it is “aware of targeted attacks in the wild abusing this flaw,” but doesn’t give any information about how widespread the attacks are.
The Department of Homeland Security echoed that warning and urged users to “apply the necessary updates.” The government regularly tracks malware and vulnerabilities, but rarely do consumer apps rise to the level of a cyber alert.
The bug was first detected by Chinese security company Qihoo 360 just two days after the initial update was released, according to TechCrunch. The vulnerability is patched in Firefox 72.0.1 and Firefox Extended Support Release (ESR) 68.4.1. Firefox should check for updates immediately upon launch, but if you’ve disabled that setting, you can update your browser in the General tab inside settings.