Mozilla patches Firefox zero-day reported by Qihoo 360

Chinese security firm claims there's also an accompanying Internet Explorer zero-day.

Image: Mozilla

Mozilla today released Firefox 72.0.1, a new version of the Firefox web browser that fixes a vulnerability being actively exploited in the wild.

The vulnerability affects IonMonkey, the just-in-time (JIT) compiler built into SpiderMonkey, the JavaScript engine at Firefox's core that executes all of the browser's JavaScript.

The vulnerability was categorized as a type confusion, a memory-safety bug in which an object is allocated as one type but later handled as another; code then reads or writes that memory under the wrong assumptions, with consequences ranging from corrupted data to the ability to execute code on a vulnerable system.
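The following C program is an added illustration of the type-confusion pattern described above; it is not Firefox or SpiderMonkey code and does not reproduce the IonMonkey bug. It uses a constructed, hypothetical tagged-value array: a "fast path" checks element types once, a side-effecting call then changes one element's type, and the stale assumption causes a string pointer to be read as an integer. The guarded path re-checks the tag at the point of use and reports the mismatch instead. All names (`Value`, `sum_stale`, `sum_guarded`, and so on) are assumptions made for this example.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Illustration only: a toy tagged-value representation, not SpiderMonkey's. */
typedef enum { TAG_INT, TAG_STR } Tag;

typedef struct {
    Tag tag;
    union {
        int32_t i;
        const char *s;
    } u;
} Value;

/* Unchecked read: trusts the caller's belief about the element type.
 * If that belief is stale, pointer bytes are read as an integer. */
static int32_t read_int_unchecked(const Value *v) {
    return v->u.i;
}

/* Checked read: consults the tag at access time.
 * Returns 0 on success, -1 when the element is not an integer. */
static int read_int_checked(const Value *v, int32_t *out) {
    if (v->tag != TAG_INT) return -1;
    *out = v->u.i;
    return 0;
}

/* Side-effecting routine that swaps an int element for a string.
 * Stands in for any code that may run between a type check and a use.
 * Does nothing when idx is out of range (used to model "no mutation"). */
static void replace_with_string(Value *arr, size_t n, size_t idx) {
    if (idx >= n) return;
    arr[idx].tag = TAG_STR;
    arr[idx].u.s = "not an int";
}

/* Constructed input: n integer elements holding 1..n. */
static void make_int_array(Value *arr, size_t n) {
    for (size_t k = 0; k < n; k++) {
        arr[k].tag = TAG_INT;
        arr[k].u.i = (int32_t)(k + 1);
    }
}

/* Vulnerable pattern: verify types once, run side effects, then keep
 * using the old verdict. The element at mutate_idx is now a string, but
 * it is summed as if it were an int; the result is meaningless. */
static int64_t sum_stale(Value *arr, size_t n, size_t mutate_idx) {
    for (size_t k = 0; k < n; k++) assert(arr[k].tag == TAG_INT); /* one-time check */
    replace_with_string(arr, n, mutate_idx);                      /* invalidates it */
    int64_t total = 0;
    for (size_t k = 0; k < n; k++) total += read_int_unchecked(&arr[k]);
    return total;
}

/* Hardened pattern: re-check each element's tag at the point of use, so a
 * change made in between is detected rather than misinterpreted.
 * Returns 0 and writes the sum, or -1 and the offending index. */
static int sum_guarded(Value *arr, size_t n, size_t mutate_idx,
                       int64_t *sum, size_t *bad_idx) {
    replace_with_string(arr, n, mutate_idx);
    int64_t total = 0;
    for (size_t k = 0; k < n; k++) {
        int32_t x;
        if (read_int_checked(&arr[k], &x) != 0) { *bad_idx = k; return -1; }
        total += x;
    }
    *sum = total;
    return 0;
}

/* Scenario: four ints, element 2 swapped for a string. Returns the index the
 * guarded sum flags, or -1 if nothing was flagged. */
static int demo_confusion_index(void) {
    Value arr[4];
    make_int_array(arr, 4);
    int64_t s = 0;
    size_t bad = 0;
    return sum_guarded(arr, 4, 2, &s, &bad) == 0 ? -1 : (int)bad;
}

/* Scenario: four ints, no mutation. Returns the guarded sum (1+2+3+4). */
static int64_t demo_clean_sum(void) {
    Value arr[4];
    make_int_array(arr, 4);
    int64_t s = 0;
    size_t bad = 0;
    return sum_guarded(arr, 4, 4, &s, &bad) == 0 ? s : -1;
}

int main(void) {
    Value arr[4];
    make_int_array(arr, 4);
    printf("stale sum (garbage, pointer read as int): %lld\n",
           (long long)sum_stale(arr, 4, 2));
    printf("guarded: confused element at index %d\n", demo_confusion_index());
    printf("guarded, no mutation: sum = %lld\n", (long long)demo_clean_sum());
    return 0;
}
```

The point of the guarded version is where the check happens, not that a check exists: a type verdict is only valid until the next operation that can change the object, so any fast path built on such a verdict must either re-check or prove that nothing in between can invalidate it.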

"Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion," Firefox developers said in a security advisory today.

No information is available on how the vulnerability is being used in the wild.

Mozilla credited Chinese cyber-security firm Qihoo 360 with finding and reporting the bug.

In a now-deleted tweet, Qihoo 360 Core said there is also an accompanying Internet Explorer zero-day that is under active attack.

A Qihoo 360 spokesperson did not reply to a request for comment. Microsoft did not issue any out-of-band security updates for Internet Explorer.

This is the third Firefox zero-day that Mozilla has patched over the last year. They previously patched two zero-days last June [1, 2]. The zero-days were used in attacks against Coinbase staffers. Earlier today, Mozilla released Firefox 72, which improves privacy, cuts down on notification spam, and includes its own security fixes.

Firefox users can update to Firefox 72.0.1 by using the browser's built-in updater found in Help --> About Firefox.