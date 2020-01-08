Loading...

Image: Mozilla

Mozilla today released Firefox v72.0.1, a new version of the Firefox web browser that resolves a vulnerability that is being actively exploited in the wild.

The vulnerability affects IonMonkey, a JavaScript JIT compiler for SpiderMonkey, the main body of Firefox that handles JavaScript operations (the Firefox JavaScript engine).

The vulnerability is categorized as a type of confusion, a memory error where a memory input is initially assigned as one type, but switched to another type during manipulation, which has unexpected consequences for data processing.

“Incorrect alias information in IonMonkey’s JON compiler for setting array elements can lead to confusion of the type,” Firefox developers said today in a security advisory.

There is no information available about how the vulnerability is being used in the wild.

Mozilla has credited the Chinese cyber security company Qihoo 360 for finding and reporting the bug.

In a now deleted tweet, Qihoo 360 Core said that there is also a corresponding zero day for Internet Explorer that is also under active attacks.

A security vendor tweeted about a continuous attack with IE and Firefox zero days … then regretted and removed the tweet.

I’ll see you, buddy! I see you!!! pic.twitter.com/4PMEEbbxnc

– Catalin Cimpanu (@campuscodi) January 7, 2020

A Qihoo 360 spokesperson did not respond to a request for comment. Microsoft has not issued out-of-band security updates for Internet Explorer.

This is the third zero day of Firefox that Mozilla patched over the past year. They have previously patched two zero days last June (1, 2). The zero days were used in attacks on Coinbase staff members. Earlier today, Mozilla released Firefox 72, which improves privacy, reduces notification spam, and includes proprietary security solutions.

Firefox users can update to Firefox 72.0.1 using the browser’s built-in updater Help out -> About Firefox.