Vulnerability in Mozilla Firefox Could Allow for Arbitrary Code Execution

January 13, 2020

Summary

Mozilla has published an out-of-band patch for Mozilla Firefox and Firefox Extended Support Release (ESR). It fixes a type confusion vulnerability in IonMonkey, the just-in-time (JIT) compiler of Mozilla's SpiderMonkey JavaScript engine; according to Mozilla's advisory, incorrect alias information in IonMonkey when setting array elements can lead to the type confusion. This vulnerability is identified as CVE-2019-17026. [1]

Mozilla’s advisory states they are “aware of targeted attacks in the wild abusing this flaw.” That statement indicates the vulnerability was being exploited before a fix was available, i.e. as a zero-day. [2]

Firefox downloads updates in the background but applies them only when the browser is restarted. Users should restart Firefox as soon as possible to apply the update, particularly users who leave their machines and browsers active for long sessions. Opening the About Firefox dialog also triggers an update check and shows the installed version.

Impact

  • Successful exploitation could allow an attacker to execute arbitrary code in the context of the user running Firefox

Vulnerable

  • Firefox versions prior to 72.0.1

  • Firefox ESR versions prior to 68.4.1
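The two thresholds above are easy to get wrong in inventory scripts because the ESR line (68.x) is numerically lower than the fixed release version (72.0.1) yet is fixed at 68.4.1. The POSIX shell function below classifies a Firefox version string against both thresholds. It is an added example for this advisory, not Mozilla's or MS-ISAC's code; it assumes the string comes from `firefox --version` on Linux/macOS (e.g. "Mozilla Firefox 72.0.1") or from the Version value in Firefox's application.ini (e.g. "68.4.0esr"), and that an "esr" suffix identifies an ESR build.

```shell
#!/bin/sh
# Added example (not part of the advisory): classify a Firefox version string
# as vulnerable or fixed for CVE-2019-17026.
# Fixed versions per the advisory: Firefox 72.0.1 and Firefox ESR 68.4.1.

# ver_lt A B C X Y Z : succeed when A.B.C is numerically lower than X.Y.Z
ver_lt() {
    if [ "$1" -lt "$4" ]; then return 0; fi
    if [ "$1" -gt "$4" ]; then return 1; fi
    if [ "$2" -lt "$5" ]; then return 0; fi
    if [ "$2" -gt "$5" ]; then return 1; fi
    if [ "$3" -lt "$6" ]; then return 0; fi
    return 1
}

# firefox_status VERSION_STRING : print "vulnerable", "fixed" or "unknown".
# Accepts "Mozilla Firefox 72.0.1", "72.0", "68.4.0esr", "Firefox 72.0.1 (64-bit)".
firefox_status() {
    raw=$1
    # Keep the first dotted numeric version and an optional "esr" tag.
    ver=$(printf '%s\n' "$raw" | sed -n 's/^[^0-9]*\([0-9][0-9.]*\)\(esr\)\{0,1\}.*$/\1\2/p')
    if [ -z "$ver" ]; then
        echo unknown
        return 0
    fi
    esr=no
    case $ver in
        *esr) esr=yes; ver=${ver%esr} ;;
    esac
    # Split major.minor.patch; a missing field counts as 0 ("72.0" == "72.0.0").
    old_ifs=$IFS
    IFS=.
    set -- $ver
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    # The ESR line is fixed at 68.4.1; the release line at 72.0.1.
    # A non-ESR 68.x build is still "prior to 72.0.1" and therefore vulnerable.
    if [ "$esr" = yes ]; then
        fx=68; fy=4; fz=1
    else
        fx=72; fy=0; fz=1
    fi
    if ver_lt "$major" "$minor" "$patch" "$fx" "$fy" "$fz"; then
        echo vulnerable
    else
        echo fixed
    fi
    return 0
}

# Command-line use: sh check.sh "$(firefox --version)"  (exits 1 when vulnerable)
if [ $# -gt 0 ]; then
    status=$(firefox_status "$1")
    echo "$status"
    [ "$status" != vulnerable ] || exit 1
fi
```

A version string without digits yields "unknown" rather than a false "fixed", so hosts where the version could not be read show up for manual review instead of silently passing.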

Recommendations

We recommend the following actions be taken:

  • Apply the updates provided by Mozilla (Firefox 72.0.1 or later, Firefox ESR 68.4.1 or later) to vulnerable systems immediately after appropriate testing

  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack

  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources

  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources

  • Apply the Principle of Least Privilege to all systems and services

References

[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17026

[2] https://www.mozilla.org/en-US/security/advisories/mfsa2020-03/