Update Firefox now! Zero-day found in the wild

Mozilla has fixed a critical zero-day bug in the latest releases of the Firefox web browser. The flaw allows attackers to run their own code by exploiting the browser with malicious JavaScript, and attackers are already targeting Firefox in the wild.

The bug affects both Firefox and its enterprise counterpart, Extended Support Release (ESR). According to Mozilla’s advisory:

A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop.

Programmers use JavaScript’s array object to contain a collection of items. pop is a command that they can use to remove the last element of an array.

A type confusion vulnerability happens when a program doesn’t check the type of a data item that is passed to it. It might assume it’s getting a number, for example, when it actually gets a string. If it doesn’t check, then it can mishandle the data item, potentially destabilising its code.
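To make the missing type check concrete, here is an added example in C. It is not Firefox's code and not taken from Mozilla's advisory. It is a simplified, constructed model in which every name (Value, Array, array_pop, increment_unchecked, increment_checked) is hypothetical, showing a function that trusts a popped value to be a number beside one that checks first.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a dynamically typed value: a tag plus a payload. */
typedef enum { TAG_NUMBER, TAG_STRING } Tag;
typedef struct {
    Tag tag;
    union {
        intptr_t number;   /* valid only when tag == TAG_NUMBER */
        const char *str;   /* valid only when tag == TAG_STRING */
    } as;
} Value;
typedef struct { Value items[8]; int len; } Array;

/* Remove and return the last element; 0 on success, -1 if the array is empty. */
int array_pop(Array *a, Value *out) {
    if (a->len == 0) return -1;
    *out = a->items[--a->len];
    return 0;
}

/* Flawed: assumes every value is a number and never looks at the tag.
 * Handed a string, it does arithmetic on the bits of a pointer. */
intptr_t increment_unchecked(Value v) {
    return v.as.number + 1;
}

/* Hardened: verify the tag before touching the payload, reject mismatches. */
int increment_checked(Value v, intptr_t *out) {
    if (v.tag != TAG_NUMBER) return -1;
    *out = v.as.number + 1;
    return 0;
}

int main(void) {
    Array a = { .len = 2 };
    a.items[0] = (Value){ .tag = TAG_NUMBER, .as.number = 41 };
    a.items[1] = (Value){ .tag = TAG_STRING, .as.str = "not a number" };
    Value v;
    intptr_t r;
    while (array_pop(&a, &v) == 0) {
        if (increment_checked(v, &r) == 0)
            printf("checked: %ld\n", (long)r);
        else
            printf("checked: rejected a non-number\n");
    }
    return 0;
}
```

The unchecked function returns a value derived from a memory address rather than from any number the program stored, which is the kind of mishandling the paragraph above describes.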

In this case, the effect is catastrophic, the advisory warned:

This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw.
