Update Firefox now! Zero-day found in the wild

Mozilla has fixed a critical zero-day bug in the latest point releases of the Firefox web browser. The security flaw allows attackers to run their own code by exploiting the browser with malicious JavaScript, and people are already targeting Firefox users in the wild.

The bug affects both Firefox and its enterprise counterpart, Extended Support Release (ESR). According to Mozilla’s advisory:

"A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop."

Programmers use JavaScript’s Array object to hold a collection of data items. Its pop method removes the last element of an array.

A type confusion vulnerability happens when a program doesn’t check the type of a data item that is passed to it. It might assume it’s getting a number, for example, when it actually gets a string. If it doesn’t check, then it can mishandle the data item, potentially destabilising its code.
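The mistake described above, shown as an added example that is not taken from Mozilla's advisory or from Firefox's code: a toy tagged-value store in which one reader trusts that a slot holds a number and another checks the type tag first. The class, tag values and slot layout are hypothetical and exist only for this illustration.

```javascript
// Added illustration: toy tagged-value store, not Firefox or SpiderMonkey code.
const TAG_NUMBER = 1, TAG_STRING = 2;   // hypothetical type tags
const SLOT_SIZE = 8;                    // 1 tag byte, 3 padding bytes, 4 payload bytes

class SlotStore {
  constructor(slots) {
    this.view = new DataView(new ArrayBuffer(slots * SLOT_SIZE));
  }
  putNumber(i, n) {
    this.view.setUint8(i * SLOT_SIZE, TAG_NUMBER);
    this.view.setUint32(i * SLOT_SIZE + 4, n);
  }
  putString(i, s) {                     // stores up to 4 ASCII characters
    this.view.setUint8(i * SLOT_SIZE, TAG_STRING);
    for (let k = 0; k < 4; k++) {
      const byte = k < s.length ? s.charCodeAt(k) : 0;
      this.view.setUint8(i * SLOT_SIZE + 4 + k, byte);
    }
  }
  // Flawed: assumes the slot holds a number and never looks at the tag.
  readNumberUnchecked(i) {
    return this.view.getUint32(i * SLOT_SIZE + 4);
  }
  // Hardened: verifies the tag before interpreting the payload.
  readNumberChecked(i) {
    const tag = this.view.getUint8(i * SLOT_SIZE);
    if (tag !== TAG_NUMBER) {
      throw new TypeError(`slot ${i}: expected number, got tag ${tag}`);
    }
    return this.view.getUint32(i * SLOT_SIZE + 4);
  }
}

function demo() {
  const store = new SlotStore(2);
  store.putNumber(0, 42);               // constructed sample values
  store.putString(1, "AAAA");
  let rejected = false;
  try { store.readNumberChecked(1); } catch (e) { rejected = e instanceof TypeError; }
  return {
    ok: store.readNumberChecked(0),            // correct type: value comes back intact
    confused: store.readNumberUnchecked(1),    // string bytes misread as a number
    rejected,                                  // checked reader refuses the string slot
  };
}
```

The unchecked reader returns the string's bytes as if they were a number, while the checked reader raises a TypeError instead of acting on data of the wrong type.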

In this case, the effect is catastrophic, the advisory warned:

"This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw."
