Firefox Critical Zero-Day Being Exploited: Patch NOW

Mozilla’s Firefox browser has a nasty new bug. Rated “critical,” the vulnerability is being actively exploited in the wild, by malefactors unknown.

We don’t know when exploits began, but the bug appears to be 8 years old. It’s yet another failure of the open source JIT-compilation code Firefox relies on to—y’know—do modern web stuff.

Oh, what a tangled web we weave. In today’s SB Blogwatch, we practice to deceive.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: PPP.


Drop Everything

What’s the craic? Sergiu Gatlan reports—“Mozilla Firefox 72.0.1”:

 [The] critical and actively exploited severity vulnerability … could potentially allow attackers to execute code … on machines running vulnerable Firefox versions. … The type confusion vulnerability tracked as CVE-2019-17026 impacts the web browser’s IonMonkey Just-In-Time (JIT) compiler and it occurs when incorrect alias information is fed for setting array elements.

This security patch comes a day after Firefox 72.0 was released with fixes for another 11 security vulnerabilities. … Of the five high-severity vulnerabilities, four could potentially be used by attackers for arbitrary code execution.

All users should install the patched Firefox release by manually checking for the new update by going to … About Firefox.

And Dan Goodin adds—“Firefox gets patch for critical 0-day that’s being actively exploited”:

 A type confusion [is] a potentially critical error that can result in data being written to, or read from, memory locations that are normally off-limits. … Out-of-bounds reads may allow attackers to discover memory locations where malicious code is stored so that protections such as address space layout randomization can be bypassed. Out-of-bounds reads can also cause crashes.

The patching of CVE-2019-17026 comes seven months after Mozilla patched a pair of potent zero-days that attackers exploited in an attempt to install an undetected backdoor on Macs used by cryptocurrency exchange Coinbase. … Firefox users should install the patch as soon as practical.

What if it’s not practical? ve55 suggests a workaround:

 For anyone who is unable or unwilling to update, setting the following two values to ‘false’ in about:config should patch this:
javascript.options.baselinejit
javascript.options.ion
I cannot 100% confirm this as I haven’t found a PoC in the wild yet.
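To check whether that workaround is actually in place across a fleet of profiles, here is an added example (mine, not ve55’s or Mozilla’s code) that parses the `user_pref("name", value);` lines Firefox writes to prefs.js and user.js and reports whether both JIT prefs are explicitly false. The sample prefs.js contents are constructed for illustration; a pref that is absent counts as “not applied,” because Firefox then falls back to its default (JIT enabled).

```python
"""Audit a Firefox profile's prefs.js/user.js for the JIT-disabling workaround.

Added example (not from the original post): parses the user_pref(...) lines
Firefox writes to prefs.js and user.js, and reports whether both
javascript.options.baselinejit and javascript.options.ion are set to false.
"""
import re

# Preferences the quoted workaround sets to false.
JIT_PREFS = ("javascript.options.baselinejit", "javascript.options.ion")

# user_pref("name", value);  -- value is true/false, an integer, or a quoted string.
_PREF_RE = re.compile(
    r'^\s*user_pref\("([^"]+)",\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\);'
)


def parse_prefs(text):
    """Return {pref_name: value} for every user_pref(...) line in text.

    Later lines override earlier ones, which matches how Firefox applies them.
    """
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a user_pref() call
        name, raw = m.group(1), m.group(2)
        if raw == "true":
            value = True
        elif raw == "false":
            value = False
        elif raw.startswith('"'):
            value = raw[1:-1]
        else:
            value = int(raw)
        prefs[name] = value
    return prefs


def jit_workaround_applied(text):
    """True only if both JIT prefs are explicitly set to false.

    A missing pref means Firefox's default applies (JIT enabled), so it counts
    as not applied.
    """
    prefs = parse_prefs(text)
    return all(prefs.get(p) is False for p in JIT_PREFS)


def missing_or_enabled(text):
    """List the JIT prefs that are absent or not false, for a report."""
    prefs = parse_prefs(text)
    return [p for p in JIT_PREFS if prefs.get(p) is not False]


# Constructed sample of a prefs.js with the workaround fully applied.
SAMPLE_PATCHED = '''// Mozilla User Preferences
user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1578000000);
user_pref("javascript.options.baselinejit", false);
user_pref("javascript.options.ion", false);
'''

# Constructed sample where only one of the two prefs was changed.
SAMPLE_PARTIAL = '''user_pref("javascript.options.ion", false);
user_pref("browser.startup.homepage", "about:blank");
'''

if __name__ == "__main__":
    for label, text in (("patched", SAMPLE_PATCHED), ("partial", SAMPLE_PARTIAL)):
        print(label, jit_workaround_applied(text), missing_or_enabled(text))
```

Point it at the prefs.js inside each profile directory (or at a deployed user.js) and treat anything other than an empty `missing_or_enabled()` list as a host still running the JIT.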

Feeling JITtery? John E. Dunn ’splains—“Update your Firefox right now!”:

 Simply put, a JIT compiler takes JavaScript source code, as you’ll find in most web pages these days, and converts it to executable computer code, so that the JavaScript runs directly inside Firefox as if it were a built-in part of the app. This typically improves performance.

Ironically, most modern apps implement what’s called DEP, short for Data Execution Prevention, a threat mitigation that helps stop crooks from sending over what looks like innocent data but then tricking the app into running that data as if it were an already-trusted program. … But JIT compilers have to exempt themselves from DEP controls, because converting data to code and running it is precisely what they do.

 Some Linux distros and many businesses stick to Firefox’s Extended Support Release (ESR). … If you are an ESR user, you need to update to 68.4.1esr to get this patch. … Unfortunately, Tor … hasn’t got its 68.4.1esr update out yet [but] keep your eyes out for an update – a zero-day attack that works against the browser in Tor could undo the anonymity and privacy that made you choose Tor in the first place.
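Because the fixed version differs by channel (72.0.1 for the regular release, 68.4.1esr for ESR, as quoted above), a naive “is it 72 yet?” check misfiles ESR hosts. Here is an added example (mine, not from the original post or from Mozilla) that classifies reported Firefox version strings per channel and triages a constructed host inventory; the hostnames and versions are made up, and strings it cannot classify (nightly/beta builds such as “73.0a1”) are reported as unknown rather than guessed.

```python
"""Decide whether a reported Firefox version carries the CVE-2019-17026 fix.

Added example, not from the original post: the fixed versions named in the
quoted text are 72.0.1 for the regular release and 68.4.1esr for ESR.
"""
import re

FIXED_RELEASE = (72, 0, 1)
FIXED_ESR = (68, 4, 1)

# major.minor[.patch][esr]; anything else (nightly "73.0a1", betas) is rejected.
_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(esr)?$")


def parse_version(version):
    """Return ((major, minor, patch), is_esr), or None if the string is not a
    plain release/ESR version string."""
    m = _VER_RE.match(version.strip())
    if not m:
        return None
    major, minor, patch, esr = m.groups()
    return (int(major), int(minor), int(patch or 0)), esr is not None


def is_patched(version):
    """True if version is at or above the fixed version on its own channel,
    False if older, None if the string could not be classified."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    tup, is_esr = parsed
    return tup >= (FIXED_ESR if is_esr else FIXED_RELEASE)


def triage(inventory):
    """Split a {host: version} inventory into patched / unpatched / unknown lists."""
    result = {"patched": [], "unpatched": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        status = is_patched(version)
        key = "unknown" if status is None else ("patched" if status else "unpatched")
        result[key].append(host)
    return result


# Constructed inventory: hostnames and versions are illustrative only.
SAMPLE_INVENTORY = {
    "ws-01": "72.0.1",     # regular release, fixed
    "ws-02": "72.0",       # one release short of the fix
    "ws-03": "68.4.1esr",  # ESR, fixed
    "ws-04": "68.4.0esr",  # ESR, one release short
    "ws-05": "73.0a1",     # nightly: channel rules above do not apply
    "ws-06": "60.9.0esr",  # old ESR line, well behind 68.4.1esr
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

The ESR comparison deliberately keys on the `esr` suffix rather than the major number: a plain “68.4.1” without the suffix is a regular-channel string and is judged against 72.0.1, which is the conservative reading.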

But why does this keep happening? samanthaj opines thuswise:

 Bugs in the JIT code are important but if Firefox was sandboxing webpages to the same extent as Chrome this would not have been a critical issue. Chrome is designed to assume there will be bugs and that even if you can freely execute CPU code in the webpage’s process nothing bad will happen.
Of course even that is not perfect but checking the CVEs it’s about 10x less likely to allow a critical issue like this. Mozilla is apparently working toward getting to the same level of sandboxing as Chrome.

Oh dear. rvz seconds that emotion:

 Oh dear. We also had a previous zero-day fixed around 7 months ago. But again, there are more critical bugs vs moderate ones.

It goes to show the sheer complexity of developing open-source browsers. The problem is starting to look far more complicated than just swapping in languages, since there is a lot to think about in a browser.

Isn’t it about time we heard from a Rust advocate? kodemizer obliges:

 It’s worth noting that these kinds of Zero Day vulnerabilities related to memory safety issues are one of the core reasons that Mozilla is investing in the Rust programming language. By slowly moving Firefox’s legacy C++ codebase to Rust, Mozilla is in the process of removing the possibility of these vulnerabilities for good.

How long has the bug been lurking? mirages has seen things you people wouldn’t believe:

 Date introduced seems Thu, 02 Feb 2012.

Meanwhile, bthylafh is easy for you to say:

 All software sucks. All hardware sucks. It’s just a matter of how and how much.

And Finally:

Arguably Elvis’s greatest song, but sung by a 6’8″ Pierrot-cum-Pagliacci

Trigger warnings: clown; crown; baritown [You’re fired—Ed.]

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hate mail may be directed to @RiCHi or sbbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Peter Trimming (cc:by)