Firefox Users Urged To Update Browser

Mozilla advisory urges update after discovery of zero-day vulnerability being exploited in the wild

Mozilla urges its 500 million Firefox users to update their browser immediately, as hackers are currently exploiting a zero-day flaw.

The Mozilla Foundation deemed the flaw so serious that it issued an advisory, as well as an emergency patch for those running Firefox 67.0.3 or Firefox ESR 60.7.1.

Mozilla takes its security seriously and regularly issues patches. Indeed, it takes security so seriously that in 2012 it withdrew Firefox 16 altogether after the discovery of a flaw that could allow a malicious site to see what websites users have been visiting.

Google search
Chrome and Firefox

Javascript flaw

But the latest flaw it seems concerns Javascript objects.

“A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop,” said Mozilla. “This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw.”

Users are advised to either restart the Firefox browser to trigger the update.

The Firefox bug was initially discovered by Samuel Gross from Google’s Project Zero security team, as well as Coinbase Security.

And at least one expert warned that the flaw is pretty big due to the sheer number of Firefox users around the world.

“As zero-day vulnerabilities go this one is pretty huge simply due to the number of Mozilla users globally,” said Brian Higgins, security specialist at Comparitech.com. “There is no user culpability here but, as is so often the case, the platform itself has rendered its users vulnerable to substantially impactful attack.”

“The Mozilla community are the latest victims of the global Tech ‘first to market’ business model so beloved of all of the major platform providers,” said Higgins. “The ‘release it first and patch it later’ approach is manifestly unfair on the end user community but, unfortunately, has been allowed to perpetuate for so long that it has become the norm.”

“Whilst they currently represent a huge threat surface for malicious actors, the only thing Mozilla users can usefully do right now is follow the advice from Mozilla and CISA,” he concluded. “Patch, Update and hope they’ve done it in time. After that they might consider looking around for a provider with a more ethical business model.”

A less scathing response came from another security expert, who noted that the exact details of the flaw are not fully available.

“The details on this vulnerability are not fully available, but the most concerning thing is that attackers can run code without user interaction beyond normal browsing,” said Javvad Malik, security awareness advocate at KnowBe4.

“A reminder that users should be wary of which sites they visit,” Malik added. “Beyond that, there is little that can be done beyond installing the latest patch and ensuring all machines are up to date.”

Busy period

It has been a busy period for Mozilla. Last week it unveiled its redesigned logo that features a bit less fox than before.

And it has hinted that a premium version of Firefox could be on the cards, that will include extra bits of functionality (cloud storage, VPN etc) for the discerning web user.

Mozilla also recently strengthened its privacy capabilities, when it included a free-of-charge desktop password manager called Firefox Lockwise.

Mozilla has also added Tracking Protection in Private Browsing, to stop firms like Facebook from scrapping people’s data.

Other privacy developments include a new interface for Firefox Monitor, which Mozilla launched last year to help users see if their login details have been leaked as part of a data breach.

And in March, Mozilla officially released its Firefox Send file-sharing service, after nearly two years of product testing.

Are you a Firefox fan? Try our quiz!