Mozilla fixes a zero-day vulnerability in Firefox that was actively exploited by hackers

Yesterday, Mozilla released a patch for its Firefox browser that fixes a zero-day bug. According to online sources, the vulnerability was actively exploited by attackers, but Mozilla representatives have not yet commented on this information.


The vulnerability affects the IonMonkey JavaScript JIT compiler for SpiderMonkey, one of the main components of the Firefox core that handles JavaScript operations. Experts classified the problem as a "type confusion" vulnerability, a mismatch between data types in which information written to memory is first defined as one data type but later, due to certain manipulations, is treated as another type. Using this vulnerability, attackers could remotely execute arbitrary code on the attacked system.

According to available data, the vulnerability was discovered by specialists from the Chinese company Qihoo 360. Company representatives said that they are aware of a number of cases in which the vulnerability was used in practice by attackers. It is worth mentioning that a message recently appeared on the Qihoo 360 Twitter account stating that the company had discovered an actively exploited zero-day vulnerability in the Internet Explorer browser. However, this post was later deleted.

The vulnerability was fixed in Firefox 72.0.1 and Firefox ESR 68.4.1. Firefox users are advised to update their browser to the latest version to avoid becoming victims of malicious attacks.
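For administrators who need to confirm that a fleet has the update, the following is an added example (not from the article or from Mozilla) that checks inventoried Firefox version strings against the two fixed versions named above, treating the release and ESR channels separately. It assumes version strings in the form printed by `firefox --version`, such as `Mozilla Firefox 68.4.1esr`; the host names and inventory are constructed.

```python
import re

# Fixed versions as stated in the article.
FIXED_RELEASE = (72, 0, 1)
FIXED_ESR = (68, 4, 1)

_VERSION_RE = re.compile(r"\d+(?:\.\d+){0,2}")


def parse_version(text):
    """Return ((major, minor, patch), is_esr), or None if no version is found.

    Assumption: ESR builds carry "esr" somewhere in the string.
    Suffixes other than "esr" are ignored.
    """
    match = _VERSION_RE.search(text)
    if not match:
        return None
    parts = [int(p) for p in match.group(0).split(".")]
    parts += [0] * (3 - len(parts))  # "72.0" -> (72, 0, 0)
    return tuple(parts), "esr" in text.lower()


def has_fix(version_text):
    """True/False for a parsed version, None when the string is unparseable."""
    parsed = parse_version(version_text)
    if parsed is None:
        return None
    version, is_esr = parsed
    # A release-channel 68.x is compared against 72.0.1, not the ESR threshold.
    return version >= (FIXED_ESR if is_esr else FIXED_RELEASE)


def audit(inventory):
    """Map host -> finding for every host that is not confirmed as fixed."""
    findings = {}
    for host, version_text in inventory.items():
        result = has_fix(version_text)
        if result is not True:
            findings[host] = "unparseable" if result is None else "needs update"
    return findings


# Constructed sample inventory (hypothetical hosts).
SAMPLE = {
    "ws-01": "Mozilla Firefox 72.0.1",
    "ws-02": "Mozilla Firefox 72.0",
    "ws-03": "Mozilla Firefox 68.4.1esr",
    "ws-04": "Mozilla Firefox 68.4.0esr",
    "ws-05": "Mozilla Firefox 68.0.2",
    "ws-06": "unknown",
}
```

Hosts reported as "unparseable" should be checked by hand rather than assumed to be updated.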



Source: 3dnews.ru
