Mozilla has patched a Firefox zero-day vulnerability (CVE-2019-17026) that is being exploited in attacks in the wild and is urging Firefox and Firefox ESR users to update their installations as soon as possible.
According to the accompanying security advisory, the vulnerability was flagged by researchers with Chinese internet security company Qihoo 360 and is being actively abused by attackers.
That’s the extent of the information that’s currently available regarding this flaw, although, according to Catalin Cimpanu, the company let it slip that there is an accompanying Internet Explorer zero-day abused in these ongoing attacks.
Previous zero-days and attacks
The last Firefox zero-day before this one was plugged in June 2019. In fact, there were two: CVE-2019-11707 (also a type confusion flaw) and CVE-2019-11708 (a sandbox escape). Together they were used (unsuccessfully) against Coinbase employees.
Whether this latest flaw is being used for a similar purpose or for an alternative one (e.g., de-anonymization of Tor Browser users) is unknown.
Whatever the case, the Tor Project has announced they will be releasing a new version of the Tor Browser to implement Mozilla’s fix “soon”.