Mozilla has released a security update, Firefox 67.0.3 and Firefox ESR 60.7.1, that fixes a critical zero-day vulnerability.
The Mozilla Foundation Security Advisory (MFSA 2019-18) includes a fix for one critical zero-day “type confusion” vulnerability, CVE-2019-11707.
Specifically, an attacker could manipulate JavaScript objects due to issues in Array.pop, which could then lead to an exploitable crash. Mozilla credited Samuel Groß of Google Project Zero and Coinbase Security for the discovery of the vulnerability.
Although this update addresses only a single flaw, bad actors are already exploiting the vulnerability in the wild.
“We are aware of targeted attacks in the wild abusing this flaw,” Mozilla warned in the advisory.
So, organizations should place high priority on updating Firefox to the latest version.
Update on 6/20/19:
Mozilla has since released Firefox 67.0.4 and Firefox ESR 60.7.2, each of which fixes a high-severity “sandbox escape” zero-day vulnerability, CVE-2019-11708. An attacker could exploit this flaw in combination with CVE-2019-11707 to execute arbitrary code on the target computer.
Tenable also provided an update on the latest Firefox zero-day threat in an updated blog post.
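Because the fix is split across two releases on each channel (67.0.3 then 67.0.4 for the release branch; ESR 60.7.1 then 60.7.2), an inventory check has to decide which of the two CVEs a given build still lacks. The following Python helper is an added example, not code from Mozilla or Tenable; it takes the fixed versions from the advisory text above and assumes that ESR builds report their version with an `esr` suffix (as in `60.7.1esr`) while release builds do not, and that the `inventory` lines are constructed sample data.

```python
import re

# Fixed versions as stated in the advisory text: the first release on each
# channel fixed CVE-2019-11707, the follow-up release fixed CVE-2019-11708.
FIXES = {
    "release": [((67, 0, 3), "CVE-2019-11707"), ((67, 0, 4), "CVE-2019-11708")],
    "esr": [((60, 7, 1), "CVE-2019-11707"), ((60, 7, 2), "CVE-2019-11708")],
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?")


def parse_version(raw):
    """Parse strings such as 'Mozilla Firefox 67.0.3', '60.7.1esr' or '66.0'.

    Returns (channel, (major, minor, patch)).  Assumption: ESR builds carry an
    'esr' suffix on the version string; anything without it is treated as the
    release channel.
    """
    m = _VERSION_RE.search(raw)
    if not m:
        raise ValueError(f"no Firefox version found in {raw!r}")
    major, minor, patch, esr = m.groups()
    version = (int(major), int(minor), int(patch or 0))
    channel = "esr" if esr else "release"
    return channel, version


def missing_fixes(raw):
    """Return the advisory CVEs that the given build does not yet contain.

    A build older than the first fixed version on its channel lacks both
    CVEs; a build at the first fixed version lacks only the sandbox-escape
    fix; a build at or past the second fixed version lacks nothing.
    """
    channel, version = parse_version(raw)
    return [cve for fixed_in, cve in FIXES[channel] if version < fixed_in]


def triage(inventory):
    """Map each host to the CVEs it still needs, given 'host<TAB>version' lines."""
    report = {}
    for line in inventory:
        host, _, version = line.partition("\t")
        report[host] = missing_fixes(version)
    return report


if __name__ == "__main__":
    # Constructed sample inventory (host, reported Firefox version).
    inventory = [
        "ws-101\tMozilla Firefox 67.0.2",
        "ws-102\tMozilla Firefox 67.0.3",
        "ws-103\tMozilla Firefox 67.0.4",
        "srv-01\tMozilla Firefox 60.7.1esr",
        "srv-02\tMozilla Firefox 60.7.2esr",
    ]
    for host, cves in triage(inventory).items():
        status = "needs update for " + ", ".join(cves) if cves else "patched"
        print(f"{host}: {status}")
```

Builds on either channel that predate the first fix are flagged for both CVEs, so an ESR 52 or release 66 install is reported as needing the update rather than falling through a gap in the version table.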