Zero-Day Vulnerability in Mozilla Firefox Exploited in Targeted Attacks

January 10, 2020

By Satnam Narang on January 8th, 2020 – On January 8, Mozilla Foundation released a security advisory to address a critical zero-day flaw in Mozilla Firefox, which has been exploited in targeted attacks.

Analysis

CVE-2019-17026 is a type confusion vulnerability in IonMonkey, the JavaScript Just-In-Time (JIT) compiler for SpiderMonkey, Mozilla’s JavaScript engine. According to Mozilla’s advisory, the flaw exists in the JIT compiler due to “incorrect alias information for setting array elements,” specifically in StoreElementHole and FallibleStoreElement.

The vulnerability was reported to Mozilla by researchers at Qihoo 360 ATA. Mozilla’s advisory states they are “aware of targeted attacks in the wild abusing this flaw.” Based on this note in the advisory, it appears the vulnerability was exploited in the wild as a zero-day. Further information about the exploitation was not available at the time this blog post was published.

This advisory follows the release of Firefox 72 and Firefox Extended Support Release (ESR) 68.4 on January 7, which included the following security advisories:

Last year, Mozilla patched CVE-2019-11707, another type confusion flaw that was used in conjunction with CVE-2019-11708, a sandbox escape vulnerability in targeted attacks.

Proof of concept

At this time, no proof of concept is available for this vulnerability.

Solution

To address CVE-2019-17026, Mozilla released Firefox 72.0.1 and Firefox ESR 68.4.1. Because this vulnerability has been exploited in targeted attacks, Firefox users are advised to upgrade as soon as possible.

Identifying affected systems

A list of Tenable plugins to identify this vulnerability will appear here as they’re released.

Get more information


Windows 7 support to end on January 14, 2020; Satnam Narang, Senior Research Engineer, comments on the importance of migration plans

January 10, 2020

With Windows 7 and Windows Server 2008 coming to end of life on 14 January, meaning patching and technical support via Microsoft’s support center will no longer be available for these products. This means continuing to use either operating system after this date will put your system at risk of attack from new and unpatched vulnerabilities. Running your business on an outdated (and unsupported) system is a huge security risk.

 

Satnam Narang, Senior Research Engineer at Tenable said, “With Microsoft discontinuing support for Windows 7 and Windows Server 2008 on January 14, it is imperative that consumers and businesses take steps to ensure their systems are not vulnerable. In December 2019, Microsoft released fixes for CVE-2019-1458, an elevation of privilege vulnerability that was exploited in the wild. It affects both Windows 7 and Windows 2008 systems. Users of Windows 7 and Windows Server 2008 who opt not to migrate to newer versions are at risk of being preyed upon by bad actors, leaving them vulnerable to attacks especially since these systems won’t be supported by Microsoft. We strongly encourage consumers and businesses to take stock of what Windows 7 or Windows Server 2008 assets remain and make immediate plans for migration.


%d bloggers like this: