Firefox 67.0.3 fixes 0-day vulnerability

by Martin Brinkmann on June 19, 2019 in Firefox

Mozilla released a new update for the Firefox web browser, Firefox 67.0.3, on June 19, 2019 to address a 0-day vulnerability in the browser. A new Firefox ESR (Extended Support Release) version, Firefox ESR 60.7.1, is also available.

Firefox 67.0.3 is a security release for the Stable channel of the web browser. Firefox users may run a manual check for updates to update the browser to the new version; this is done by selecting Menu > Help > About Firefox.

Firefox checks whether an update is available, and downloads and installs it if that is the case.

The new version of the web browser is also already available as a download on the Mozilla website. Firefox ESR downloads are provided on a download page for organizations.

The release notes are available but they don’t reveal much; the only issue that is fixed in the release is the security issue. A link points to Mozilla’s Security Advisories website. ZDNet’s Catalin Cimpanu has some insights on the security issue.

The vulnerability was reported by Samuel Groß, a member of Google’s Project Zero security team, and Coinbase Security.

Mozilla describes the issue in the following way:

A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw.

Mozilla is aware of targeted attacks that exploit the issue but did not provide specifics. It seems likely that the attacks are related to cryptocurrency because of the involvement of Coinbase Security.

Firefox users and admins are encouraged to update the web browser as soon as possible to address the security issue in the browser.
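For admins who need to confirm which machines still run a vulnerable build, the following added example (not from Mozilla or the original article) classifies version strings against the two fixed versions named above. It assumes the strings come from `firefox --version`, which prints `Mozilla Firefox <version>` with an `esr` suffix on ESR builds; the host names and inventory are constructed sample data.

```python
import re

# Fixed versions named in the article, one per channel.
FIXED_RELEASE = (67, 0, 3)
FIXED_ESR = (60, 7, 1)

# Matches "67.0", "67.0.3" or "60.7.1esr". Pre-release strings such as
# "68.0b3" deliberately do not match and are reported as unknown.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?\b", re.IGNORECASE)


def parse_version(text):
    """Return ((major, minor, patch), is_esr), or None if unparseable."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    return version, m.group(4) is not None


def is_patched(text):
    """True if at or above the fixed version for its channel, False if
    below it, None if the string could not be parsed."""
    parsed = parse_version(text)
    if parsed is None:
        return None
    version, is_esr = parsed
    return version >= (FIXED_ESR if is_esr else FIXED_RELEASE)


def needs_update(inventory):
    """Return hosts whose Firefox is unpatched or could not be identified."""
    return sorted(host for host, ver in inventory.items()
                  if is_patched(ver) is not True)


# Constructed sample inventory (hypothetical hosts).
SAMPLE_INVENTORY = {
    "ws-01": "Mozilla Firefox 67.0.3",
    "ws-02": "Mozilla Firefox 67.0.2",
    "ws-03": "Mozilla Firefox 60.7.0esr",
    "ws-04": "Mozilla Firefox 60.7.1esr",
    "ws-05": "Mozilla Firefox 66.0",
    "ws-06": "unknown",
}

if __name__ == "__main__":
    for host in needs_update(SAMPLE_INVENTORY):
        print(f"{host}: update required ({SAMPLE_INVENTORY[host]})")
```

Hosts with an unparseable version string are listed as needing attention rather than silently treated as patched.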

Firefox 67.0.3 is the third stable release of the web browser after the release of Firefox 67.0. Firefox 67.0.1 and Firefox 67.0.2 were smaller bug fix releases; none patched security issues in Firefox though.