Firefox 72.0.1 fixes a security vulnerability that is actively exploited

Mozilla has released Firefox 72.0.1, a new stable version of the Firefox web browser. The release may come as a surprise to many, considering that Firefox 72.0 was released just a few days ago. Firefox ESR, the Extended Support Release aimed specifically at organizations and users who need stability with regard to changes, has also been updated, to Firefox ESR 68.4.1.
While it is not uncommon for Mozilla to release a minor update, or even several, between major Firefox releases, it is rare for one to ship just days after a major release.
Firefox 72.0.1 fixes a security vulnerability in the web browser that is being actively exploited, according to Mozilla. The release notes list the security fix as the only change in the new release.
Mozilla's Security Advisories hub lists a single vulnerability patched in Firefox 72.0.1. It carries a rating of critical, Mozilla's highest severity, reserved for flaws that can be used to run attacker code and install software with no user interaction beyond normal browsing.
The description provides the following information:
CVE-2019-17026: IonMonkey type confusion with StoreElementHole and FallibleStoreElement
Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion. We are aware of targeted attacks in the wild abusing this flaw.
Reported by Qihoo 360 ATA, the vulnerability lies in IonMonkey, the optimizing Just-in-Time (JIT) compiler in SpiderMonkey, Firefox's JavaScript engine: the compiler's alias analysis for stores into array elements was incorrect, which can let optimized code treat memory as the wrong type. Since the flaw is exploited in the wild, Mozilla had to react quickly and release a patch.
The new versions of the Firefox web browser, Firefox 72.0.1 and Firefox ESR 68.4.1 are already available. Firefox users can download the latest release from Mozilla's website or use the built-in updating functionality to update the browser this way.
A click on Menu > Help > About Mozilla Firefox runs a manual check for updates. The browser should pick up the new version and install it automatically on the system.
Firefox users are encouraged to update the browser as soon as possible to protect it against attacks targeting the vulnerability. Mozilla's advisory lists the fix as landing in Firefox 72.0.1 and Firefox ESR 68.4.1, so any earlier release on either channel should be treated as vulnerable, as should forks and distribution packages built from the older SpiderMonkey sources until they carry the same fix.
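For anyone who has to answer "which of my installs still need this update", the following check encodes the two fix levels from the advisory (72.0.1 on the release channel, 68.4.1 on ESR) and compares a Firefox version string against them. It is an added example written for this article, not Mozilla's code. It assumes that ESR builds carry an "esr" marker after the version number, as the output of firefox --version does, and that the application.ini file next to the Firefox binary has a Version= key in its [App] section; the sample strings in the block are constructed, not captured from real hosts.

```python
"""Check whether a Firefox version string is at or past the fix level for
CVE-2019-17026 (Firefox 72.0.1 / Firefox ESR 68.4.1 per Mozilla's advisory).
Added example for this article, not Mozilla code."""
import configparser
import re
import subprocess

# Fix levels from the advisory, one per channel.
FIXED_RELEASE = (72, 0, 1)
FIXED_ESR = (68, 4, 1)

# First run of up to three dot-separated integers in the text.
_VERSION_RE = re.compile(r"(\d+(?:\.\d+){0,2})")


def parse_version(text):
    """Return (version_tuple, is_esr) for strings such as
    'Mozilla Firefox 72.0.1', '68.4.1esr' or '68.4.1esr-1~deb10u1'.

    The tuple is padded to three components so '72.0' sorts below '72.0.1'.
    ESR builds are recognised by the 'esr' marker they print after the
    version number (assumption: distro packages keep that marker)."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no Firefox version found in %r" % text)
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))
    is_esr = "esr" in text.lower()
    return tuple(parts), is_esr


def is_fixed(version_text):
    """True if the build described by version_text includes the fix.
    A string without the esr marker is judged against the release baseline,
    which errs on the side of flagging an install as vulnerable."""
    parts, is_esr = parse_version(version_text)
    baseline = FIXED_ESR if is_esr else FIXED_RELEASE
    return parts >= baseline


def version_from_application_ini(ini_text):
    """Pull Version= from the [App] section of application.ini, the file that
    sits next to the Firefox binary. Useful on Windows, where firefox.exe
    --version prints nothing to the console."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    return cp["App"]["Version"]


def installed_version(binary="firefox"):
    """Ask a local Firefox binary for its version string (Linux/macOS)."""
    out = subprocess.run([binary, "--version"], capture_output=True,
                         text=True, check=True).stdout
    return out.strip()


if __name__ == "__main__":
    # Constructed sample strings, not output captured from real machines.
    for sample in ("Mozilla Firefox 72.0.1", "Mozilla Firefox 72.0",
                   "Mozilla Firefox 68.4.1esr", "Mozilla Firefox 70.0.1"):
        print(sample, "->", "fixed" if is_fixed(sample) else "VULNERABLE")
    try:
        local = installed_version()
        print(local, "->", "fixed" if is_fixed(local) else "VULNERABLE")
    except (OSError, subprocess.CalledProcessError) as exc:
        print("could not query local firefox:", exc)
```

On macOS the binary is usually not on PATH; pass the full path to installed_version (for a standard install, /Applications/Firefox.app/Contents/MacOS/firefox). For hosts that cannot be updated immediately, setting javascript.options.ion to false in about:config disables IonMonkey, the JIT tier the advisory names, at a noticeable JavaScript performance cost; treat that as a stop-gap rather than a substitute for the update.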


Martin, Techspot has Firefox 72.0.2 in their Download section. It will be released today I guess. I don’t have it yet on my Firefox when checking for updates.
According to what I read on msfn.org, setting this preference to false will mitigate the problem: javascript.options.ion
However there is a performance hit.
From what I know it was the Tor browser people who let this be known.
My system will not allow me to use FF 72 or 68 so I reset all my preferences as above. If you have legacy products, this might end up being your only option.
This is a very questionable one.
Discovered by China, alerted by USA.
Asking on Reddit (which is now owned by China) about this bug's availability restrictions will get you a pretty fast ban (the first rule, bois).
Are they oversmarting themselves?
After some discussion about the topic I was permabanned by calling myself a moron in a PM.
Nice job /r/firefox. Wish that cancelling life were much easier, would do it for u mz.
U.S. Department of Homeland Security Urges Firefox Users to Install Update Amid Active Attack
“The vulnerability was first discovered by Chinese company Qihoo 360 two days after the release of Firefox 72, but there is no word on how long the bug has been exploited nor who used the vulnerability or who might have been targeted. This is the third zero-day vulnerability that Mozilla has addressed within the last year.”
https://www.macrumors.com/2020/01/10/mozilla-firefox-update-vulnerability/
Why the *… is Mozilla blocking people from seeing what the bug is about???
Have to register and log in to read… gatekeeping BS.
https://bugzilla.mozilla.org/show_bug.cgi?id=1607443
Details about this vulnerability can be found here:
https://packetstormsecurity.com/files/152304/SpiderMonkey-IonMonkey-Type-Confusion.html
So what does it mean; how can this vulnerability be exploited and what for? What about earlier versions of FF, and what about clones?
If I refer to the French security bulletin published by CERT-FR, it appears that the following are affected:
– Firefox versions prior to 72.0.1
– Firefox versions prior to ESR 68.4.1
“https://www.cert.ssi.gouv.fr/alerte/CERTFR-2020-ALE-003/”
It appears that most of the online news articles about the Firefox 72.0.1 update that fixes the new vulnerability fail to mention how far back into previous versions of Firefox this vulnerability goes, and even whether Firefox/Mozilla’s downstream clones/derivatives are affected. Even Firefox’s bug write-up page is not clear on the matter and requires a login to go any further into it.
Folks who may be having compatibility issues with any of the newer/recent “Stable” Firefox versions may have little choice, and the lack of full information about the older Firefox versions being affected has me guessing that there are some other intents going on here that are not helping any end users.
I’d been running Firefox 70.0.1 (because my heavily customized environment breaks whenever I update it). This alert forced me to update to 72.0.1, and sure enough, all my custom tabs arrangements broke. (I like tabs and some other items to be on the bottom of the browser window.)
I tried various “solutions” from reddit but none worked. I probably could have figured it out myself using the browser-development tools, but that could take days, because I’d have to learn the changes they made to the FF DOM and to other code before figuring out the new CSS needed.
Luckily I found the correct code on github, and it works great. If anyone else here hacks at userchrome.css and likes their tabs on the bottom of the window, the code on this page worked for me in FF 72.0.1:
Another problem I had with the new version is that it froze every time I tried to close a tab or window, and I had to force-quit Firefox several times. Eventually the problem went away (keeping fingers crossed). I have no idea what was going on with that, but it’s all working OK for now.
In my original post, I included the URL to find the code on Github. Somehow that URL disappeared, and now my post makes little sense, or at least isn’t helpful. Does this forum prohibit (or automatically remove) any URLs included in someone’s comment?
https://archive.mozilla.org/pub/firefox/releases/72.0.1/
I’m running an earlier version of FF than FF 72.0, should I be worried?
I had Firefox 72.0.1 for Mac installed automatically and found it would not start up at all.
I uninstalled it and reinstalled version 71.0 from my clone disk and that did start up normally. I tried several times to reinstall version 72.0.1 manually but it refused to start up. Is this a problem for Mac Users? Does this version of Firefox have system requirements?
Lou
Did you try new profile (without deleting old)? I think reinstalling is a rare solution.
Firefox 72.0.2 works well in macOS 10.15.2, but it depends on whether the profile is broken or not. I haven’t yet updated Firefox on Linux Mint or Windows.
Thanks Martin,
Really great that Mozilla Firefox is decisive and handling this quickly, updating to repair this JavaScript (IonMonkey JIT compiler) security risk, and by doing so is not working the Microsoft way.
Do you know whether this is related to the dynamic scrollbars based on page color integration in Firefox 72?
And thanks to Ghacks.net for reporting this security problem so quickly back to me.
You can block this in about:config (until available)
What and how to block “it” under about:config??
Updated Firefox ESR 68.4.1 and…well…it works!
I’ve updated ESR whenever an update exists; never had a problem. No config changes, no reinstallation of “features” folder, just an update.
Windows? Well, that’s updated weeks after there’s general consensus a major security vulnerability exists, which is about once or twice a year. Arms raised to the sky, eyes closed, always facing the sunrise and fingers crossed!
ULBoom said: no reinstallation of “features” folder.
Contrary to mine, every time I update FF, the features folder and all its current annoying features get reinstalled. So I have to delete them manually after every update. Mind if I ask how I make my FF not reinstall its features every time it updates?
@Anonymous said on January 11, 2020 at 2:29 am,
Which build is the “FF” you mention?
The build of Mozilla’s Firefox: Release, Beta, Developer Edition, Nightly, and ESR.
ULBoom and I explicitly state “Firefox ESR”.
As an example:
https://i.imgur.com/ZaLlViq.png
“ESR” update does not add any new features. In principle, it is limited to “Provide bug fixes and security patches.”
ESR(Extended Support Release)
https://support.mozilla.org/en-US/kb/choosing-firefox-update-channel
Extended Support Release (ESR): receives major updates on average every 42 weeks with minor updates such as crash fixes, security fixes and policy updates as needed, but at least every six weeks.
Take a browse on the wild side.
https://www.mozilla.org/en-US/firefox/channel/desktop/#beta
Firefox Extended Support (ESR):
https://www.mozilla.org/firefox/organizations/all/
I have the same opinion as @ULBoom.
Ghacks Tech News article, quick!
However, it was updated to Firefox ESR 68.4.1 yesterday by “PatchMyPC”.
Does this “actively exploited” vulnerability just affect FF 72.0 and what about older versions of FF?
And I’m not registered with FF’s bug system to get any more complete info.
P.S. It’s just sloppy journalism to mention a Security Vulnerability that’s actively being exploited and not explicitly make note of the affected FF older versions that may or may not be vulnerable to said vulnerability!
@ ForgotZeOldz
Wow… what an incredibly constructive comment…
@ ForgotZeOldz
“It’s just sloppy journalism to mention a Security Vulnerability that’s actively being exploited and not explicitly make note of the affected FF older versions that may or may not be vulnerable to said vulnerability!”
Have you thought about using your brain and doing a browser search to find info instead of slagging off Martin ??
Hey Gary – you may have a good point but the nasty personal attack reflects more on you than Martin. Please don’t do that.
Done.
Many thanks Martin for this immediate info.