Firefox 72.0.1 fixes a security vulnerability that is actively exploited

Martin Brinkmann
Jan 8, 2020

Mozilla has released Firefox 72.0.1, a new stable version of the Firefox web browser. The release may come as a surprise to many, considering that Firefox 72.0 was released just a few days ago. Firefox ESR, the Extended Support Release aimed specifically at organizations and users who need stability with regard to changes, is also updated, to Firefox ESR 68.4.1.

While it is not uncommon for Mozilla to release one or even several minor updates between major Firefox releases, it is rare for an update to follow a major release by only a few days; that usually means an out-of-band security fix.


Firefox 72.0.1 fixes a security vulnerability in the web browser that is actively exploited according to Mozilla. The release note lists the security fix as the only change in the new Firefox release.

Mozilla's Security Advisories hub lists a single vulnerability that has been patched in Firefox 72.0.1. The vulnerability has received a rating of critical, the highest of Mozilla's four severity ratings, which Mozilla reserves for flaws that can be used to run attacker code and install software with no user interaction beyond normal browsing.

The description provides the following information:

CVE-2019-17026: IonMonkey type confusion with StoreElementHole and FallibleStoreElement

Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion. We are aware of targeted attacks in the wild abusing this flaw.

Reported by Qihoo 360 ATA, the vulnerability affects IonMonkey, the optimizing Just-in-Time (JIT) compiler of Firefox's SpiderMonkey JavaScript engine. The JIT relied on incorrect alias information when compiling array element stores, so optimized code could run on wrong assumptions about an object's type; bugs of this class are reachable from JavaScript on an ordinary web page, which is consistent with the critical rating. Mozilla confirms targeted exploitation in the wild but has not said who was targeted or for how long, and since the flaw is being exploited, Mozilla had to react quickly to release a patch.

The new versions of the Firefox web browser, Firefox 72.0.1 and Firefox ESR 68.4.1, are already available. Firefox users can download the latest release from Mozilla's website or use the browser's built-in updating functionality.

A click on Menu > Help > About Mozilla Firefox displays the installed version and runs a manual check for updates. The browser should pick up the new version and install it automatically; a restart completes the update, after which the About dialog should show 72.0.1 (or 68.4.1 on the ESR channel).

Firefox users are encouraged to update the browser as soon as possible to protect it against attacks targeting the vulnerability. Any release version before 72.0.1, and any ESR version before 68.4.1, is affected.
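For anyone who has to check more than one machine, the following is an added example (not code from the article or from Mozilla) that decides whether an installed Firefox predates the fixed build. It assumes a version string in the form shown by Help > About, about:support or the output of `firefox --version` (for example "Mozilla Firefox 72.0.1" or "68.4.1esr"), and it applies the fixed versions the release notes give for each branch: 72.0.1 on the release channel and 68.4.1 on the ESR 68 line. Downstream forks use their own numbering and are not covered.

```python
import re
import subprocess

# Fixed builds for CVE-2019-17026, per Mozilla's release notes:
# Firefox 72.0.1 (release channel) and Firefox ESR 68.4.1 (68 ESR branch).
FIXED_RELEASE = (72, 0, 1)
FIXED_ESR68 = (68, 4, 1)

# Matches "72", "72.0", "72.0.1" and "68.4.1esr", anywhere in the text.
_VERSION_RE = re.compile(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*(esr)?", re.IGNORECASE)


def parse_version(text):
    """Return (major, minor, patch, is_esr) from strings such as '72.0.1',
    '68.4.1esr' (about:support) or 'Mozilla Firefox 72.0' (firefox --version).
    Missing components default to 0, so '72.0' compares equal to '72.0.0'."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError("no Firefox version number in %r" % text)
    major, minor, patch, esr = match.groups()
    return (int(major), int(minor or 0), int(patch or 0), esr is not None)


def is_vulnerable(text):
    """True if the installed Firefox predates the build that fixes CVE-2019-17026.

    Builds on the 68 line (ESR) are measured against 68.4.1; every other build,
    including pre-72 release versions such as 70.0.1 or 71.0, against 72.0.1.
    """
    major, minor, patch, is_esr = parse_version(text)
    version = (major, minor, patch)
    if is_esr or major == 68:
        return version < FIXED_ESR68
    return version < FIXED_RELEASE


def installed_version_output():
    """Run the local firefox binary to get its version banner, e.g.
    'Mozilla Firefox 72.0.1'. Returns None if no firefox is on PATH."""
    try:
        result = subprocess.run(["firefox", "--version"], capture_output=True,
                                text=True, check=False, timeout=30)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return result.stdout.strip() or None


if __name__ == "__main__":
    banner = installed_version_output()
    if banner is None:
        print("firefox not found on PATH; pass the version string to is_vulnerable()")
    else:
        state = "VULNERABLE, update now" if is_vulnerable(banner) else "patched"
        print("%s: %s" % (banner, state))
```

Run it on the machine being checked; on a host without Firefox on PATH, call is_vulnerable() directly with the string copied from Help > About. Note that a patched version string only proves the update is installed, not that the browser has been restarted into it.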


Comments

  1. Amir said on January 20, 2020 at 6:20 pm
    Reply

    Martin, Techspot has Firefox 72.0.2 in their Download section. It will be released today I guess. I don’t have it yet on my Firefox when checking for updates.

  2. Tim said on January 14, 2020 at 5:00 pm
    Reply

    According to what I read on msfn.org, setting this preference to false (javascript.options.ion) will mitigate the problem.

    However there is a performance hit.

    From what I know it was the Tor browser people who let this be known.

    My system will not allow me to use FF 72 or 68 so I reset all my preferences as above. If you have legacy products, this might end up being your only option.

  3. mozillasux said on January 13, 2020 at 1:47 am
    Reply

    This is a very questionable one.
    Discovered by China, alerted by USA.
    Asking on reddit (which is owned now by China) about this bug availability restrictions will get some pretty fast ban (the first rule, bois).
    Are they oversmarting themselves?

    1. fukumz said on January 13, 2020 at 1:58 am
      Reply

      After some discussion about the topic I was permabanned for calling myself a moron in PM.
      Nice job /r/firefox. Wish that cancelling life were much easier, would do it for u mz.

  4. Anonymous said on January 10, 2020 at 10:19 pm
    Reply

    U.S. Department of Homeland Security Urges Firefox Users to Install Update Amid Active Attack

    ”The vulnerability was first discovered by Chinese company Qihoo 360 two days after the release of Firefox 72, but there is no word on how long the bug has been exploited nor who used the vulnerability or who might have been targeted. This is the third zero-day vulnerability that Mozilla has addressed within the last year –.”

    https://www.macrumors.com/2020/01/10/mozilla-firefox-update-vulnerability/

  5. donttrespassbecauseCIA... said on January 10, 2020 at 5:05 am
    Reply

    Why the *… is Mozilla blocking people from seeing what the bug is about???
    Have to register and log in to read… gatekeeping BS.

    https://bugzilla.mozilla.org/show_bug.cgi?id=1607443

  6. User0193 said on January 9, 2020 at 11:41 pm
    Reply
  7. ulijhon said on January 9, 2020 at 11:50 am
    Reply

    so what does it mean; how can this vulnerability be exploited and what for. what about earlier versions of FF and what about clones

    1. Tom Hawack said on January 10, 2020 at 12:18 am
      Reply

      If I refer to a French security bulletin published by CERT-FR, it appears that the following are concerned:

      – Firefox versions prior to 72.0.1
      – Firefox versions prior to ESR 68.4.1

      “https://www.cert.ssi.gouv.fr/alerte/CERTFR-2020-ALE-003/”

    2. Pamalz said on January 9, 2020 at 4:49 pm
      Reply

      It appears that most of the online news articles about the Firefox 72.0.1 update to fix the new vulnerability fail to mention how far back into the previous versions of Firefox this vulnerability goes and even if Firefox/Mozilla’s downstream Clones/Derivatives are affected. Even Firefox’s bug write-up page is not being clear on the matter and requires a login to go any further into the matter.

      Folks that may be having compatibility issues with any of the newer/recent “Stable” Firefox versions maybe have little choice, and the lack of full information about the older Firefox versions being affected has me guessing that there are some other intents going on here that are not helping any end users.

  8. Jonas Smithson said on January 9, 2020 at 7:48 am
    Reply

    I’d been running Firefox 70.0.1 (because my heavily customized environment breaks whenever I update it). This alert forced me to update to 72.0.1, and sure enough, all my custom tabs arrangements broke. (I like tabs and some other items to be on the bottom of the browser window.)

    I tried various “solutions” from reddit but none worked. I probably could have figured it out myself using the browser-development tools, but that could take days, because I’d have to learn the changes they made to the FF DOM and to other code before figuring out the new CSS needed.

    Luckily I found the correct code on github, and it works great. If anyone else here hacks at userchrome.css and likes their tabs on the bottom of the window, the code on this page worked for me in FF 72.0.1:

    Another problem I had with the new version is that it froze every time I tried to close a tab or window, and I had to force-quit Firefox several times. Eventually the problem went away (keeping fingers crossed). I have no idea what was going on with that, but it’s all working OK for now.

    1. Jonas said on January 9, 2020 at 9:59 pm
      Reply

      In my original post, I included the URL to find the code on Github. Somehow that URL disappeared, and now my post makes little sense, or at least isn’t helpful. Does this forum prohibit (or automatically remove) any URLs included in someone’s comment?

  9. ilev said on January 9, 2020 at 7:36 am
    Reply
  10. Rod said on January 9, 2020 at 3:27 am
    Reply

    I’m running an earlier version of FF than FF 72.0, should I be worried?

  11. Anonymous said on January 9, 2020 at 1:07 am
    Reply

    I had Firefox 72.0.1 for Mac installed automatically and found it would not start up at all.
    I uninstalled it and reinstalled version 71.0 from my clone disk and that did start up normally. I tried several times to reinstall version 72.0.1 manually but it refused to start up. Is this a problem for Mac Users? Does this version of Firefox have system requirements?

    Lou

    1. Anonymous said on January 9, 2020 at 10:35 am
      Reply

      Did you try new profile (without deleting old)? I think reinstalling is a rare solution.

      Firefox 72.0.2 works well in macOS 10.15.2, but it depends on whether the profile is broken or not. I haven’t yet updated Firefox in Linux Mint nor Windows.

  12. Paul(us) said on January 8, 2020 at 10:51 pm
    Reply

    Thanks Martin,
    Really great that Mozilla Firefox is decisive and handling this quickly by updating to repair this JavaScript (IonMonkey JIT compiler) security risk, and by doing so is not working the Microsoft way.
    Do you know whether this is related to the dynamic scrollbars based on page color integration in Firefox 72?
    And thanks to Ghacks.net for reporting this security problem so quickly back to me.

  13. user.js fan club said on January 8, 2020 at 10:37 pm
    Reply

    You can block this in about:config (until available)

    1. thanksman said on January 10, 2020 at 5:01 am
      Reply

      What and how to block “it” under about:config??

  14. ULBoom said on January 8, 2020 at 9:23 pm
    Reply

    Updated Firefox ESR 68.4.1 and…well…it works!

    I’ve updated ESR whenever an update exists; never had a problem. No config changes, no reinstallation of “features” folder, just an update.

    Windows? Well, that’s updated weeks after there’s general consensus a major security vulnerability exists, which is about once or twice a year. Arms raised to the sky, eyes closed, always facing the sunrise and fingers crossed!

    1. Anonymous said on January 11, 2020 at 2:29 am
      Reply

      ULBoom said .. no reinstallation of “features” folder.
      Contrary to mine, every time I update FF, the features folder and all its current annoying features get reinstalled. So I have to delete them manually after every update. Mind if I ask how I make my FF not reinstall its features every time it updates?

      1. owl said on January 11, 2020 at 11:01 am
        Reply

        @Anonymous said on January 11, 2020 at 2:29 am,

        Which build is the “FF” you mention?

        The build of Mozilla’s Firefox: Release, Beta, Developer Edition, Nightly, and ESR.
        ULBoom and I explicitly state “Firefox ESR”.
        As an example:
        https://i.imgur.com/ZaLlViq.png
        “ESR” update does not add any new features. In principle, it is limited to “Provide bug fixes and security patches.”

        ESR(Extended Support Release)
        https://support.mozilla.org/en-US/kb/choosing-firefox-update-channel
        Extended Support Release (ESR): receives major updates on average every 42 weeks with minor updates such as crash fixes, security fixes and policy updates as needed, but at least every six weeks.

        Take a browse on the wild side.
        https://www.mozilla.org/en-US/firefox/channel/desktop/#beta
        Firefox Extended Support (ESR):
        https://www.mozilla.org/firefox/organizations/all/

    2. owl said on January 9, 2020 at 9:30 am
      Reply

      I have the same opinion as @ULBoom.

      Ghacks Tech News article, quick!
      However, it was updated to Firefox ESR 68.4.1 yesterday by “PatchMyPC”.

  15. ForgotZeOldz said on January 8, 2020 at 8:46 pm
    Reply

    Does this “actively exploited” vulnerability just affect FF 72.0 and what about older versions of FF?

    And I’m not registered with FF’s bug system to get any more complete info.

    P.S. It’s just sloppy journalism to mention a Security Vulnerability that’s actively being exploited and not explicitly make note of the affected FF older versions that may or may not be vulnerable to said vulnerability!

    1. Martin P. said on January 9, 2020 at 4:02 pm
      Reply

      @ ForgotZeOldz

      Wow… what an incredibly constructive comment…

    2. Gary D said on January 9, 2020 at 12:56 pm
      Reply

      @ ForgotZeOldz

      “It’s just sloppy journalism to mention a Security Vulnerability that’s actively being exploited and not explicitly make note of the affected FF older versions that may or may not be vulnerable to said vulnerability!”

      Have you thought about using your brain and doing a browser search to find info instead of slagging off Martin ??

      1. Tim Segulin said on January 9, 2020 at 1:43 pm
        Reply

        Hey Gary – you may have a good point but the nasty personal attack reflects more on you than Martin. Please don’t do that.

  16. Tom Hawack said on January 8, 2020 at 7:30 pm
    Reply

    Done.
    Many thanks Martin for this immediate info.
