CVE-2019-17026:Zero-Day Vulnerability in Mozilla Firefox Exploited in Targeted Attacks
Mozilla releases patch to address Firefox flaw being used as part of targeted attacks.
Antecedentes
On January 8, Mozilla Foundation released a security advisory to address a critical zero-day flaw in Mozilla Firefox, which has been exploited in targeted attacks.
Análisis
CVE-2019-17026 is a type confusion vulnerability in IonMonkey, the JavaScript Just-In-Time (JIT) compiler for SpiderMonkey, Mozilla’s JavaScript engine. According to Mozilla’s advisory, the flaw exists in the JIT compiler due to “incorrect alias information for setting array elements,” specifically in StoreElementHole and FallibleStoreElement.
The vulnerability was reported to Mozilla by researchers at Qihoo 360 ATA. Mozilla’s advisory states they are “aware of targeted attacks in the wild abusing this flaw.” Based on this note in the advisory, it appears the vulnerability was exploited in the wild as a zero-day. Further information about the exploitation was not available at the time this blog post was published.
This advisory follows the release of Firefox 72 and Firefox Extended Support Release (ESR) 68.4 on January 7, which included the following security advisories:
- Firefox 72: Mozilla Foundation Security Advisory 2020-01
- Firefox ESR 68.4: Mozilla Foundation Security Advisory 2020-02
Last year, Mozilla patched CVE-2019-11707, another type confusion flaw that was used in conjunction with CVE-2019-11708, a sandbox escape vulnerability in targeted attacks.
Prueba de concepto
At this time, no proof of concept is available for this vulnerability.
Solución
To address CVE-2019-17026, Mozilla released Firefox 72.0.1 and Firefox ESR 68.4.1. Because this vulnerability has been exploited in targeted attacks, Firefox users are advised to upgrade as soon as possible.
Identificación de los sistemas afectados
A list of Tenable plugins to identify this vulnerability will appear here as they’re released.
Obtenga más información
Únase al Equipo de respuesta de seguridad de Tenable en Tenable Community.
Obtenga más información sobre Tenable, la primera plataforma de Cyber Exposure para el control integral de la superficie de ataque moderna.
Obtenga una prueba gratuita de 30 días de Tenable.io Vulnerability Management.
Satnam Narang
Senior Staff Research Engineer, Security Response
Satnam se unió a Tenable en 2018. Cuenta con más de 15 años de experiencia en la industria (M86 Security y Symantec). El ha realizado contribuciones para el Anti-Phishing Working Group, ayudó a desarrollar una guía de redes sociales para la National Cyber Security Alliance, descubrió un inmenso botnet de spam en Twitter y fue el primero en informar acerca de bots de spam en Tinder. Ha aparecido en NBC Nightly News, Entertainment Tonight, Bloomberg West y en el podcast Why Oh Why.
Intereses fuera de trabajo: Satnam escribe poesía y compone música hip-hop. Le gusta la música en vivo, pasar tiempo con sus tres sobrinas, el fútbol americano y el basquetbol, las películas de Bollywood y Grogu (Baby Yoda).
Artículos relacionados
Forrester Names Tenable a Leader in the Q3 2025 Unified Vulnerability Management Solutions Wave™ Report
“Tenable continues to extend its established vulnerability management offerings into exposure management with its Tenable One platform,” according to the report....
CVE-2025-53770: Frequently Asked Questions About Zero-Day SharePoint Vulnerability Exploitation
Successful exploitation of CVE-2025-53770 could expose MachineKey configuration details from a vulnerable SharePoint Server, ultimately enabling unauthenticated remote code execution....
CVE-2025-54309: CrushFTP Zero-Day Vulnerability Exploited In The Wild
A critical zero-day flaw in CrushFTP that can grant attackers administrator access was discovered on July 18 and is under active exploitation....
- Vulnerability Management