The bug affects both Firefox and its enterprise counterpart, Extended Support Release (ESR). According to Mozilla’s advisory:
array object to contain a collection of data items.
pop is a method developers can call to remove the last element of an array.
A type confusion vulnerability happens when a program doesn’t check the type of a data item that is passed to it. It might assume it’s getting a number, for example, when it actually gets a string. If it doesn’t check, then it can mishandle the data item, potentially destabilising its code.
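The following is an added illustration of the general pattern just described, written in plain JavaScript; it is not Mozilla's code and not the bug in this article. The `sumUnchecked` and `sumChecked` functions and the sample array are constructed for the example: the first trusts that every item is a number and silently produces a wrong result when a string is present, the second checks the type of each item before using it and fails loudly instead.

```javascript
// Added illustration of a type-confusion bug (constructed example, not
// Mozilla's code and not the Firefox bug itself).

// Vulnerable pattern: the function assumes every item is a number.
// When a string sneaks in, JavaScript's "+" silently switches from
// addition to string concatenation, so the result has the wrong type
// and the wrong value, and nothing signals that anything went wrong.
function sumUnchecked(items) {
  let total = 0;
  for (const item of items) {
    total = total + item; // no type check: number + string => string
  }
  return total;
}

// Hardened pattern: verify the type of every item before using it,
// and reject unexpected data rather than mishandling it.
function sumChecked(items) {
  if (!Array.isArray(items)) {
    throw new TypeError('expected an array');
  }
  let total = 0;
  for (const item of items) {
    if (typeof item !== 'number' || !Number.isFinite(item)) {
      throw new TypeError(`expected a finite number, got ${typeof item}`);
    }
    total += item;
  }
  return total;
}

// Constructed sample input: the third item is a string, not a number.
const SAMPLE = [1, 2, '3', 4];

console.log(sumUnchecked(SAMPLE)); // "334" (a string), not 10
try {
  sumChecked(SAMPLE);
} catch (e) {
  console.log(e.message); // expected a finite number, got string
}
```

The unchecked version never crashes, which is what makes this class of bug easy to miss in testing: the program keeps running on data of the wrong type. In a memory-unsafe engine the same mistake can corrupt memory rather than just produce a wrong string, which is why the advisory rates it as an exploitable crash.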
In this case, the effect is catastrophic, the advisory warned:
This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw.
The vulnerability was discovered by Samuel Groß of Google Project Zero and is tracked as CVE-2019-11707. The Department of Homeland Security also published an alert about the flaw.
Mozilla has fixed the flaw in Firefox version 67.0.3, and in Firefox ESR version 60.7.1. Because people are already exploiting the bug, it’s important that you update to the latest version now.
Firefox automatically checks for updates and installs them, but if you’re worried, you can force it to do this manually. To do this, select Help, then About Firefox. This will force it to check for updates and install them. When it has finished, restart the browser.
Users of the Tor Browser (which is based on Firefox) should also update their browsers to version 8.5.2, which the company released Wednesday. The Android version isn’t available yet, though. The Tor team said:
As part of our team is currently traveling to an event, we are unable to access our Android signing token, therefore the Android release is not yet available. We expect to be able to publish the Android release this weekend.
In the meantime, Android users should use the safest levels, the Tor team concluded. Do that by selecting Security Settings in the menu to the right of the URL bar.