Browser zero day: Update your Firefox right now!

Just two days after releasing Firefox 72, Mozilla has issued an update to patch a critical zero-day flaw.

According to an advisory on Mozilla’s website, the issue identified as CVE-2019-17026 is a type confusion bug affecting Firefox’s IonMonkey JavaScript Just-in-Time (JIT) compiler.

Simply put, a JIT compiler takes JavaScript source code, as you’ll find in most web pages these days, and converts it to executable computer code, so that the JavaScript runs directly inside Firefox as if it were a built-in part of the app.

This typically improves performance, often noticeably.

Ironically, most modern apps implement what’s called DEP, short for Data Execution Prevention, a threat mitigation that helps stop crooks from sending over what looks like innocent data but then tricking the app into running that data as if it were an already-trusted program.

(Code that’s disguised as data is known in the jargon as shellcode.)

DEP means that once a program is running, the data it consumes – especially if it originates from an untrusted source – can’t be turned into executing code, whether accidentally or otherwise.

But JIT compilers have to exempt themselves from DEP controls, because converting data to code and running it is precisely what they do – and that’s why crooks love to probe for flaws in JIT systems.

This bug was reported to Mozilla by Chinese security company Qihoo 360, but the bad news is that attackers were one step ahead of Mozilla, which said:

We are aware of targeted attacks in the wild abusing this flaw.

Nothing has yet been revealed about the nature of the attacks beyond that remark.

The word targeted is often used to imply a campaign run by so-called state-sponsored actors, but it’s safer to assume that anyone and everyone could be at risk – what starts as a limited campaign against specific targets can quickly be picked up by more mainstream attackers.

The last time Mozilla had to patch a zero day was last June when it fixed two in a single week that were being used to target cryptocurrency exchanges.

What to do?

If you use the regular version of Firefox, make sure you have version 72.0.1.

Your Firefox may well have updated automatically, but it’s worth checking.

Go to HelpAbout Firefox (or FirefoxAbout Firefox on a Mac), where you will see the current version number and be offered an update if you’re still behind.

Some Linux distros and many businesses stick to Firefox’s Extended Support Release (ESR) because it gets security fixes at the same pace as the regular version, but doesn’t force you to take on new features at every update.

So if you are an ESR user, you need to update to 68.4.1esr to get this patch. (Note that 68+4=72, which is a general way of telling which ESR release corresponds in security updates to the current bleeding-edge version.)

Note to Tor users

Importantly, the browser that comes with Tor, the privacy-enhancing software bundle that helps you browse without being tracked, is a special build of Firefox ESR.

Unfortunately, Tor only updated within the last 24 hours to the 68.4.0esr version of Firefox’s code, and hasn’t got its 68.4.1esr update out yet.

The Tor site currently [2020-01-09T12:00Z] says, “we are planning to release version 9.0.4 of Tor Browser picking up this fix soon,” so keep your eyes out for an update – a zero-day attack that works against the browser in Tor could undo the anonmyity and privacy that made you choose Tor in the first place.

In the meantime, we think you can mitigate the risk in Tor by turning the IonMonkey JIT system off altogether – put about:config in the address bar, find the entry javascript.options.ion and change it from true (the default) to false.

This may slow down some of your browsing slightly, but as far as we can tell, it skips the IonMonkey JIT compilation process and therefore sidesteps this bug.

Note. The Tor project tweeted the availability of its own update at 2020-01-10T15:00Z.
The updated Tor version is 9.0.4, based on Firefox 68.4.1esr.


Here’s a video from the Naked Security Live playlist on our new YouTube channel: