Mozilla Issues Emergency Zero-Day Firefox Patch

Mozilla switched to a Chrome-like release schedule years back and has kept up a consistent release cycle ever since. It doesn’t usually deviate unless there’s a serious issue. Well, there’s a serious issue. Mozilla advises all Firefox users to update to the latest version of the browser as soon as possible. The company has just become aware of a zero-day exploit affecting Firefox, meaning there are nefarious internet forces actively using it.

The latest build and the only one that will protect you from the bug is v67.0.3. You can see which version you’re running by opening the menu, clicking Help, and selecting “About Firefox.” The browser should prompt users to update, but you can do so manually if your browser is not on the latest build — just type “update” in the search bar.

According to Mozilla, the issue is a type confusion vulnerability related to JavaScript. A malicious website can use this to cause an “exploitable crash.” This could let the attacker execute code remotely on the system, but they’d still be limited to the browser’s sandbox. That might be enough to do some damage, though.

Mozilla has specifically avoided providing extensive details of the flaw. It says only that it knows of active attacks in the wild, so it probably wants to get users updated first. Releasing details sooner could make things even worse.

This screen will tell you what version of the browser you’ve got. Anything lower than 67.0.3 and you’re in trouble. Update immediately.

The original bug report comes from Samuel Groß, who works on Google’s elite Project Zero team, as well as the Coinbase security team. We don’t know much about the nature of the attacks, but Groß’s involvement suggests they may be attempting to exploit the vulnerability to steal cryptocurrency. A UXSS (universal cross-site scripting) flaw coupled with the new JavaScript attack could get them what they need without touching the underlying operating system.

Firefox has managed to avoid frequent emergency updates. The last one was in 2016 when it patched a zero-day exploit that could de-anonymize users of the Tor network.
