Topic: Firefox: zero-day critical zero-day vulnerability (Read 214 times)

legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
Good thing auto-update is enabled by default on Mozilla Firefox

Quote
You could run level 2 virtual machines for your browser, network, and other software while remaining as safe as possible if one of them gets compromised.

A virtual machine is pretty demanding for a user's regular computer/notebook though, especially if both the host OS and the OS on the VM are Windows.

Quote
Although the details are scarce, how a bloody browser gets to potentially allow a third party to take control beats me.

There have been many similar zero-day vulnerabilities in the past on many browsers, even though almost all of them were found and fixed before being exploited/used by hackers.
legendary
Activity: 3024
Merit: 2148
I got a popup from the browser today saying "click here to update and restart your browser", which seemed a bit strange since usually updates happen when you launch the browser and not when you browse, but I'm glad I clicked it, even though I don't think I was at risk, since I only visit Bitcointalk with this browser.
legendary
Activity: 3234
Merit: 1375
Slava Ukraini!
I already updated my Firefox to 72.0.1 yesterday, because I have auto-update turned on. All these security vulnerabilities are really concerning because you probably may not even notice that someone has control of your computer. So, thanks for the warning, it's really needed, because until now I hadn't heard about this issue.
staff
Activity: 3304
Merit: 4115
Full details are usually not given until an update is rolled out, and a lot of the user base has already had time to update to avoid any issues. I've talked about this a lot recently, but this is an example of when isolation of your computer using computer compartmentalization technology, or by physically separating an insecure device from a more secure device, is important. If you have your computers physically separated, then the network could still be compromised if a browser goes haywire. Therefore, I think a software based approach would be the better option. You could run level 2 virtual machines for your browser, network, and other software while remaining as safe as possible if one of them gets compromised. Firefox is probably the second most used browser on the internet, and millions of users were exposed to this vulnerability, and I'd agree with Ddmr on how bad it is for a browser to get complete control of the operating system.

It's worth noting that you'll likely have to manually update Firefox, and double check after the update has finished whether or not you're running the version in the OP.

Quote
Seems like it was a known attack vector and being exploited in the wild for some time before the CVE came out.
This is concerning that attackers are having free roam with exploits for such a long time before anyone is even aware of them.

Mozilla needs to up their game in the security department big time.

This is usually the case for most exploits. However, most exploits are used against specific targets, and won't be much of a threat to "normal" users. Unfortunately, there's no way of preventing this from happening, and vulnerabilities will always be found in software, especially in newly released updates. There's a lot of debate among software engineers about whether you should update or stick with an older version a little longer than usual. This is why a lot of companies keep an up-to-date long term support option.
legendary
Activity: 2380
Merit: 5213
Thanks for the warning.
I was using Firefox 71.0. I couldn't find any information whether the vulnerability affects older versions or not.
Anyway, I think it's better to update older versions too, as soon as possible. I just updated it and it was automatically updated to 72.0.1. Hope it is safe now.
hero member
Activity: 1220
Merit: 612
OGRaccoon
https://www.mozilla.org/en-US/security/advisories/mfsa2020-01/


Seems like it was a known attack vector and being exploited in the wild for some time before the CVE came out.
This is concerning that attackers are having free roam with exploits for such a long time before anyone is even aware of them.

Mozilla needs to up their game in the security department big time.
legendary
Activity: 2702
Merit: 4002
You will find a lot of information on Twitter as I noticed that some developers posted the warning more than 24 hours ago.
So far, many details have not been clarified, but once many people download the browser, the rest of the information will be released.
Generally it appears that the vulnerability needs an affected system in order to succeed, but no details have been published about which operating system is more vulnerable and whether all systems must be updated.
legendary
Activity: 2338
Merit: 10802
There are lies, damned lies and statistics. MTwain
Quote
Mozilla has released security updates to address a vulnerability in Firefox and Firefox ESR. An attacker could exploit this vulnerability to take control of an affected system. This vulnerability was detected in exploits in the wild.
The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Mozilla Security Advisory for Firefox 72.0.1 and Firefox ESR 68.4.1 and apply the necessary updates.
https://www.us-cert.gov/ncas/current-activity/2020/01/08/mozilla-patches-critical-vulnerability

This warning was launched yesterday by the CISA (Cybersecurity and Infrastructure Security Agency), but I haven’t found any echo of it here to date.

It seems that the zero-day vulnerability requires an immediate update of Firefox, since it could lead to hackers taking control of the system. Although the details are scarce, how a bloody browser gets to potentially allow a third party to take control beats me.

Note that the update should take you up to version Firefox 72.0.1 or Firefox ESR 68.4.1. We only just barely updated to Firefox 72.0 and Firefox ESR 68.4, so we should not get confused between the two.

https://www.welivesecurity.com/2020/01/09/mozilla-rushes-patch-firefox-zero-day/
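The version check the thread keeps coming back to (72.0.1 rather than 72.0, ESR 68.4.1 rather than 68.4), as an added example that is not part of any post above and is not Mozilla's or CISA's tooling. The two fixed version numbers are the ones the quoted advisory names; everything else is my assumption: the function names, the `firefox --version` output format ("Mozilla Firefox 72.0.1" on Linux/macOS), and the sample strings, which are constructed rather than captured from real machines. A naive string comparison gets exactly this case wrong ("72.0" sorts after "72.0.1" is not how version numbers work, and "72.0" == "72.0.1" is false but tells you nothing), so the comparison is done component by component.

```shell
#!/bin/sh
# Added example (not from the thread, Mozilla or CISA): check whether a
# Firefox version string already includes the mfsa2020-01 fix. The fixed
# versions, 72.0.1 (release) and ESR 68.4.1, are the ones the advisory names;
# function names, output format and sample strings are assumptions.

FIXED_RELEASE="72.0.1"
FIXED_ESR="68.4.1"

# vercmp A B: prints -1, 0 or 1 for A<B, A=B, A>B. Compares dotted numeric
# components field by field, treating a missing component as 0, so that
# 72.0.1 > 72.0 and 68.4.1 > 68.4 (the distinction the thread warns about).
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        [ -n "$ah" ] || ah=0
        [ -n "$bh" ] || bh=0
        if [ "$ah" -lt "$bh" ]; then printf '%s\n' -1; return 0; fi
        if [ "$ah" -gt "$bh" ]; then printf '%s\n' 1; return 0; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    printf '%s\n' 0
}

# parse_firefox_version "Mozilla Firefox 72.0.1": returns the last word, which
# is the version in the (assumed) `firefox --version` output on Linux/macOS.
parse_firefox_version() {
    printf '%s\n' "${1##* }"
}

# firefox_is_patched VERSION: exit status 0 if VERSION already includes the
# fix, 1 if it needs updating, 2 if the string is not a version at all.
# A string containing "esr" is measured against the ESR threshold; anything
# else against the release threshold (so a bare "68.4.1" with no esr tag is
# treated as an old release build, not as ESR). Trailing non-numeric tags
# are dropped ("68.4.1esr" -> "68.4.1", "72.0b3" -> "72.0"), so a beta is
# reported as unpatched rather than guessed at.
firefox_is_patched() {
    case "$1" in
        *esr*) threshold="$FIXED_ESR" ;;
        *)     threshold="$FIXED_RELEASE" ;;
    esac
    num="${1%%[!0-9.]*}"
    case "$num" in
        [0-9]*) ;;
        *) return 2 ;;
    esac
    [ "$(vercmp "$num" "$threshold")" -ge 0 ]
}

# check_installed_firefox: run the check against the firefox binary on PATH.
# Not called below, so the script itself runs offline; invoke it by hand.
check_installed_firefox() {
    command -v firefox >/dev/null 2>&1 || { echo "firefox not found on PATH"; return 2; }
    ver=$(parse_firefox_version "$(firefox --version 2>/dev/null)")
    if firefox_is_patched "$ver"; then
        echo "Firefox $ver: includes the mfsa2020-01 fix"
    else
        echo "Firefox $ver: update to $FIXED_RELEASE (ESR: $FIXED_ESR)"
        return 1
    fi
}

# Constructed sample strings (not captured from real machines).
for sample in "Mozilla Firefox 72.0.1" "Mozilla Firefox 72.0" \
              "Mozilla Firefox 68.4.1esr" "Mozilla Firefox 68.4esr" \
              "Mozilla Firefox 71.0"; do
    ver=$(parse_firefox_version "$sample")
    if firefox_is_patched "$ver"; then
        echo "$ver: patched"
    else
        echo "$ver: update needed"
    fi
done
```

Run it as `sh check.sh` to see the constructed samples classified, then `check_installed_firefox` from the same shell (after sourcing the file) to test the installed copy. It only answers the narrow question of whether the installed build is at or past the fixed version; a browser that has downloaded the update but has not been restarted still reports the old version, which is the "update and restart" prompt one of the posters described.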