CVE-2019-17026: Zero-Day Vulnerability in Mozilla Firefox Exploited in Targeted Attacks
Mozilla releases patch to address Firefox flaw being used as part of targeted attacks.
Hintergrund
On January 8, Mozilla Foundation released a security advisory to address a critical zero-day flaw in Mozilla Firefox, which has been exploited in targeted attacks.
Analyse
CVE-2019-17026 is a type confusion vulnerability in IonMonkey, the JavaScript Just-In-Time (JIT) compiler for SpiderMonkey, Mozilla’s JavaScript engine. According to Mozilla’s advisory, the flaw exists in the JIT compiler due to “incorrect alias information for setting array elements,” specifically in StoreElementHole and FallibleStoreElement.
The vulnerability was reported to Mozilla by researchers at Qihoo 360 ATA. Mozilla’s advisory states they are “aware of targeted attacks in the wild abusing this flaw.” Based on this note in the advisory, it appears the vulnerability was exploited in the wild as a zero-day. Further information about the exploitation was not available at the time this blog post was published.
This advisory follows the release of Firefox 72 and Firefox Extended Support Release (ESR) 68.4 on January 7, which included the following security advisories:
- Firefox 72: Mozilla Foundation Security Advisory 2020-01
- Firefox ESR 68.4: Mozilla Foundation Security Advisory 2020-02
Last year, Mozilla patched CVE-2019-11707, another type confusion flaw that was used in conjunction with CVE-2019-11708, a sandbox escape vulnerability in targeted attacks.
Proof-of-Concept
At this time, no proof of concept is available for this vulnerability.
Lösung
To address CVE-2019-17026, Mozilla released Firefox 72.0.1 and Firefox ESR 68.4.1. Because this vulnerability has been exploited in targeted attacks, Firefox users are advised to upgrade as soon as possible.
Identifizieren betroffener Systeme
A list of Tenable plugins to identify this vulnerability will appear here as they’re released.
Weitere Informationen
Verfolgen Sie die Beiträge des Security Response Team von Tenable in der Tenable Community.
Erfahren Sie mehr über Tenable, die erste Cyber Exposure-Plattform für die ganzheitliche Verwaltung Ihrer modernen Angriffsoberfläche.
Holen Sie sich eine kostenlose 30-tägige Testversion von Tenable.io Vulnerability Management.
Satnam Narang
Senior Staff Research Engineer, Security Response
Satnam kam 2018 zu Tenable. Er verfügt über mehr als 15 Jahre Erfahrung in der Branche (M86 Security und Symantec). Er leistete Beiträge zur Anti-Phishing Working Group, half bei der Entwicklung eines Social-Networking-Leitfadens für die National Cyber Security Alliance, entlarvte ein riesiges Spam-Botnet auf Twitter und war der erste, der über Spam-Bots auf Tinder berichtete. Er trat in den NBC Nightly News, Entertainment Tonight, Bloomberg West und im Why Oh Why-Podcast auf.
Interessen neben der Arbeit: Satnam schreibt Gedichte und macht Hip-Hop-Musik. Er liebt Live-Musik, verbringt gerne Zeit mit seinen drei Nichten und mag Fußball und Basketball, Bollywood-Filme und -Musik sowie Grogu (Baby Yoda).
Verwandte Artikel
CVE-2025-32756: Zero-Day Vulnerability in Multiple Fortinet Products Exploited in the Wild
Fortinet has observed threat actors exploiting CVE-2025-32756, a critical zero-day arbitrary code execution vulnerability which affects multiple Fortinet products including FortiVoice, FortiMail, FortiNDR, FortiRecorder and FortiCamera....
CVE-2025-4427, CVE-2025-4428: Ivanti Endpoint Manager Mobile (EPMM) Remote Code Execution
Remote code execution vulnerability in a popular mobile device management solution from Ivanti has been exploited in the wild in limited attacks...
Microsoft’s May 2025 Patch Tuesday Addresses 71 CVEs (CVE-2025-32701, CVE-2025-32706, CVE-2025-30400)
Microsoft addresses 71 CVEs including seven zero-days, five of which were exploited in the wild....
- Vulnerability Management