0day RCE in Firefox

2020-01-12T02:06:26
ID AVLEONOV:E4282EE7F282C86320DF8912B47DF172
Type avleonov
Reporter Alexander Leonov
Modified 2020-01-12T02:06:26

Description

This seems like a pretty interesting vulnerability CVE-2019-17026 in Firefox (and Thunderbird) in Windows, MacOS and Linux.

A pretty interesting vulnerability in  Firefox  (and Thunderbird)

"Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion. We are aware of targeted attacks in the wild abusing this flaw".

US-cert informs us that "an attacker could exploit this vulnerability to take control of an affected system". Yep, it's RCE.

On the one hand, it's not a big deal, because Firefox will ask you to update it after the next launch.

Firefox will ask you to update it after the next launch

But if somewhere in your organization the old version of Firefox is used because it is the only version that is supported by some legacy application or plugin, you are in hell. Of course, this old browser may be only installed somewhere and not used, but still try to monitor this and take care. Especially if you use some custom Firefox-based build.