Just one day after releasing Firefox 72, Mozilla updated the browser with a fix to shut down active attacks, the company acknowledged.
On Wednesday, Mozilla issued Firefox 72.0.1, which included one change: A patch for the vulnerability identified as CVE-2019-17026. “We are aware of targeted attacks in the wild abusing this flaw,” Mozilla said in the short description of the flaw, signaling that criminals were already leveraging the zero-day vulnerability, the term applied because there no time elapses between patching and exploitation.
Mozilla credited Qihoo 360, a Chinese developer of anti-virus and other security software, for reporting the bug. Qihoo also created and manages the 360 Secure Browser, which relies on Google’s rendering and JavaScript engines, as does Chrome and Microsoft Edge.
The Firefox flaw was characterized as a type confusion bug in the IonMonkey JavaScript JIT (Just-in-Time) compiler of SpiderMonkey, the browser’s JavaScript engine.
Mozilla rated the vulnerability as “Critical,” the most serious rating in its multi-step ranking system. To manually update the browser, users can select Help > About Firefox on Windows or Firefox > About Firefox on macOS. The resulting page shows that the browser is either up to date or describes the refresh process.
Wednesday’s update was the first aimed at a zero-day vulnerability in Firefox since June, when Mozilla patched another critical type confusion flaw.
