Mozilla releases patch for a severe vulnerability in Firefox that's being actively exploited

In brief: While it's always a good idea to keep your operating system and apps up to date, we've become so dependent on web browsers that they sometimes need to be patched several times a week to fix glaring security issues that hackers are eager to exploit. Such is the case with the latest Firefox update, which patches a serious bug that makes it easy for someone to take complete control of your system.

If you're using Firefox as your go-to web browser, you might want to update it as soon as possible. Earlier today, Mozilla rushed out version 72.0.1 (and ESR 68.4.1) to fix a vulnerability that is actively being exploited in the wild to take complete control of machines running the vulnerable bits of the popular open source browser.

If you need another reason to be worried about using an unpatched version, the United States Cybersecurity and Infrastructure Security Agency (CISA) has issued a security advisory explaining that there is sufficient evidence that hackers are taking advantage of this zero-day flaw.

Mozilla says the vulnerability was uncovered and reported by researchers at China-based Qihoo 360. Apparently, a bug indexed as CVE-2019-17026 is a "type confusion" vulnerability that affects the IonMonkey just-in-time compiler that's an essential part of Mozilla's SpiderMonkey JavaScript engine.

In simple terms, it's a memory bug where a program allocates resources as one type but later accesses those resources as a different type. This allows attackers to access data stored in other memory locations that are normally off-limits, and execute code on a vulnerable system through specially crafted web pages.

The flaw has been fixed in Firefox 72.0.1, just 24 hours after version 72 was released with fixes for 11 other vulnerabilities. Last year, two serious zero-day flaws allowed attackers to slip a largely undetected backdoor on Macs used by operators of cryptocurrency exchange Coinbase.