Yesterday, Mozilla released Firefox 67.0.3 and Firefox ESR 60.7.1 to fix an actively exploited vulnerability that can enable attackers to remotely execute arbitrary code on devices using vulnerable versions. So, if you are a Firefox user, it is recommended that you update it right now.
Not much information has been disclosed about the vulnerability yet, apart from this short description on the advisory page. In general, we can say that type confusion happens when a piece of code fails to verify the object type that is passed to it and blindly uses it without type-checking.
The US Cybersecurity and Infrastructure Security Agency (CISA) also issued an alert informing users and administrators to update Firefox as soon as possible:
“The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Mozilla Security Advisory for Firefox 67.0.3 and Firefox ESR 60.7.1 and apply the necessary updates.”
Users can install the patched Firefox versions by downloading them from Mozilla’s official website. Or, they can click on the hamburger icon on the upper-right hand corner, type Update into the search box and hit the Restart to update Firefox button to be sure.
This is not the first time when a zero-day vulnerability has been found in Firefox. Back in 2016, a vulnerability was reported in Firefox that was exploited by attackers to de-anonymize Tor Browser users. The attackers then collected the user data that included their IP addresses, MAC addresses, and hostnames. Mozilla then released an emergency fix in Firefox 50.0.2 and 45.5.1 ESR.