Firefox Users: Update Now to Patch Remote Execution Flaw

John Lister's picture

Mozilla has issued an emergency patch for the Firefox browser that is a must-install. It fixes a security gap that hackers are actively exploiting on compromised websites that serve up malicious code.

How to Patch Firefox

For most users, restarting Firefox should be enough to trigger the update.

Users can also click the menu icon near the top right of the browser (the three vertical bars), then scroll down near the bottom and click the "(?) Help" submenu, then click the "About Firefox" option, which will trigger the update. Once the update has been downloaded, Firefox will say "Restart to update Firefox."

In both cases, users will see a page reading "Congrats! You're using the latest version of Firefox" when the browser restarts.

How to Tell Which Version of Firefox is Installed

To verify that the patch has been installed, click the menu icon (near the top right of the browser), then click "(?) Help", then "About Firefox". If Firefox is patched, it should have version 67.0.3 installed (or 67.7.1 for those who use the business-oriented 'Extended Support Release' edition).

Remote Code Execution Risk

While the simplicity of the update means the risk only really affects those who keep the browser open for days on end, it's a big deal as the security bug itself combines several dangerous features.

The first is what the exploit actually does. According to Mozilla, it means malicious JavaScript on a webpage could create a "type confusion vulnerability" that can "allow for an exploitable crash." In simple terms, it means that visiting a web page could be enough to let hackers remotely infect a machine with malware. The malware can then be used to control the machine remotely, and may even record keystrokes, spy on the user, download Trojans, etc.

Secondly, this exploit is considered a "zero day vulnerability." That means the flaw has become known to third parties other than Mozilla, and before Mozilla has had a chance to issue a fix.

Finally, since this is a zero day vulnerability, it also means it's not a "theoretical risk." In this case, hackers who discovered the bug are already actively taking advantage with what Mozilla calls "targeted" attacks. (Source: mozilla.org)

Cryptocurrency May Be Target

While Mozilla hasn't given any more details on what or who is being targeted, it has credited the bug's discovery to Samuel Groß. He works for Google's Project Zero security team and is also working on a project called "Coinbase." (Source: mozilla.org)

Coinbase is roughly an equivalent to a foreign currency exchange for those wanting to buy and sell digital or "virtual" currencies, of which Bitcoin is the best known. It's suggested that attackers are trying to get hold of information that could allow them to steal such digital currency.

What's Your Opinion?

Do you use Firefox? Are you reassured by its security updates process? Do you regularly leave your computer on and a browser open for extended periods?


Comments

Jim-in-kansas's picture

I've used Mozilla's Firefox browser for years now on a daily basis.

I don't leave the browser open for extended periods of time. This is a personal habit and nothing more.

Not an issue for me.

James Douglass
Kansas USA

pm.norris_5513's picture

I have run Firefox domestically for many years, starting with Win7! All this time I've had the Browser open all the time to receive News flashes and the like. Luckily I've always had an AV program running at the same time (Kaspersky for the last 7 years).
I've also had Firefox running on auto-update. This has occasionally led to trouble when an Add-on has not been compatible with the new version but that's usually only a short term problem.
Since I don't see how new browser pages could easily cause themselves to be loaded in and opened unless I'm running some dodgy page that Kaspersky lets through (together with Malwarebytes) I've never worried about leaving the browser running. Is my optimism misplaced?