Mozilla Firefox (and Thunderbird) Zero-day Vulnerabilities – CVE-2019-17026

WHAT YOU NEED TO KNOW 

On January 10, 2020, zero-day vulnerabilities in Mozilla Firefox, Firefox ESR, and Thunderbird were discovered affecting Windows, macOS, and Linux. These vulnerabilities could allow an attacker to take control of an affected system.

This vulnerability has been observed in exploits in the wild and is rated Critical. It has been assigned CVE-2019-17026: IonMonkey type confusion with StoreElementHole and FallibleStoreElement.

Mozilla has released Firefox 72.0.1, Firefox ESR 68.4.1, and Thunderbird 68.4.1 to address these issues.

Users will be prompted to update Firefox after the next launch. 

Additional information can be found in the US-CERT alert and in the Mozilla Foundation Security Advisories for Firefox and Thunderbird.

WHAT YOU NEED TO DO 

Users should be advised to update Firefox when prompted after the next launch. 

Firefox is not a supported browser, as there is no security policy in place in Active Directory group policy to control it. Adding multiple browsers, especially ones that are not secured, increases the attack surface of a system. Removal of Firefox should be considered.

Additionally, the updates for Mozilla Firefox and Thunderbird are available in BigFix for deployment.  The update names are: 

  • Mozilla Firefox (x64) 72.0.1 Available 
  • Mozilla Firefox 72.0.1 Available 
  • Mozilla Firefox (x64) 68.4.1 ESR Available 
  • Mozilla Firefox 68.4.1 ESR Available 

Local IT should act to test and apply these updates to their relevant systems immediately. 
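As an added example (not part of this advisory and not a BigFix artifact), the following Python triages an asset-inventory export against the fixed versions above, so Local IT can see which installs still need one of the listed updates. The "hostname,product,version" layout and the "esr" version suffix are assumptions about the export format.

```python
"""Triage a Mozilla install inventory against the CVE-2019-17026 fixed versions."""
import re
# Fixed versions named in the advisory (Thunderbird 68 follows the ESR 68 line).
FIXED = {
    ("firefox", "release"): (72, 0, 1),
    ("firefox", "esr"): (68, 4, 1),
    ("thunderbird", "esr"): (68, 4, 1),
}

# Constructed sample inventory (hostname,product,version); not real hosts.
SAMPLE_INVENTORY = """\
ws-01,Firefox,72.0.1
ws-02,Firefox,72.0
ws-03,Firefox,68.3.0esr
ws-04,Firefox,71.0
ws-05,Thunderbird,68.4.1
ws-06,Thunderbird,68.3.0
"""

def parse_version(text):
    """'68.4.1esr' -> (68, 4, 1); missing components are padded with 0."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def branch_for(product, version, raw):
    """Pick the fixed version that applies to this install's branch."""
    if product.lower() == "thunderbird":
        return ("thunderbird", "esr")
    # 'esr' suffix or a 68.x major means the ESR line; 69-72 is the release line.
    if "esr" in raw.lower() or version[0] == 68:
        return ("firefox", "esr")
    return ("firefox", "release")

def needs_update(product, raw_version):
    """True when the install is below the fixed version for its branch."""
    version = parse_version(raw_version)
    return version < FIXED[branch_for(product, version, raw_version)]

def triage(inventory_text):
    """Return hostnames whose install still lacks the CVE-2019-17026 fix."""
    flagged = []
    for line in inventory_text.splitlines():
        host, product, version = (f.strip() for f in line.split(","))
        if needs_update(product, version):
            flagged.append(host)
    return flagged
```

Release-line installs older than 72 (for example 69.x through 71.x) are flagged because they must move to 72.0.1; there is no fixed build on those branches.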

The ePatching team will address the remaining Firefox, Firefox ESR, and Thunderbird updates during the January ePatching cycle.

Send questions to gs_epatching@usgs.gov
