Quote

Mozilla has released an emergency critical update for Firefox to squash a zero-day vulnerability that is under active attack.

The Firefox 67.0.3 and ESR 60.7.1 builds include a patch for CVE-2019-11707. The vulnerability is a type confusion bug in the way Firefox handles JavaScript objects in Array.pop. By manipulating the object in the array, malicious JavaScript on a webpage could get the ability to remotely execute code without any user interaction.

This is a bad thing.

What’s worse, Mozilla says it has already received reports that the flaw is being actively exploited in the wild by miscreants, making it critical for users to install the latest patched versions of the browser.

Fortunately, because Mozilla automatically updates Firefox with new patches and bug fixes, Linux, Mac, and Windows PC users can all install the patch with a simple browser restart.

Credit for the discovery and disclosure of the bug was given to Samuel Groß of Project Zero. ®