The information below was sent to U-M IT staff groups January 9, 2020. It is intended for U-M IT staff who are responsible for university devices with Mozilla Firefox installed. It will also be of interest to individuals who have Firefox installed on their own devices.
A critical vulnerability in the Mozilla Firefox web browser has been found that could allow attackers to take control of users' computers. There are currently targeted attacks exploiting this flaw. Update Firefox as soon as possible.
Firefox has a vulnerability that could allow attackers to execute code or trigger crashes on machines running vulnerable Firefox versions. This vulnerability is being actively exploited in the wild. Affected versions:
- Versions of Firefox prior to Firefox 72.0.1. This is the version of Firefox intended for individuals who manage their own personal computers.
- Versions of Firefox Extended Support Release (ESR) prior to 68.4.1. Mozilla Firefox ESR is meant for organizations that manage computers for their users. For example, MiWorkspace users will have Firefox ESR on their computers.
Update to the latest version of Firefox as soon as possible. Mozilla has released these two versions to address the vulnerability:
- Firefox 72.0.1
- Firefox ESR 68.4.1 (for managed computers)
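For staff who track Firefox across many university machines, the check below compares a reported version string against the two fixed versions named above. It is an added example, not part of the original notice or a U-M tool; the inventory lines are constructed, and it assumes an "esr" suffix in the version string (as printed by `firefox --version` on ESR builds) marks the ESR channel, with an explicit flag available where that suffix is absent.

```python
import re
from typing import List, Optional, Tuple

# Fixed versions from the advisory (MFSA 2020-03).
FIXED_RELEASE = (72, 0, 1)
FIXED_ESR = (68, 4, 1)

# Matches "Mozilla Firefox 72.0.1" or "Mozilla Firefox 68.4.0esr".
# Assumption: an "esr" suffix identifies an Extended Support Release build.
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)\s*(esr)?", re.IGNORECASE)

# Constructed inventory: "hostname,version string" (not real U-M data).
SAMPLE_INVENTORY = [
    "lab-pc-01,Mozilla Firefox 72.0.1",
    "lab-pc-02,Mozilla Firefox 72.0",
    "lab-pc-03,Mozilla Firefox 68.4.0esr",
    "lab-pc-04,Mozilla Firefox 68.4.1esr",
]


def parse_version(text: str) -> Tuple[Tuple[int, ...], bool]:
    """Return (three-part numeric version, is_esr) from a version string."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    # Pad so that 72.0 compares as 72.0.0 (below the fixed 72.0.1).
    nums = (nums + (0, 0, 0))[:3]
    return nums, m.group(2) is not None


def is_vulnerable(text: str, esr: Optional[bool] = None) -> bool:
    """True if the version is below the fixed release for its channel.

    esr=None infers the channel from the 'esr' suffix; pass esr=True for
    managed machines whose reported string lacks the suffix.
    """
    nums, suffix_esr = parse_version(text)
    channel_esr = suffix_esr if esr is None else esr
    fixed = FIXED_ESR if channel_esr else FIXED_RELEASE
    return nums < fixed


def hosts_needing_update(inventory: List[str]) -> List[str]:
    """Return hostnames whose Firefox is still below the fixed version."""
    flagged = []
    for line in inventory:
        host, version = line.split(",", 1)
        if is_vulnerable(version):
            flagged.append(host)
    return flagged


if __name__ == "__main__":
    print("Needs update:", hosts_needing_update(SAMPLE_INVENTORY))
```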
The vulnerability could allow attackers to execute code or trigger crashes. It is being exploited in the wild.
According to the Mozilla Foundation Security Advisory, "Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion."
How We Protect U-M
- Information Assurance (IA) monitors a number of sources for information about new vulnerabilities and threats and provides up-to-date information to the university community.
- IA performs regular vulnerability scans of university networks to identify vulnerable devices and request remediation.
- IA provides vulnerability management guidance to the university.
Information for Users
Use the latest version of Firefox:
- University-managed machines. MiWorkspace staff will release updates for MiWorkspace machines by Friday (January 10) morning. Staff who manage other university machines are expected to apply the update as appropriate for their environments.
- Personal machines. Firefox is set to update automatically (unless you have changed this setting yourself). You can update manually if you wish. See Update Firefox to the latest release.
In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.
- U.S. Government Confirms Critical Security Warning For Firefox Users (Forbes, 1/9/20)
- Mozilla Foundation Security Advisory 2020-03 (Mozilla, 1/8/20)
- Mozilla Patches Critical Vulnerability (US Department of Homeland Security, Cybersecurity and Infrastructure Security Agency (CISA), 1/8/20)
- Vulnerability in Mozilla Firefox Could Allow for Arbitrary Code Execution (CIS Security, 1/8/20)
- Mozilla Firefox 72.0.1 Patches Actively Exploited Zero-Day (Bleeping Computer, 1/8/20)
- Firefox gets patch for critical 0-day that’s being actively exploited (Ars Technica, 1/8/20)
- CVE-2019-17026: Zero-Day Vulnerability in Mozilla Firefox Exploited in Targeted Attacks (Tenable, 1/8/20)