Firefox gets patch for critical 0-day that’s being actively exploited

'Mozilla has released a new version of Firefox that fixes an actively exploited zero-day that could allow attackers to take control of users' computers. In an advisory, Mozilla rated the vulnerability critical and said it was "aware of targeted attacks in the wild abusing this flaw." The US Cybersecurity and Infrastructure Security Agency said one or more exploits were "detected in the wild" and warned that attacks could be exploited to "take control of an affected system."

The Mozilla advisory credited researchers at China-based Qihoo 360 with reporting the flaw. No other details about the attacks were immediately available. Neither Mozilla nor Qihoo 360 responded to emails asking for more information.

CVE-2019-17026, as the vulnerability is indexed, is a type confusion, a potentially critical error that can result in data being written to, or read from, memory locations that are normally off-limits. These out-of-bounds reads may allow attackers to discover memory locations where malicious code is stored so that protections such as address space layout randomization can be bypassed. Out-of-bounds reads can also cause crashes.

The flaw is fixed in Tuesday's release of Firefox 72.0.1. The patch came a day after version 72 fixed 11 other vulnerabilities, six of which were rated high. Three of those six bugs might make it possible for attackers to run malicious code on affected computers.'

-- source: https://arstechnica.com/information-technology/2020/01/firefox-gets-patch-fo...

Cheers, Peter

--
Peter Reutemann
Dept. of Computer Science
University of Waikato, NZ
+64 (7) 858-5174
http://www.cms.waikato.ac.nz/~fracpete/
http://www.data-mining.co.nz/

On Fri, 10 Jan 2020 13:42:39 +1300, Peter Reutemann quoted:
> The flaw is fixed in Tuesday's release of Firefox 72.0.1.
Interesting. I did an upgrade of my Debian Unstable systems 5 days ago, and only got Firefox 71. Checked today, and the package version is now 72.0.1, so I have put that on.

On 10/01/2020, at 15:32, Lawrence D'Oliveiro <ldo(a)geek-central.gen.nz> wrote:
> On Fri, 10 Jan 2020 13:42:39 +1300, Peter Reutemann quoted:
>> The flaw is fixed in Tuesday's release of Firefox 72.0.1.
> Interesting. I did an upgrade of my Debian Unstable systems 5 days ago, and only got Firefox 71. Checked today, and the package version is now 72.0.1, so I have put that on.
72 only became “Stable” on the 7th January (approx. 3 days ago, give or take for timezone calculations).

Cheers! Warren.

(and 68.4)

On Fri, Jan 10, 2020 at 3:50 PM Warren Boyd <warren(a)online.geek.nz> wrote:
> On 10/01/2020, at 15:32, Lawrence D'Oliveiro <ldo(a)geek-central.gen.nz> wrote:
>> On Fri, 10 Jan 2020 13:42:39 +1300, Peter Reutemann quoted:
>>> The flaw is fixed in Tuesday's release of Firefox 72.0.1.
>> Interesting. I did an upgrade of my Debian Unstable systems 5 days ago, and only got Firefox 71. Checked today, and the package version is now 72.0.1, so I have put that on.
> 72 only became “Stable” on the 7th January (approx. 3 days ago, give or take for timezone calculations).
> Cheers! Warren.
participants (4)
- Jake Waas
- Lawrence D'Oliveiro
- Peter Reutemann
- Warren Boyd