Update Firefox now, because the Department of Homeland Security is telling you to

Posted:
in General Discussion edited January 2020
A recent release of Firefox had a bug severe enough, that the US government is telling everyone to update to guarantee online safety.

Mozilla Firefox
Mozilla Firefox


Mozilla has issued an update to its Firefox browser that fixes a critical security issue that could allow attackers to take control of affected computers. The issue has previously not been reported, but according to the Department of Homeland Security, it was already being exploited in attacks.

To update Firefox, users can open the browser, click on the Firefox menu, then on About Firefox. This will start the update.

Alternatively, users can visit the official site to download Firefox.

"Mozilla has released security updates to address a vulnerability in Firefox and Firefox ESR," wrote the US Department's Cyber-Infrastructure (CISA) division in a statement. "An attacker could exploit this vulnerability to take control of an affected system. This vulnerability was detected in exploits in the wild."

"[The CISA] encourages users and administrators to review the Mozilla Security Advisory for Firefox 72.0.1 and Firefox ESR 68.4.1 and apply the necessary updates," it concludes.

Choosing
Choosing "About Firefox" will either start the update or, as here, show you when the latest one has been successfully installed


Firefox ESR is the version of the browser built for enterprise customers.

Mozilla's advisory for both this and the regular Firefox edition repeats the information that "we are aware of targeted attacks in the wild abusing this flaw."

In May 2019, Mozilla also required users to update Firefox following multiple failures with browser extensions.
«1

Comments

  • Reply 1 of 30
    Yeah, update now! Because having a "critical security issue that could allow attackers to take control of affected computers" that was previously unreported sounds like a great selling point. Yeesh.

    Maybe delete Firefox and
     switch to a different browser. 
    baconstangwatto_cobra
  • Reply 2 of 30
    SoliSoli Posts: 10,033member
    Yeah, update now! Because having a "critical security issue that could allow attackers to take control of affected computers" that was previously unreported sounds like a great selling point. Yeesh.

    Maybe delete Firefox and switch to a different browser. 
    Whose to say that any other browser doesn't have severe exploits used by those with nefarious intentions? I say just update your browser and access the internet wisely.

    Apple has certainly had their share of critical bugs. How many years was Apple's "goto fail" bug present? Any captured SSL traffic could've been read which means for years your secure traffic was as good as plaintext for any person or agency that knew how to read it. That even includes after the fact for rooting through data dumps to peak at private information, which is why (for one) had to go change every password in my password manager after this bug was discovered and patched.
    StrangeDaysviclauyycGeorgeBMac
  • Reply 3 of 30
    dewmedewme Posts: 4,250member
    Firefox sure likes to talk the talk when it comes to security. It’s too bad they can’t back up their bravado with real world performance. Yeah, everything that depends on humans is inherently vulnerable to flaws and failures, which is why they should be a little less bold in their claims of providing a secure browsing experience. If they and all other apps that make bold statements about the security were forthright they’d simply state “we’ll try our best” when setting expectations. 
    watto_cobra
  • Reply 4 of 30
    Yeah, update now! Because having a "critical security issue that could allow attackers to take control of affected computers" that was previously unreported sounds like a great selling point. Yeesh.

    Maybe delete Firefox and switch to a different browser. 
     Firefox zero-days are pretty rare. The last one was reported in December 2016”
    GeorgeBMacwatto_cobra
  • Reply 5 of 30
    Soli said:
    Yeah, update now! Because having a "critical security issue that could allow attackers to take control of affected computers" that was previously unreported sounds like a great selling point. Yeesh.

    Maybe delete Firefox and switch to a different browser. 
    Whose to say that any other browser doesn't have severe exploits used by those with nefarious intentions? I say just update your browser and access the internet wisely.

    Apple has certainly had their share of critical bugs. How many years was Apple's "goto fail" bug present? Any captured SSL traffic could've been read which means for years your secure traffic was as good as plaintext for any person or agency that knew how to read it. That even includes after the fact for rooting through data dumps to peak at private information, which is why (for one) had to go change every password in my password manager after this bug was discovered and patched.
    Are you changing all of your passwords now too?
    coolfactorwatto_cobra
  • Reply 6 of 30
    SoliSoli Posts: 10,033member
    Soli said:
    Yeah, update now! Because having a "critical security issue that could allow attackers to take control of affected computers" that was previously unreported sounds like a great selling point. Yeesh.

    Maybe delete Firefox and switch to a different browser. 
    Whose to say that any other browser doesn't have severe exploits used by those with nefarious intentions? I say just update your browser and access the internet wisely.

    Apple has certainly had their share of critical bugs. How many years was Apple's "goto fail" bug present? Any captured SSL traffic could've been read which means for years your secure traffic was as good as plaintext for any person or agency that knew how to read it. That even includes after the fact for rooting through data dumps to peak at private information, which is why (for one) had to go change every password in my password manager after this bug was discovered and patched.
    Are you changing all of your passwords now too?
    Why would I do that?
  • Reply 7 of 30
    After doing this same dance for the last 20 years, you’d think browsers would be completely sandboxed and unable to modify the OS.
    dysamoriaStrangeDays
  • Reply 8 of 30
    rob53rob53 Posts: 2,954member
    Just checked the CVE website and they're still showing it as being reserved without any information although the CVE number, CVE-2019-17026, was assigned 9/30/2019 so it's been known for awhile.

    I don't remember ever seeing DHS actually make an announcement like this so especially in today's political environment I am a little suspicious about it. Firefox/Mozilla is open source so I wonder if someone slipped something in that DHS finally discovered. We've been told because of the assassination of General Qasem Soleimani to expect more cyber attacks so maybe this is the first one found. Who knows because there isn't any public information being given on this patch other than "CVE-2019-17026 is a type confusion vulnerability in IonMonkey, the JavaScript Just-In-Time (JIT) compiler for SpiderMonkey, Mozilla’s JavaScript engine. According to Mozilla’s advisory, the flaw exists in the JIT compiler due to “incorrect alias information for setting array elements,” specifically in StoreElementHole and FallibleStoreElement."

    This is where it is officially identified, cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17026 There's nothing there to look at, however.
    viclauyycwatto_cobra
  • Reply 9 of 30
    I just updated my FF ESR. it took all of 60 seconds and all my existing tabs were reopened. This is hardly an onerous task.
    Now on 68.4.1ESR

    As for moving to another browser... What do you suggest then? Chrome... ROFL
    MplsPwatto_cobra
  • Reply 10 of 30
    Yeah, update now! Because having a "critical security issue that could allow attackers to take control of affected computers" that was previously unreported sounds like a great selling point. Yeesh.

    Maybe delete Firefox and
     switch to a different browser. 
    I literally updated yesterday. What's the big deal? Like other software haven't had critical vulnerabilities. *cough* Flash *cough* For that matter, why don't you chuck your computers since Intel vulnerabilities still exist?

    watto_cobra
  • Reply 11 of 30
    jcs2305jcs2305 Posts: 1,283member
    Yeah, update now! Because having a "critical security issue that could allow attackers to take control of affected computers" that was previously unreported sounds like a great selling point. Yeesh.

    Maybe delete Firefox and
     switch to a different browser. 
    I literally updated yesterday. What's the big deal? Like other software haven't had critical vulnerabilities. *cough* Flash *cough* For that matter, why don't you chuck your computers since Intel vulnerabilities still exist?


    What's the big deal with the OP hinting at removing this browser? People are defending Firefox like they are employed by them.. ease up. Flash has zero to do with this or the OP's opinion. Sheesh..

    I also don't recall Flash or the goto fail bug granting control of a person's machine to an outside attacker. I could be wrong for sure.. just don't recall hearing that specifically. Or the federal government making a statement about either of them. Maybe the fact the the Dept of Homeland Security is telling folks that this exploit has been around for a while and has positively been exploited in the wild makes it bit more real and unnerving to some folks.  

    Personally I use Frirefox on my Windows wok machine, but none of my macs or IOS devices so it wasn't that big of deal for me to update either.
    muthuk_vanalingamwatto_cobra
  • Reply 12 of 30
    StrangeDaysStrangeDays Posts: 12,067member
    Yeah, update now! Because having a "critical security issue that could allow attackers to take control of affected computers" that was previously unreported sounds like a great selling point. Yeesh.

    Maybe delete Firefox and switch to a different browser. 
    If you did this for every browser that had such an issue, you wouldn’t have any left to use. 
    sandorGeorgeBMacronnmuthuk_vanalingamwatto_cobra
  • Reply 13 of 30
    The tin foil hat dude side of me wants to say that the only "security issue" Firefox really has is the absence of the DHS surveillance code.
    JaiOh81leehammwatto_cobra
  • Reply 14 of 30
    sandorsandor Posts: 639member
    Yeah, update now! Because having a "critical security issue that could allow attackers to take control of affected computers" that was previously unreported sounds like a great selling point. Yeesh.

    Maybe delete Firefox and switch to a different browser. 

    What browser do you switch to?
    Chrome had a zero-day back in March and another in November
    Safari had 2 back in March
    ...



    GeorgeBMacronnmuthuk_vanalingamwatto_cobra
  • Reply 15 of 30
    The tin foil hat dude side of me wants to say that the only "security issue" Firefox really has is the absence of the DHS surveillance code.
    This was my initial thought too
    edited January 2020 watto_cobra
  • Reply 16 of 30
    lkrupplkrupp Posts: 9,991member
    Soli said:
    Yeah, update now! Because having a "critical security issue that could allow attackers to take control of affected computers" that was previously unreported sounds like a great selling point. Yeesh.

    Maybe delete Firefox and switch to a different browser. 
    Whose to say that any other browser doesn't have severe exploits used by those with nefarious intentions? I say just update your browser and access the internet wisely.

    Apple has certainly had their share of critical bugs. How many years was Apple's "goto fail" bug present? Any captured SSL traffic could've been read which means for years your secure traffic was as good as plaintext for any person or agency that knew how to read it. That even includes after the fact for rooting through data dumps to peak at private information, which is why (for one) had to go change every password in my password manager after this bug was discovered and patched.
    And yet there is absolutely no data on who and how many users were compromised by any of this stuff. Not only Apple but everybody has had their share of critical bugs over the years but we never hear hard facts on the scope of those bugs. I can’t remember any time that an AppleInsider employee or member stood up, raised their hand, and said “Yep, this one got me and I have been damaged by it.” Lots of chest thumping about security prowess by researchers. Lots of dire warnings of Armageddon.  But it’s all shadowy mists and smoke when it comes to who and how many got hit. Ransomware attacks on cities make the news but I’m guessing the typical American town, village, city is woefully behind the times on networking and security, and their IT departments run by local junior college MCSE types.
    watto_cobra
  • Reply 17 of 30
    SoliSoli Posts: 10,033member
    lkrupp said:
    Soli said:
    Yeah, update now! Because having a "critical security issue that could allow attackers to take control of affected computers" that was previously unreported sounds like a great selling point. Yeesh.

    Maybe delete Firefox and switch to a different browser. 
    Whose to say that any other browser doesn't have severe exploits used by those with nefarious intentions? I say just update your browser and access the internet wisely.

    Apple has certainly had their share of critical bugs. How many years was Apple's "goto fail" bug present? Any captured SSL traffic could've been read which means for years your secure traffic was as good as plaintext for any person or agency that knew how to read it. That even includes after the fact for rooting through data dumps to peak at private information, which is why (for one) had to go change every password in my password manager after this bug was discovered and patched.
    And yet there is absolutely no data on who and how many users were compromised by any of this stuff. Not only Apple but everybody has had their share of critical bugs over the years but we never hear hard facts on the scope of those bugs. I can’t remember any time that an AppleInsider employee or member stood up, raised their hand, and said “Yep, this one got me and I have been damaged by it.” Lots of chest thumping about security prowess by researchers. Lots of dire warnings of Armageddon.  But it’s all shadowy mists and smoke when it comes to who and how many got hit. Ransomware attacks on cities make the news but I’m guessing the typical American town, village, city is woefully behind the times on networking and security, and their IT departments run by local junior college MCSE types.
    Then your recommendation is that people shouldn't bother updating Firefox because we don't know of any exploit those occurred? You don't seem to understand that security occurs through vigilance and being proactive, not assuming that you're in vulnerable simply because you don't believe you've yet been attacked..
    MplsPwatto_cobra
  • Reply 18 of 30
    GeorgeBMacGeorgeBMac Posts: 11,421member

    "[The CISA] encourages users and administrators to review the Mozilla Security Advisory for Firefox 72.0.1 and Firefox ESR 68.4.1 and apply the necessary updates," it concludes.



    I guess I'm missing something:   Mine says:   "72.0.1"  and "FireFox is up to date".  Neither does it provide any method for triggering an update.

    Ooops!  I get it now:  When I checked on my Mac is said 71.0.1 and required 2 updates to get it to 72.0.1
    FireFox updates pretty regularly on my laptop which is why I was surprised we had to do it manually.   But, I don't use it very often on my MacBook (only when trying to sync with something on my laptop) so that may be why it was out of date there.
     
    watto_cobra
  • Reply 19 of 30
    The tin foil hat dude side of me wants to say that the only "security issue" Firefox really has is the absence of the DHS surveillance code.

    Indeed. Why else would DHS consider it so urgent to tell us to upgrade?
    watto_cobra
  • Reply 20 of 30
    DAalsethDAalseth Posts: 2,047member
    Is this just desktop Firefox or does it include the iOS versions too? I just checked the AppStore and there are no updates for FF available.
    GeorgeBMacwatto_cobra
Sign In or Register to comment.