CVE-2019-17026:Zero-Day Vulnerability in Mozilla Firefox Exploited in Targeted Attacks
Mozilla releases patch to address Firefox flaw being used as part of targeted attacks.
背景說明
On January 8, Mozilla Foundation released a security advisory to address a critical zero-day flaw in Mozilla Firefox, which has been exploited in targeted attacks.
分析
CVE-2019-17026 is a type confusion vulnerability in IonMonkey, the JavaScript Just-In-Time (JIT) compiler for SpiderMonkey, Mozilla’s JavaScript engine. According to Mozilla’s advisory, the flaw exists in the JIT compiler due to “incorrect alias information for setting array elements,” specifically in StoreElementHole and FallibleStoreElement.
The vulnerability was reported to Mozilla by researchers at Qihoo 360 ATA. Mozilla’s advisory states they are “aware of targeted attacks in the wild abusing this flaw.” Based on this note in the advisory, it appears the vulnerability was exploited in the wild as a zero-day. Further information about the exploitation was not available at the time this blog post was published.
This advisory follows the release of Firefox 72 and Firefox Extended Support Release (ESR) 68.4 on January 7, which included the following security advisories:
- Firefox 72: Mozilla Foundation Security Advisory 2020-01
- Firefox ESR 68.4: Mozilla Foundation Security Advisory 2020-02
Last year, Mozilla patched CVE-2019-11707, another type confusion flaw that was used in conjunction with CVE-2019-11708, a sandbox escape vulnerability in targeted attacks.
概念驗證
At this time, no proof of concept is available for this vulnerability.
解決方法
To address CVE-2019-17026, Mozilla released Firefox 72.0.1 and Firefox ESR 68.4.1. Because this vulnerability has been exploited in targeted attacks, Firefox users are advised to upgrade as soon as possible.
找出受影響的系統
A list of Tenable plugins to identify this vulnerability will appear here as they’re released.
取得更多資訊
加入 Tenable Community 的 Tenable 安全回應團隊。
深入瞭解 Tenable,這是用於全面管理新型攻擊破綻的首創 Cyber Exposure 平台。
Get a free 30-day trial of Tenable.io Vulnerability Management.
Satnam Narang
安全應變資深研發工程師
Satnam 於 2018 年加入 Tenable 公司。他在業界擁有 15 年的豐富經驗 (M86 Security 和賽門鐵克)。 他對於防網路釣魚工作小組 (Anti-Phishing Working Group) 多所貢獻,協助美國國家網路安全聯盟 (National Cyber Security Alliance) 開發一份社群網路指南 (Social Networking Guide),並且揭露了一個 Twitter 上的龐大垃圾郵件 botnet,同時也是第一個提報 Tinder 上垃圾郵件機器人的人。他還曾出現在 NBC 夜線新聞、Entertainment Tonight、Bloomberg West 以及 Why Oh Why 播客中。
他在工作之餘的興趣:Satnam 喜歡寫詩和創作嘻哈音樂。他喜歡參加現場音樂表演、和他 3 個姪女做伴、足球、藍球、看寶萊塢電影、玩音樂以及 Grogu (尤達寶寶)。
相關文章
Forrester Names Tenable a Leader in the Q3 2025 Unified Vulnerability Management Solutions Wave™ Report
“Tenable continues to extend its established vulnerability management offerings into exposure management with its Tenable One platform,” according to the report....
CVE-2025-53770: Frequently Asked Questions About Zero-Day SharePoint Vulnerability Exploitation
Successful exploitation of CVE-2025-53770 could expose MachineKey configuration details from a vulnerable SharePoint Server, ultimately enabling unauthenticated remote code execution....
CVE-2025-54309: CrushFTP Zero-Day Vulnerability Exploited In The Wild
A critical zero-day flaw in CrushFTP that can grant attackers administrator access was discovered on July 18 and is under active exploitation....
- Vulnerability Management