Hackers are using a major security flaw in the Mozilla Firefox web browser to carry out ‘targeted attacks’ on some users, US government warns
- Mozilla says the weakness has been fixed and the patch sent out in an automatic update
- US cybersecurity agency says hackers were found exploiting it ‘in the wild’
- Users are urged to manually update the app to ensure they are fully protected
Mozilla has been forced to rush out a fix to its Firefox browser after it was revealed a critical vulnerability was allowing hackers to target users.
The US Cybersecurity and Infrastructure Security Agency (CISA) revealed the vulnerability could have allowed criminals to seize total control of the browser.
Mozilla said it had found evidence that hackers were actively exploiting the vulnerability in ‘targeted attacks’ against users.
Mozilla prides itself on stringent security protocols and pushed out an automatic update with a patch for the vulnerability.
Users are urged to update the browser manually to ensure they are fully protected from any attacks.
Mozilla has made a concerted effort to court users away from other browsers like Google Chrome by building privacy into its experience, but a serious flaw this week exposed customers.
HOW TO GET THE LATEST VERSION OF FIREFOX
The fix was sent out on Wednesday in an automatic update.
Users should manually update their app to ensure they are fully protected.
To do so, open your browser, click on ‘Firefox’ in the top menu, and then select ‘About Firefox.’
A popup window will open and assess which version of the browser you’re running.
If you have an older version of the browser, it’ll automatically update and then ask you to restart your browser.
All your open windows will be restored.
The browser will then be fully up to date.
The CISA said in a statement: ‘Mozilla has released security updates to address a vulnerability in Firefox and Firefox ESR.
‘An attacker could exploit this vulnerability to take control of an affected system.
‘This vulnerability was detected in exploits in the wild.
‘The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Mozilla Security Advisory for Firefox 72.0.1 and Firefox ESR 68.4.1 and apply the necessary updates.’
Mozilla claims it was first made aware of the zero-day vulnerability when Chinese security company Qihoo 360 notified the company.
‘On Tuesday, January 7, 2020, Chinese security firm Qihoo 360 reported a vulnerability that was used as part of targeted attacks on a local network,’ a Mozilla spokesperson said in a statement.
‘We started shipping Firefox updates to address this security vulnerability the next morning.’
It is unknown how many people were subjected to attacks and what the hackers had access to.
But Mozilla did confirm that it is ‘aware of targeted attacks in the wild abusing this flaw.’
Mozilla has not revealed specifics of how the attackers exploited the vulnerability, but it is believed to be a type of memory bug.
WHAT ARE THE MOST POPULAR PC INTERNET BROWSERS?
- Google Chrome – 67.63 per cent
- Mozilla Firefox – 10.97 per cent
- Internet Explorer – 7.02 per cent
- Apple Safari – 5.13 per cent
- Microsoft Edge – 4.24 per cent
- Opera – 2.48 per cent
Attackers found a way to read data in memory locations that should be hidden from view.
Writing their own malicious code into these locations can bypass protections and enable access to the system.
In the update, the loophole has been closed.
Javvad Malik, security awareness advocate at KnowBe4, told MailOnline: ‘Specifics of the hack are not fully clear at this point beyond the fact that it allowed an attacker to execute code on a system running Firefox.
‘Given the fact that Mozilla patched the flaw very quickly, and pushed it out to install automatically indicates how seriously the company took the flaw and ensured all users were protected immediately.
‘It’s why it is recommended that where feasible, users turn on auto updates for software so that they remain up to date at all times and reduce any window of opportunity for attackers.’