Mozilla has issued an emergency patch for a remote code execution vulnerability in Firefox that is being used in active attacks right now.
The vulnerability is in the just-in-time (JIT) compiler in Firefox, and Mozilla has released new versions of both the main branch of the browser and the extended support release (ESR) branch to fix the bug. Mozilla warned users that the vulnerability has been used in targeted attacks, making it urgent for customers to update their machines.
“Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion. We are aware of targeted attacks in the wild abusing this flaw,” the Mozilla advisory says.
On Tuesday, Mozilla released Firefox 72, the latest major version of the browser, which brought with it fixes for a number of other security vulnerabilities. Six of those flaws are high-severity bugs, but none is as dangerous as the one that Mozilla fixed on Wednesday with the emergency release. Mozilla did not provide any further details about the vulnerability or the exploits targeting it, but it is quite rare for the company to push out an emergency patch like this.
In June, Mozilla issued an emergency fix for a similar type confusion vulnerability in Firefox, a bug that was also being used in active attacks. That flaw was used in an attack on Coinbase and security researcher Patrick Wardle also discovered that the vulnerability was used to deliver the Netwire Mac malware.
Researchers at Chinese security company Qihoo 360 discovered the new Firefox vulnerability and reported it to Mozilla.