CVE-2019-17026: Zero-Day Vulnerability in Mozilla Firefox Exploited in Targeted Attacks
Mozilla releases patch to address Firefox flaw being used as part of targeted attacks.
背景
On January 8, Mozilla Foundation released a security advisory to address a critical zero-day flaw in Mozilla Firefox, which has been exploited in targeted attacks.
分析
CVE-2019-17026 is a type confusion vulnerability in IonMonkey, the JavaScript Just-In-Time (JIT) compiler for SpiderMonkey, Mozilla’s JavaScript engine. According to Mozilla’s advisory, the flaw exists in the JIT compiler due to “incorrect alias information for setting array elements,” specifically in StoreElementHole and FallibleStoreElement.
The vulnerability was reported to Mozilla by researchers at Qihoo 360 ATA. Mozilla’s advisory states they are “aware of targeted attacks in the wild abusing this flaw.” Based on this note in the advisory, it appears the vulnerability was exploited in the wild as a zero-day. Further information about the exploitation was not available at the time this blog post was published.
This advisory follows the release of Firefox 72 and Firefox Extended Support Release (ESR) 68.4 on January 7, which included the following security advisories:
- Firefox 72: Mozilla Foundation Security Advisory 2020-01
- Firefox ESR 68.4: Mozilla Foundation Security Advisory 2020-02
Last year, Mozilla patched CVE-2019-11707, another type confusion flaw that was used in conjunction with CVE-2019-11708, a sandbox escape vulnerability in targeted attacks.
概念验证
At this time, no proof of concept is available for this vulnerability.
解决方案
To address CVE-2019-17026, Mozilla released Firefox 72.0.1 and Firefox ESR 68.4.1. Because this vulnerability has been exploited in targeted attacks, Firefox users are advised to upgrade as soon as possible.
识别受影响的系统
A list of Tenable plugins to identify this vulnerability will appear here as they’re released.
获取更多信息
加入 Tenable Community 中的 Tenable 安全响应团队
了解有关 Tenable 这款首创 Cyber Exposure 平台的更多信息,全面管理现代攻击面。
获取 30 天免费试用 Tenable.io 漏洞管理平台的机会。
Satnam Narang
安全响应高级员工研究工程师
Satnam 于 2018 年入职 Tenable。他有 15 年以上的行业经验(M86 Security 和 Symantec)。 他为反网络钓鱼工作组做出了贡献,助力国家网络安全联盟开发了一个社交网络指南,在 Twitter 上发现了一个巨大的垃圾邮件僵尸网络,并且是在 Tinder 上报告垃圾邮件僵尸网络第一人。 他还参加过 NBC Nightly News、Entertainment Tonight、Bloomberg West 和 Why Oh Why 的节目。
工作外兴趣:Satnam 写写诗,创作嘻哈音乐。他喜欢观看实况音乐,花时间教育三个侄女,享受足球和篮球带来的快乐,观看和收听宝莱坞电影和音乐以及 Grogu (Baby Yoda)。
相关文章
CVE-2025-20333, CVE-2025-20362: Frequently Asked Questions About Zero-Day Cisco Adaptive Security Appliance (ASA) and Firewall Threat Defense (FTD) Vulnerabilities
Cisco published advisories and a supplemental post about three zero-day vulnerabilities, two of which were exploited in the wild by an advanced threat actor associated with the ArcaneDoor campaign.
IDC Ranks Tenable #1 in WW Device Vulnerability and Exposure Management Market Share
Tenable’s market share leadership in Worldwide Device Vulnerability and Exposure Management is a testament to the trust tens of thousands of customers place in Tenable One every day. Our placement also marks seven consecutive years at #1.
Microsoft’s September 2025 Patch Tuesday Addresses 80 CVEs (CVE-2025-55234)
Microsoft addresses 80 CVEs, including eight flaws rated critical with one publicly disclosed.
- Vulnerability Management
联系我们的销售团队