Mozilla has patched a critical vulnerability in its browser that has drawn the attention of US Homeland Security. The zero-day exploit was discovered by Qihoo 360, and has its roots in Firefox's just-in-time compiler, which is used to speed up JavaScript performance.
According to the advisory, incorrect alias information could lead to type confusion, which attackers can exploit to attack users. In fact, Mozilla says it has discovered instances of this being exploited in the wild, which makes updating even more critical.
“Mozilla has released security updates to address a vulnerability in Firefox and Firefox ESR. An attacker could exploit this vulnerability to take control of an affected system,” said Homeland Security's CISA. “The Cybersecurity and Infrastructure Security Agency encourages users and administrators to review the Mozilla Security Advisory for Firefox 72.0.1 and Firefox ESR 68.4.1 and apply the necessary updates.”
To gain control of a computer, an attacker would simply have to convince a user to access a website with malicious JavaScript. The bug lets the script run outside of the browser, possibly without the user noticing.
Users should check their Firefox version immediately and ensure their version number is higher than 72.0. Thankfully, the vulnerability was found 2 days after 72's release, but it'll undoubtedly take a while for all users to apply the fix. You can do so by opening the hamburger menu and heading to Help > About Firefox > Restart to Update Firefox.
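For administrators checking many machines rather than one, the sketch below is an added example (not from Mozilla or CISA) that compares reported version strings against the two fixed versions named in the advisory, 72.0.1 and ESR 68.4.1, so that a patched ESR build is not flagged just because its number is below 72. The hostnames, the inventory itself and the assumption that ESR builds report an `esr` suffix (as in `Mozilla Firefox 68.4.1esr`) are constructed for illustration.

```python
import re

# Fixed versions named in the advisory quoted above, per release channel.
FIXED = {"release": (72, 0, 1), "esr": (68, 4, 1)}

# Matches "72.0", "72.0.1" or "68.4.1esr" inside a longer version string.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?", re.IGNORECASE)


def parse_firefox_version(text):
    """Return (channel, (major, minor, patch)) from a reported version string."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no Firefox version found in {text!r}")
    major, minor, patch, esr = match.groups()
    channel = "esr" if esr else "release"
    return channel, (int(major), int(minor), int(patch or 0))


def needs_update(text):
    """True when the version is older than the fixed version for its channel."""
    channel, version = parse_firefox_version(text)
    return version < FIXED[channel]


def audit(inventory):
    """Return the sorted hosts whose Firefox build predates the fix."""
    return sorted(host for host, text in inventory.items() if needs_update(text))


# Constructed sample inventory: host name -> reported version string.
SAMPLE_INVENTORY = {
    "ws-01": "Mozilla Firefox 72.0",       # release, one step behind the fix
    "ws-02": "Mozilla Firefox 72.0.1",     # release, fixed
    "ws-03": "Mozilla Firefox 68.4.1esr",  # ESR, fixed although below 72
    "ws-04": "Mozilla Firefox 68.4.0esr",  # ESR, behind the fix
    "ws-05": "Mozilla Firefox 71.0",       # release, behind the fix
}

if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print(f"{host}: update required ({SAMPLE_INVENTORY[host]})")
```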
Updated or not, you should always keep an eye out for suspicious links. Don't click any from senders you don't trust, and even then ensure they've been arranged in advance. This isn't the first time Firefox has run into issues, nor Chrome or Edge, for that matter.