US government urges everyone to update Mozilla Firefox to v72.0.1 because of an active exploit that allows remote code execution

Posted on Jan 10, 2020 by Caleb Chen

department of homeland security mozilla firefox warning

The US government’s Department of Homeland Security is urging all Firefox users to update to v72.0.1 as soon as possible. Earlier this week, a zero day vulnerability was found in the then most current version of the Firefox browser by Mozilla which allows hackers to take over your computer. What’s more, this 0day was found to have already been used in the wild by security researchers from a Chinese firm, Qihoo 360. Remote code execution is the holy grail of zero day vulnerabilities, and the fact that one of the most popular privacy and security focused browsers in the world had such a flaw should be a massive wake up call to internet browser users around the world.

The government’s urgent security message, issued through the Department of Homeland Security’s Cyber + Infrastructure division (CISA), states simply:

“Mozilla has released security updates to address a vulnerability in Firefox and Firefox ESR. An attacker could exploit this vulnerability to take control of an affected system. This vulnerability was detected in exploits in the wild.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Mozilla Security Advisory for Firefox 72.0.1 and Firefox ESR 68.4.1 and apply the necessary updates.”

Mozilla’s released version 72.0.1 very soon after receiving news of the zero day vulnerability. In their announcement that they had fixed the zero day vulnerability, Mozilla also acknowledged that they were aware of “targeted attacks in the wild abusing this flaw.”

Firefox is bloated and contains many vectors for security nightmares to happen: What is Normandy?

Firefox has other privacy concerns regarding telemetry data which Privacy Online News will be revealing in coming posts. What’s out in the open already regarding potential security vectors of attack into Firefox is also concerning. Most people don’t know this, but Firefox comes with a remote access software called “Normandy.” Yes, that’s the same Normandy which is commonly known in history as the beachhead in one of the biggest surprise attacks in history: D-Day.

While Firefox does allow users to disable Normandy in Firefox, they’ve also shown that they’re willing to change that user setting with an automatic update. The fact of the matter is, most internet users are not sophisticated enough to look through code and find these potential vectors of attack – and as this most recent CVE has shown – potentially active vectors of attack. Therefore, it’s become more and more clear that even unsophisticated internet users are the end all be all for securing their own privacy on the internet.