{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2020-001.pdf"
    },
    "title": "Critical Vulnerability in Mozilla Firefox",
    "serial_number": "2020-001",
    "publish_date": "10-01-2020 14:25:00",
    "description": "A critical vulnerability affecting Mozilla Firefox has been disclosed. The vulnerability, identified as CVE-2019-17026, allows attackers to write to and read from memory locations that are off-limits, and could lead to information disclosures, security bypass and crashes. This vulnerability is actively being exploited in the wild.",
    "url_title": "2020-001",
    "content_markdown": "---\ntitle: 'Critical Vulnerability in Mozilla Firefox'\nversion: '1.0'\nnumber: '2020-001'\ndate: 'January 10, 2020'\n---\n\n_History:_\n\n* _10/01/2020 --- v1.0 -- Initial publication_\n\n# Summary\n\nA critical vulnerability affecting Mozilla Firefox has been disclosed [1]. The vulnerability, identified as CVE-2019-17026, allows attackers to write to and read from memory locations that are off-limits, and could lead to information disclosures, security bypass and crashes. This vulnerability is actively being exploited in the wild.\n\n# Technical Details\n\nThis vulnerability is a _type confusion_ in the IonMonkey Just-in-Time (JIT) compiler for SpiderMonkey [2]. It could occur when a resource is accessed as a type that is different from, and incompatible with, the original one. Depending on the type confusion, an attacker could disclose sensitive information or cause crashes by accessing memory locations that are off-limits.\n\n# Products Affected\n\nThis vulnerability affects the following products:\n\n* Firefox prior to 72.0.1\n* Firefox ESR prior to 68.4.1\n\n# Recommendations\n\nAs this vulnerability is under active exploitation, it is highly recommended to update to the latest version of Firefox or Firefox ESR.\n\n# References\n\n[1] <https://www.mozilla.org/en-US/security/advisories/mfsa2020-03/>\n\n[2] <https://www.tenable.com/blog/cve-2019-17026-zero-day-vulnerability-in-mozilla-firefox-exploited-in-targeted-attacks>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>10/01/2020 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>A critical vulnerability affecting Mozilla Firefox has been disclosed [1]. The vulnerability, identified as CVE-2019-17026, allows attackers to write to and read from memory locations that are off-limits, and could lead to information disclosures, security bypass and crashes. This vulnerability is actively being exploited in the wild.</p><h2 id=\"technical-details\">Technical Details</h2><p>This vulnerability is a <em>type confusion</em> in the IonMonkey Just-in-Time (JIT) compiler for SpiderMonkey [2]. It could occur when a resource is accessed as a type that is different from, and incompatible with, the original one. Depending on the type confusion, an attacker could disclose sensitive information or cause crashes by accessing memory locations that are off-limits.</p><h2 id=\"products-affected\">Products Affected</h2><p>This vulnerability affects the following products:</p><ul><li>Firefox prior to 72.0.1</li><li>Firefox ESR prior to 68.4.1</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>As this vulnerability is under active exploitation, it is highly recommended to update to the latest version of Firefox or Firefox ESR.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.mozilla.org/en-US/security/advisories/mfsa2020-03/\">https://www.mozilla.org/en-US/security/advisories/mfsa2020-03/</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.tenable.com/blog/cve-2019-17026-zero-day-vulnerability-in-mozilla-firefox-exploited-in-targeted-attacks\">https://www.tenable.com/blog/cve-2019-17026-zero-day-vulnerability-in-mozilla-firefox-exploited-in-targeted-attacks</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}