CVE-2019-17026, as the vulnerability is indexed, is a type confusion, a potentially critical error that can result in data being written to, or read from, memory locations that are normally off-limits. These out-of-bounds reads may allow attackers to discover memory locations where malicious code is stored so that protections such as address space layout randomization can be bypassed. Out-of-bounds reads can also cause crashes.
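To make the "type confusion" class concrete, here is a small constructed C model added for this page; it is not Firefox or SpiderMonkey code and does not reflect the specific bug. It models an engine value as a tag plus a payload union, shows how a code path that assumes the wrong type derives a bogus array length from the payload (the step that lets a later index escape its bounds), and places the tag-and-bounds-checked accessor beside it. The confused path deliberately never dereferences anything, so the program is safe to run; all names (`Value`, `confused_array_length`, `checked_array_get`) are assumptions of the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a tagged engine value: the tag says what the payload is. */
typedef enum { T_INT = 1, T_ARRAY = 2 } ValueTag;

typedef struct {
    uint32_t       len;    /* number of valid elements */
    const int32_t *elems;  /* backing store */
} ArrayPayload;

typedef struct {
    ValueTag tag;
    union {
        int64_t      i;    /* meaningful only when tag == T_INT */
        ArrayPayload arr;  /* meaningful only when tag == T_ARRAY */
    } u;
} Value;

static Value make_int(int64_t i) {
    Value v;
    memset(&v, 0, sizeof v);
    v.tag = T_INT;
    v.u.i = i;
    return v;
}

static Value make_array(const int32_t *elems, uint32_t len) {
    Value v;
    memset(&v, 0, sizeof v);
    v.tag = T_ARRAY;
    v.u.arr.len = len;
    v.u.arr.elems = elems;
    return v;
}

/* Confused path: trusts an assumption that v is an array and reads the length
   from whatever bits occupy the payload. It returns the length a bounds check
   would trust instead of dereferencing, which keeps this demo safe to run. */
uint32_t confused_array_length(const Value *v) {
    return v->u.arr.len;
}

/* Checked path: verify the tag before interpreting the payload, then bounds-check.
   Returns 1 and stores the element on success; returns 0 and leaves *out alone
   on a type mismatch or an out-of-range index. */
int checked_array_get(const Value *v, uint32_t idx, int32_t *out) {
    if (v->tag != T_ARRAY) return 0;           /* wrong type: refuse */
    if (idx >= v->u.arr.len) return 0;         /* out of bounds: refuse */
    *out = v->u.arr.elems[idx];
    return 1;
}

/* Demo: an integer value (all payload bits set) seen through the confused path
   looks like an array of 0xFFFFFFFF elements, so nearly any index would "pass". */
uint32_t demo_confused_length(void) {
    Value n = make_int(-1);
    return confused_array_length(&n);
}

/* Demo: the checked path rejects the same integer value outright. */
int demo_checked_rejects_int(void) {
    Value n = make_int(-1);
    int32_t out = 0;
    return checked_array_get(&n, 0, &out);
}

/* Demo: the checked path serves a real array and rejects an index past its end. */
int demo_checked_array_in_bounds(void) {
    static const int32_t data[3] = { 10, 20, 30 };  /* constructed sample data */
    Value a = make_array(data, 3);
    int32_t out = 0;
    return checked_array_get(&a, 2, &out) ? out : -1;
}

int demo_checked_array_out_of_bounds(void) {
    static const int32_t data[3] = { 10, 20, 30 };
    Value a = make_array(data, 3);
    int32_t out = 0;
    return checked_array_get(&a, 3, &out);
}

int main(void) {
    printf("length the confused path would trust for an int value: 0x%x\n",
           demo_confused_length());
    printf("checked path accepts int as array: %d\n", demo_checked_rejects_int());
    printf("checked path, array[2]: %d\n", demo_checked_array_in_bounds());
    printf("checked path accepts array[3] (len 3): %d\n", demo_checked_array_out_of_bounds());
    return 0;
}
```

The point of the side-by-side is that the bug is not in the array access itself but in the earlier decision about what the value is: once that decision is wrong, the length used for bounds checking is whatever bits happen to be there, and reads or writes can land anywhere. The checked accessor closes that gap by re-verifying the tag at the point of use.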
The flaw is fixed in Tuesday's release of Firefox 72.0.1. The patch came a day after version 72 fixed 11 other vulnerabilities, six of which were rated high. Three of those six bugs might make it possible for attackers to run malicious code on affected computers.
The patching of CVE-2019-17026 comes seven months after Mozilla patched a pair of potent zero-days that attackers exploited in an attempt to install an undetected backdoor on Macs used by cryptocurrency exchange Coinbase.
While details of the new exploits are unavailable, Firefox users should install the patch as soon as practical. The easiest way to do that is to use the in-browser update feature, which is available by clicking "About Firefox." In Windows, it's available in the menu's Help section. On Macs, it's in the menu's Firefox section.