The US government’s Department of Homeland Security is urging all Firefox users to update to v72.0.1 as soon as possible. Earlier this week, a zero-day vulnerability was found in the then most current version of Mozilla’s Firefox browser, which allows hackers to take over your computer. What’s more, security researchers from a Chinese firm, Qihoo 360, found that this 0day had already been used in the wild. Remote code execution is the holy grail of zero-day vulnerabilities, and the fact that one of the most popular privacy- and security-focused browsers in the world had such a flaw should be a massive wake-up call to internet browser users around the world. The government’s urgent security message, issued through the Department of Homeland Security’s Cyber + Infrastructure division (CISA), states simply:
“Mozilla has released security updates to address a vulnerability in Firefox and Firefox ESR. An attacker could exploit this vulnerability to take control of an affected system. This vulnerability was detected in exploits in the wild. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Mozilla Security Advisory for Firefox 72.0.1 and Firefox ESR 68.4.1 and apply the necessary updates.”
Mozilla released version 72.0.1 very soon after receiving news of the zero-day vulnerability. In its announcement of the fix, Mozilla also acknowledged that it was aware of “targeted attacks in the wild abusing this flaw.”
The issue is this: Firefox versions for desktop older than the just-patched version contain a critical vulnerability that could allow an attacker to take control of a user’s entire operating system, whether they use Windows or Mac. More alarming, the vulnerability is already being exploited in the wild, which is why Homeland Security stepped in with the urgent plea for users to upgrade.
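For administrators who need to check more than one machine, the comparison against the two fixed versions in the CISA notice can be scripted. The following is an added example, not code from Mozilla or CISA; the host names and inventory are constructed, and the version strings are assumed to be in the format printed by `firefox --version`.

```python
import re

# Fixed versions named in the CISA notice quoted above.
FIXED_RELEASE = (72, 0, 1)   # Firefox
FIXED_ESR = (68, 4, 1)       # Firefox ESR

# Matches "72.0.1", "72.0" or "68.4.1esr"; pre-release strings such as
# "73.0b2" deliberately do not match and fall through to manual review.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)(?:\.(\d+))?(esr)?\b", re.IGNORECASE)


def classify(version_string):
    """Return 'patched', 'needs_update' or 'unknown' for one reported version."""
    match = _VERSION_RE.search(version_string)
    if match is None:
        return "unknown"
    major, minor, patch, esr = match.groups()
    version = (int(major), int(minor), int(patch or 0))
    # ESR builds are compared with the ESR fix, everything else with 72.0.1.
    fixed = FIXED_ESR if esr else FIXED_RELEASE
    return "patched" if version >= fixed else "needs_update"


def hosts_to_follow_up(inventory):
    """Map each host that is not confirmed patched to its status."""
    statuses = {host: classify(reported) for host, reported in inventory.items()}
    return {host: s for host, s in statuses.items() if s != "patched"}


# Constructed sample inventory (hypothetical host names), in the format
# printed by `firefox --version`.
SAMPLE_INVENTORY = {
    "ws-001": "Mozilla Firefox 72.0.1",
    "ws-002": "Mozilla Firefox 72.0",
    "ws-003": "Mozilla Firefox 68.4.1esr",
    "ws-004": "Mozilla Firefox 68.3.0esr",
    "ws-005": "Mozilla Firefox 73.0b2",
    "ws-006": "",
}

if __name__ == "__main__":
    for host, status in sorted(hosts_to_follow_up(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

A version reported without the `esr` suffix is always compared against 72.0.1, so an ESR build whose suffix was lost in the inventory is flagged rather than silently passed.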
Firefox is bloated and contains many vectors for security nightmares to happen: What is Normandy?

Firefox has other privacy concerns regarding telemetry data which Privacy Online News will be revealing in coming posts. What’s out in the open already regarding potential security vectors of attack into Firefox is also concerning. Most people don’t know this, but Firefox comes with remote access software called “Normandy.” Yes, that’s the same Normandy which is commonly known in history as the beachhead in one of the biggest surprise attacks in history: D-Day.
While Firefox does allow users to disable Normandy, they’ve also shown that they’re willing to change that user setting with an automatic update. The fact of the matter is, most internet users are not sophisticated enough to look through code and find these potential vectors of attack – and as this most recent CVE has shown – potentially active vectors of attack. Therefore, it’s become more and more clear that even unsophisticated internet users are the end-all, be-all for securing their own privacy on the internet.
About Caleb Chen

Caleb Chen is a digital currency and privacy advocate who believes we must #KeepOurNetFree, preferably through decentralization. Caleb holds a Master's in Digital Currency from the University of Nicosia as well as a Bachelor's from the University of Virginia. He feels that the world is moving towards a better tomorrow, bit by bit by Bitcoin.