Why you should update Firefox right now, according to the U.S. Department of Homeland Security
The U.S. Department of Homeland Security has issued an alert about a “critical vulnerability” affecting Mozilla’s Firefox browser. The DHS has advised all Firefox users to update their browser software immediately.
In this short article, we’ll explain what the vulnerability is, help you parse the language used in the security advisory, tell you who is affected, and let you know how to get your updates and stay safe.
What is the vulnerability?
What does it mean?
Compilers are great, because they can create optimized versions of code that computers can then read and execute very quickly. But they can also be slow in the beginning, because they first have to translate an entire chunk of human-readable code into a computer-readable format, which takes time. Interpreters, by contrast, get going very fast, but they are highly inefficient over time, since they have to translate each piece of code every time it runs, even if they have already done the same translation before.
This brings us to the issue of “type confusion”. We won’t go into a ton of detail here, since that would take us into the nitty-gritty of how computer memory actually works (and how hackers take advantage of it). But it’s enough to say that certain programming languages, like the ones used to write programs such as compilers, require programmers to specify carefully how data is stored and referenced in computer memory. If they’re not careful, bugs can leave an area of memory exposed and allow an attacker to place malicious code there, which the computer may take for legitimate code and execute. This can happen in a number of ways, and “type confusion” is one of them. A type confusion occurs when a program expects one type of data and instead gets another, which can lead to crashes or, even worse, allow attackers to write data to memory locations that they shouldn’t have access to.
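To make the idea concrete, here is an added toy model (not code from this article, from Mozilla, or from Firefox) of the “boxed” values a script engine keeps in memory: each value carries a type tag plus eight raw payload bytes. A checked accessor verifies the tag before treating the payload as an object pointer; an optimized path that trusts a type inferred earlier skips that check, so if a script has since stored a number where an object was expected, the number’s raw bits are read back as a pointer. That mismatch is the type confusion, and the tag check is exactly what prevents it. The tags, the 0x1000 “address” and the 2.0 sample are constructed for the example.

```python
import struct

# Type tags for the toy value representation (constructed for this example).
TAG_INT, TAG_DOUBLE, TAG_OBJECT = 0, 1, 2


class Value:
    """A boxed value: a type tag plus 8 raw bytes of payload (toy model)."""

    def __init__(self, tag, raw):
        assert len(raw) == 8
        self.tag = tag
        self.raw = raw


def box_int(n):
    return Value(TAG_INT, struct.pack("<q", n))


def box_double(d):
    return Value(TAG_DOUBLE, struct.pack("<d", d))


def box_object(address):
    # The payload of an object value is the address of its heap cell.
    # The address passed in here is a made-up number, never dereferenced.
    return Value(TAG_OBJECT, struct.pack("<Q", address))


def object_address_checked(v):
    """Slow path: verify the tag before interpreting the payload as a pointer."""
    if v.tag != TAG_OBJECT:
        raise TypeError("expected an object, got tag %d" % v.tag)
    return struct.unpack("<Q", v.raw)[0]


def object_address_unchecked(v):
    """Optimized path that trusts a type inferred earlier and skips the tag check.

    If that inference is stale, the raw bytes of whatever is actually stored
    (an integer or a double chosen by the script) come back as if they were a
    pointer. That is the type confusion the tag check exists to prevent.
    """
    return struct.unpack("<Q", v.raw)[0]


def demo():
    """Run both paths over the same mismatched value and report what each does."""
    # The script stored a double in a slot the optimizer assumed holds an object.
    stale = box_double(2.0)
    try:
        checked = object_address_checked(stale)
    except TypeError as err:
        checked = "rejected: %s" % err
    confused = object_address_unchecked(stale)   # the IEEE-754 bits of 2.0 read as an address
    return checked, confused


if __name__ == "__main__":
    checked, confused = demo()
    print("checked path:  ", checked)
    print("unchecked path: 0x%016x" % confused)
```

The checked path refuses the value; the unchecked path hands back 0x4000000000000000, the bit pattern of the double 2.0, as though it were the location of an object. In a real engine that bogus location is what the next memory access would use, which is why a missing check of this kind is treated as critical.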
Am I affected?
Any Firefox user without an up-to-date version is potentially at risk.
However, in the absence of more detailed information about how the flaw is being exploited, it is difficult to assess the actual risk to everyday users.
If the exploit requires that a victim be lured to a specific website, then this may be a case of a targeted attack affecting a relatively small group of people. Some of the cybersecurity press can be a bit sensationalistic at times, and so we want to temper our advice to update Firefox immediately with a degree of realism.
That said, though, we simply don’t know yet how widespread the issue is, and the flaw is indeed a serious one, even if it isn’t being widely abused at the moment.
In short, everyone should keep calm and update now.
How can I update?
You’ll need Firefox version 72.0.1 or, if you’re using the Extended Support Release for organizations, Firefox ESR 68.4.1.
If you haven’t configured automatic updates, you can update Firefox on a Mac by opening the app and going to About > Firefox, where you will see an option to update if you don’t have the latest version. The app will have to be restarted in order to complete the update. If you have any questions about the process or need any help, feel free to ask at Security@SecureMac.com.
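For readers who manage more than one Mac, here is an added helper (not from this article or from Mozilla) that reads the installed Firefox version from the app bundle’s Info.plist and decides whether it is at or above the fixed build named above, treating the 68.x line as ESR (fixed in 68.4.1) and every other line as the regular channel (fixed in 72.0.1). The default bundle path /Applications/Firefox.app is an assumption about a standard install; the embedded sample plist is constructed for the example.

```python
import plistlib
from pathlib import Path

# Fixed builds named in the advisory: regular channel and Extended Support Release.
FIXED_RELEASE = (72, 0, 1)
FIXED_ESR = (68, 4, 1)

# Default install location on macOS (assumption; adjust for managed installs).
DEFAULT_PLIST = Path("/Applications/Firefox.app/Contents/Info.plist")

# Constructed stand-in for an Info.plist, so the functions can be exercised offline.
SAMPLE_PLIST = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<plist version="1.0"><dict>'
    b"<key>CFBundleShortVersionString</key><string>68.4.1</string>"
    b"</dict></plist>"
)


def parse_version(text):
    """'72.0.1' -> (72, 0, 1); '68.4.1esr' -> (68, 4, 1); missing parts count as 0."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break          # stop at suffixes such as 'esr' or 'a1'
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_patched(version_text):
    """True if the version is at or above the fixed build for its channel.

    The 68.x line is ESR and is measured against 68.4.1; everything else is
    measured against 72.0.1, so pre-72 releases and older, unsupported ESR
    lines (for example 60.x) are reported as needing an update.
    """
    version = parse_version(version_text)
    fixed = FIXED_ESR if version[0] == 68 else FIXED_RELEASE
    return version >= fixed


def version_from_plist(data):
    """Extract CFBundleShortVersionString from the bytes of an Info.plist."""
    return plistlib.loads(data)["CFBundleShortVersionString"]


def check_installed(plist_path=DEFAULT_PLIST):
    """Return (version, patched) for the local install, or None if the bundle is absent."""
    plist_path = Path(plist_path)
    if not plist_path.is_file():
        return None
    version = version_from_plist(plist_path.read_bytes())
    return version, is_patched(version)


if __name__ == "__main__":
    result = check_installed()
    if result is None:
        print("Firefox.app not found at the default location")
    else:
        version, patched = result
        print("Firefox %s: %s" % (version, "fixed version installed" if patched else "UPDATE NEEDED"))
```

Run it on each machine (or fold check_installed into your inventory tooling) and act on any report of UPDATE NEEDED; a version string such as 72.0 compares below 72.0.1 and is correctly flagged.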