ALERT: Update Firefox to fix critical vulnerability

Wednesday, June 19, 2019

The information below was sent to U-M staff groups via email on June 19, 2019. It was intended for U-M IT staff who are responsible for university computers that run the Mozilla Firefox web browser.

Summary

A critical vulnerability in the Mozilla Firefox web browser could allow attackers to remotely execute arbitrary code. This vulnerability is being actively exploited in the wild. Update to the newest version of Firefox as soon as possible for protection against this vulnerability.

Problem

An attacker could exploit the flaw to take control of affected systems. To do so, the attacker would first need to get an unpatched Firefox to load maliciously crafted web content (for example, by luring the user to a malicious or compromised web page); that content could then execute arbitrary code on the user's system with the privileges of the browser.

Affected Versions

  • Versions of Firefox prior to 67.0.3. This is the regular release channel of Firefox, intended for individuals who manage their own personal computers. The first fixed version is 67.0.3.
  • Versions of Firefox Extended Support Release (ESR) prior to 60.7.1. Firefox ESR is meant for organizations that manage their client desktops; for example, MiWorkspace users will have Firefox ESR on their computers. The first fixed version is 60.7.1.
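Staff checking a fleet of machines against the two thresholds above need to compare version strings correctly (60.7.1 is fixed on the ESR channel even though it is numerically lower than the 67.0.3 fix on the regular channel). The script below is an added example for this advisory, not code from U-M or Mozilla. It assumes version strings look like the output of `firefox --version` ("Mozilla Firefox 67.0.2", "Mozilla Firefox 60.7.0esr") and uses the "esr" suffix to tell the channels apart; the inventory it checks is constructed sample data, not real hosts.

```python
"""Flag Firefox installs that predate the fixed releases named in the advisory.

Thresholds come from the advisory's Affected Versions list: 67.0.3 for the
regular release channel and 60.7.1 for the ESR channel. A version string is
assumed to look like the output of `firefox --version`, where ESR builds carry
an "esr" suffix (e.g. "Mozilla Firefox 60.7.0esr").
"""
import re

FIXED_RELEASE = (67, 0, 3)   # first fixed regular release per the advisory
FIXED_ESR = (60, 7, 1)       # first fixed ESR release per the advisory

# major.minor[.patch] followed by an optional alphabetic suffix such as "esr"
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?\s*([a-z]+)?", re.IGNORECASE)


def parse_version(text):
    """Return (channel, (major, minor, patch)) from a version string.

    channel is "esr" when the version carries an "esr" suffix and "release"
    otherwise. A missing patch number is treated as 0. Raises ValueError when
    no version number is present at all.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no Firefox version found in %r" % text)
    major, minor, patch, suffix = m.groups()
    numbers = (int(major), int(minor), int(patch or 0))
    channel = "esr" if suffix and suffix.lower() == "esr" else "release"
    return channel, numbers


def is_vulnerable(text):
    """True if the reported version is older than the fix for its channel."""
    channel, numbers = parse_version(text)
    fixed = FIXED_ESR if channel == "esr" else FIXED_RELEASE
    # Tuple comparison is component-wise, so "60.7.0" < "60.7.1" and
    # "67.0.2" < "67.0.3" without any string-comparison pitfalls.
    return numbers < fixed


# Constructed sample inventory (hostname -> `firefox --version` output);
# not real U-M data.
SAMPLE_INVENTORY = {
    "lab-01": "Mozilla Firefox 67.0.2",
    "lab-02": "Mozilla Firefox 67.0.3",
    "desk-07": "Mozilla Firefox 60.7.0esr",
    "desk-08": "Mozilla Firefox 60.7.1esr",
    "desk-09": "Mozilla Firefox 52.9.0esr",
}


def vulnerable_hosts(inventory):
    """Return the sorted hostnames whose Firefox still needs the update."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


if __name__ == "__main__":
    for host in vulnerable_hosts(SAMPLE_INVENTORY):
        print("%s: %s needs update" % (host, SAMPLE_INVENTORY[host]))
```

In practice the `SAMPLE_INVENTORY` dictionary would be replaced by the version strings your management tooling collects from each machine; the comparison logic stays the same. Note that a regular-channel build older than 67 (for example 66.x) is correctly flagged, since it is compared against 67.0.3, not against the ESR threshold.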

Action Items

If you are responsible for managing university computers running Firefox, update Firefox to the newest version to fix the vulnerability. See Information for Users below for details about updating your own computer(s).

Threats

Mozilla is aware of targeted attacks in the wild exploiting the vulnerability.

Technical Details

ZDNet quotes Mozilla engineers as saying: "A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash."

How We Protect U-M

  • Information Assurance (IA) monitors a number of sources for information about new vulnerabilities and threats and provides up-to-date information to the university community.
  • IA performs regular vulnerability scans of university networks to identify vulnerable devices and request remediation.
  • IA provides vulnerability management guidance to the university.

Information for Users

Use the latest version of Firefox:

  • University-managed machines. MiWorkspace staff plan to update MiWorkspace machines this week, after appropriate testing. Staff who manage other university machines are expected to apply the update as appropriate for their environments.
  • Personal machines. Firefox is set to update automatically (unless you have changed this setting yourself). You can update manually if you wish. See Update Firefox to the latest release.

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.

Questions, Concerns, Reports