SecureMac, Inc.

Why you should update Firefox right now, according to the U.S. Department of Homeland Security

January 11, 2020

The U.S. Department of Homeland Security has issued an alert about a “critical vulnerability” affecting Mozilla’s Firefox browser. The DHS has advised all Firefox users to update their browser software immediately.

In this short article, we’ll explain what the vulnerability is, help you parse the language used in the security advisory, tell you who is affected, and let you know how to get your updates and stay safe.

What is the vulnerability?

According to the Mozilla security advisory, the vulnerability was due to a flaw in the “IonMonkey JIT compiler”, which could “lead …

Why you should update Firefox right now, according to the U.S. Department of Homeland Security

The U.S. Department of Homeland Security has issued an alert about a “critical vulnerability” affecting Mozilla’s Firefox browser. The DHS has advised all Firefox users to update their browser software immediately.

In this short article, we’ll explain what the vulnerability is, help you parse the language used in the security advisory, tell you who is affected, and let you know how to get your updates and stay safe.

What is the vulnerability?

According to the Mozilla security advisory, the vulnerability was due to a flaw in the “IonMonkey JIT compiler”, which could “lead to a type confusion”. So what does that actually mean? We’ll break it down more fully in the next section, but the TL;DR version is that there was a bug in the part of Firefox that helps to render JavaScript in your browser, and that bug could allow an attacker to run malicious code on your computer. The full explanation requires knowing a bit about how browsers work “under the hood”, which is what we’ll get into below.

What does it mean?

Firefox, like other web browsers, is software for rendering web pages. In almost all cases, code for web pages will include HTML and CSS, which determine the appearance of the page, as well as JavaScript, a scripting language which allows for greater functionality and interactivity than HTML/CSS alone. Depending on the complexity of the web site and how well it was built, it can take a lot of work for the browser to show you what you’re supposed to be seeing — which can lead to slow or unresponsive web sites. In order to provide the best user experience possible, web browsers contain tools and features designed to optimize performance. One such tool is the “JIT compiler”, which stands for “Just-in-time compiler”. Firefox’s JIT compiler is named IonMonkey.

In general terms, a compiler is a computer program which creates a complete translation of code from one programming language to another, typically from a human-readable programming language (like JavaScript) into the kind of machine code instructions that your computer’s CPU actually reads and executes, before the code is executed. There are other programs, called interpreters, which do the same thing on a line-by-line basis as a program runs. Programmers write JavaScript code for their web pages, but computers need the help of a compiler or interpreter to translate that into instructions they can use.

Compilers are great, because they can create optimized versions of code that computers can then read and execute very quickly. But they can also be slow in the beginning, because they need to do an initial translation of an entire chunk of human-readable code into a computer-readable format, which takes time. Interpreters, by contrast, are very fast — but they’re also highly inefficient over time, since they have to translate a piece of code each and every time it’s used, even if they’ve already done the same translation before. 

A “just-in-time” compiler tries to strike a balance between the speed of an interpreter and the efficiency of a traditional compiler. It looks for pieces of JavaScript on a webpage that seem to be used frequently, and when it notices one, it uses its compiler function to create and store an optimized translation for future use. Everything else is just run through an interpreter. The net result is the fastest possible rendering of JavaScript on a page.

This brings us to the issue of “type confusion”. We won’t go into a ton of detail here, since it would take us into the nitty-gritty of how computer memory actually works (and how hackers take advantage of this). But it’s enough to say that certain kinds of programming languages — like the ones used to create programs such as compilers — require programmers to carefully specify the reference and storage of data in computer memory. If they’re not careful, there can be bugs which leave an area of computer memory open and allow an attacker to insert malicious code there — which the computer may take for legitimate code and execute. This can happen in a number of ways, and a “type confusion” is one of them. Type confusions occur when a computer is expecting one type of data and instead gets another, which can lead to crashes or, even worse, allow attackers to write data to memory locations that they shouldn’t have access to.

This seems to be what happened here, although the specifics are still unclear, since the discoverers of the vulnerability have yet to release details how exactly it is being exploited. One possibility, though, is that victims are being directed to malicious websites containing JavaScript code designed to take advantage of the bug when run through the JIT. What is certain is that Mozilla has seen examples of the vulnerability being exploited “in the wild”, meaning that someone is actively attacking targets in the real world, and that the exploit is much more than a theoretical “proof-of-concept” developed by a security researcher.

Am I affected?

Any Firefox user without an up-to-date version is potentially at risk. 

However, in the absence of more detailed information about how the flaw is being exploited, it is difficult to assess the actual risk to everyday users. 

If the exploit requires that a victim be lured to a specific website, then this may be a case of a targeted attack affecting a relatively small group of people. Some of the cybersecurity press can be a bit sensationalistic at times, and so we want to temper our advice to update Firefox immediately with a degree of realism. 

That said, though, we simply don’t know yet how widespread the issue is, and the flaw is indeed a serious one, even if it isn’t being widely abused at the moment. 

In short, everyone should keep calm and update now.

How can I update?

You’ll need Firefox version 72.0.1 or, if you’re using the Extended Support Version for organizations, Firefox ESR 68.4.1. 

If you haven’t configured automatic updates, you can update Firefox on a Mac by opening the app and going to About > Firefox, where you will see an option to update if you don’t have the latest version. The app will have to be restarted in order to complete the update. If you have any questions about the process or need any help, feel free to ask at Security@SecureMac.com.

Get the latest security news and deals