Department of Homeland Security Urges Firefox And Thunderbird Users To Upgrade
The American Department of Homeland Security has issued a National Cyber Awareness System alert urging users to upgrade to the latest versions of Firefox, Firefox ESR and Thunderbird because of a vulnerability that is being actively exploited in the wild.
We wrote that the Firefox 72.0.1 release fixed an actively exploited security hole a few days ago. Mozilla noted that they are "aware of targeted attacks in the wild abusing this flaw". It appears that these "targeted attacks" got the attention of the American Homeland Security Department, which issued this statement:
"Mozilla has released security updates to address a vulnerability in Firefox, Firefox ESR, and Thunderbird. An attacker could exploit this vulnerability to take control of an affected system. This vulnerability was detected in exploits in the wild.
Thunderbird, which shares some of Firefox's code, is also affected. Thunderbird users should absolutely make sure they are using 68.4.1, which fixes the IonMonkey JIT vulnerability and several others. Targeting someone with a carefully crafted e-mail is easy if you know their e-mail address.
The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Mozilla Security Advisories for Firefox 72.0.1 and Firefox ESR 68.4.1 and Thunderbird 68.4.1 and apply the necessary updates."
Warnings about software vulnerabilities from the American Homeland Security Department are rare. There have been several security vulnerabilities listed in Firefox's changelog every release for a decade without a warning or notice from Homeland Security. The fact that it issued a warning this time is therefore noteworthy. It is also interesting to note that Firefox bug 1607443 remains restricted days after the fix for that security bug was released.
Firefox 72 has some new features like a picture-in-picture video mode and enhanced tracking protection. If those do not motivate you to upgrade then perhaps the Homeland Security warning will.
Major distributions like Arch, Manjaro Linux and Fedora have already made Firefox 72.0.1 available in their repositories. Upgrading your distribution's packages so you get the latest Firefox and Thunderbird versions is probably a good idea.