
Firefox gets patch for critical zeroday that’s being actively exploited - nnx
https://arstechnica.com/information-technology/2020/01/firefox-gets-patch-for-critical-zeroday-thats-being-actively-exploited/
======
shawnz
Previous discussion:
[https://news.ycombinator.com/item?id=21995055](https://news.ycombinator.com/item?id=21995055)

Particularly interesting is this tweet which suggests there might be an
accompanying unpatched vulnerability in IE:
[https://twitter.com/campuscodi/status/1215020566656299011](https://twitter.com/campuscodi/status/1215020566656299011)

------
rvz
> The patch came a day after version 72 fixed 11 other vulnerabilities, six of
> which were rated high.

Oh dear. We also had a previous zero-day fixed around 7 months ago. But again,
there are more critical bugs vs moderate ones here. It goes to show the sheer
complexity of developing open-source browsers.

The problem is starting to look far more complicated than just swapping in
languages, since there is a lot to think about in a browser.

------
kijin
A few hours ago, Firefox interrupted me in the middle of a busy browsing
session and urged me to update. That was unusual. Most of the time Firefox
updates quietly when I restart the browser, but people these days don't
restart their browsers as often as they did before. I often go several days
without restarting. I guess the vulnerability was urgent enough to warrant a
mid-day interruption this time.

~~~
Zekio
As far as I can tell, the only time Firefox urges you to update is for security
updates and if you are more than a version behind stable.

~~~
jand
I can confirm the surprising update notification, telling me to upgrade
developer edition from 72.0b11 (64-bit) to 73.0b2.

And FF tells me it cannot update automatically; I would have to download the
new version.

------
joshjannick
While a zero day is interesting news, I think a more interesting point is that
the bug was reported by Qihoo 360. The company has a bit of a storied history
when it comes to security:
[https://en.m.wikipedia.org/wiki/Qihoo_360](https://en.m.wikipedia.org/wiki/Qihoo_360)

~~~
pro_zac
"In 2012, a whistleblower reported a hidden backdoor in 360 Secure Browser."

"In January 2020, a Reddit user reported Qihoo's presence in Samsung mobile
phones as a pre-installed storage cleaner in the device settings, from where
it sends data packages to Chinese servers."

Definitely not a company one would expect to report vulnerabilities. Also odd
that they would find Firefox issues given their browser uses IE and Chrome
renderers.

~~~
acqq
Why should anybody find reporting a zero day suspicious? Independently of the
history of the older business practices of the reporter, it can't be anything
other than a positive act.

------
nfoz
Does anyone know what version introduced the problem?

~~~
mirages
Seems to be fixed by this commit

[https://hg.mozilla.org/releases/mozilla-release/rev/8a2adb09...](https://hg.mozilla.org/releases/mozilla-release/rev/8a2adb09dd1028af83524adea36c5b2797a1c1bd)

Date introduced seems to be Thu, 02 Feb 2012 13:41:58 +0100 (2012-02-02), but I
may be wrong.

~~~
nfoz
Wow thanks!

Good grief that's a long time.

------
jokoon
No details on the exploit...

Generally those exploits only work in particular scenarios...

------
angrygoat
Mozilla advisory is here: [https://www.mozilla.org/en-US/security/advisories/mfsa2020-0...](https://www.mozilla.org/en-US/security/advisories/mfsa2020-03/)

A little frustrating that they don't list a fixed version for Firefox
Developer Edition: 73.0b2 just came out so I guess hopefully it's okay?

~~~
bugmen0t
Yes. This is fixed in all branches. Developer Edition is Firefox beta with a
different skin. The commits at [https://hg.mozilla.org/releases/mozilla-beta/](https://hg.mozilla.org/releases/mozilla-beta/)
will show you that 73.0b2 has the same commit as mentioned elsewhere in the thread.

~~~
angrygoat
Thanks :)

