Security: Firefox 72.0.1, Year of Encryption and Kernel Runtime Security Instrumentation (KRSI)

Filed under
Security
  • Firefox 72.0.1 released

    There is another Firefox release out there; this advisory suggests that updating quickly would be a good idea: "Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion. We are aware of targeted attacks in the wild abusing this flaw."

  • Critical Firefox 0-Day Under Active Attacks – Update Your Browser Now!

    Attention! Are you using Firefox as your web browsing software on your Windows, Linux, or Mac systems?

    If yes, you should immediately update your free and open-source Firefox web browser to the latest version available on Mozilla's website.

    Why the urgency? Mozilla earlier today released Firefox 72.0.1 and Firefox ESR 68.4.1 versions to patch a critical zero-day vulnerability in its browsing software that an undisclosed group of hackers is actively exploiting in the wild.

    Tracked as 'CVE-2019-17026,' the bug is a critical 'type confusion vulnerability' that resides in the IonMonkey just-in-time (JIT) compiler of Mozilla's JavaScript engine, SpiderMonkey.

  • The year of encryption is upon us

    1969 will forever be known as the year humans walked on the moon. Gary Ross Dahl rocked the world again in 1975 with the introduction of the Pet Rock. And MTV celebrated the moon landing and popular culture – and changed the music world – when it launched in 1981.

    The world remembers 1989 as the year the Berlin Wall fell, opening the door to a unified Germany. It’s hard to forget 2008, the year the financial crisis hit. And 2015 was the year of the millennial, when this group surpassed baby boomers as the biggest U.S. generation.

    Each year has its defining moments and trends. And 2020 will be the Year of Encryption.

    Here’s why: Encryption is a key technology in protecting sensitive information such as social security numbers, government IDs and financial data. It is also an important part of personal data privacy – a key consumer and compliance concern. Given the importance of encryption, it is also a subject of debate at the U.S. state and federal level and elsewhere in the world.

  • KRSI — the other BPF security module

    One of the first uses of the BPF virtual machine outside of networking was to implement access-control policies for the seccomp() system call. Since then, though, the role of BPF in the security area has not changed much in the mainline kernel, even though BPF has evolved considerably from the "classic" variant still used with seccomp() to the "extended" BPF now supported by the kernel. That has not been for a lack of trying, though. The out-of-tree Landlock security module was covered here over three years ago. We also looked at the kernel runtime security instrumentation (KRSI) patch set in September. KP Singh has posted a new KRSI series, so the time seems right for a closer look.

    While KRSI is implemented as a Linux security module and is able to make access-control decisions, access control does not appear to be the core goal behind this work. Instead, KRSI exists to keep an eye on system behavior overall in order to detect attacks. It is, in a sense, better thought of as an extension of the kernel's audit mechanism that uses BPF to provide a higher level of configurability beyond what the audit subsystem can do.

    The concept behind KRSI is simple enough: it allows a suitably privileged user to attach a BPF program to any of the hundreds of hooks provided by the Linux security module subsystem. To make this attachment easy, KRSI exports a new filesystem hierarchy under /sys/kernel/security/bpf, with one file for each hook. The bpf() system call can be used to attach a BPF program (of the new type BPF_PROG_TYPE_LSM) to any of these hooks; there can be more than one program attached to any given hook. Whenever a security hook is called, all attached BPF programs will be called in turn; if any BPF program returns an error status, then the requested action will be denied.
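    The dispatch rule described above (one file per hook, several programs attachable to a hook, every attached program called in turn, any error denying the action) is easier to see in a small model. The following C program is an added example written for this page, not code from the KRSI series or the kernel: it replaces the bpf() system call and real BPF bytecode with plain function pointers in user space, and the hook names, the sample programs, the paths and uids are constructed. It also shows the two roles the article contrasts: an audit-style program that only observes events, and access-control programs that deny them.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical user-space model of KRSI hook dispatch (constructed for this
 * example; not the kernel's bpf() API and not real BPF bytecode). Each "hook"
 * stands for one file under /sys/kernel/security/bpf/, each "program" for a
 * BPF_PROG_TYPE_LSM program attached to it. */

#define MAX_PROGS 8

struct hook_ctx {
    const char *path;  /* object the hooked operation touches */
    int uid;           /* uid of the calling task */
};

typedef int (*lsm_prog_t)(const struct hook_ctx *ctx);

struct lsm_hook {
    const char *name;
    lsm_prog_t progs[MAX_PROGS];
    int nprogs;
};

/* Two of the hundreds of LSM hooks, under their real hook names. */
static struct lsm_hook hooks[] = {
    { "file_open", { 0 }, 0 },
    { "bprm_check_security", { 0 }, 0 },
};

static struct lsm_hook *find_hook(const char *name)
{
    for (size_t i = 0; i < sizeof hooks / sizeof hooks[0]; i++)
        if (strcmp(hooks[i].name, name) == 0)
            return &hooks[i];
    return NULL;
}

/* Model of attaching a program to a hook; more than one may be attached. */
int attach_prog(const char *hook_name, lsm_prog_t prog)
{
    struct lsm_hook *h = find_hook(hook_name);
    if (!h)
        return -ENOENT;
    if (h->nprogs == MAX_PROGS)
        return -ENOSPC;
    h->progs[h->nprogs++] = prog;
    return 0;
}

/* Model of the hook firing: every attached program runs in turn and the first
 * error becomes the result, so any single program can deny the action.
 * Continuing past an error (so audit-only programs still see the event) is an
 * assumption of this model, not something the article states. */
int run_hook(const char *hook_name, const struct hook_ctx *ctx)
{
    struct lsm_hook *h = find_hook(hook_name);
    if (!h)
        return -ENOENT;
    int ret = 0;
    for (int i = 0; i < h->nprogs; i++) {
        int r = h->progs[i](ctx);
        if (r < 0 && ret == 0)
            ret = r;
    }
    return ret;
}

/* --- sample programs playing the role of BPF_PROG_TYPE_LSM programs --- */

static int audit_events; /* file_open events seen by the audit program */

/* Audit-style program: records every event, never denies anything. */
static int audit_file_open(const struct hook_ctx *ctx)
{
    (void)ctx;
    audit_events++;
    return 0;
}

int audit_event_count(void) { return audit_events; }

/* Access-control program: non-root may not open /etc/shadow. */
static int deny_shadow_nonroot(const struct hook_ctx *ctx)
{
    if (ctx->uid != 0 && strcmp(ctx->path, "/etc/shadow") == 0)
        return -EACCES;
    return 0;
}

/* Access-control program: nothing under /tmp may be executed. */
static int deny_exec_from_tmp(const struct hook_ctx *ctx)
{
    if (strncmp(ctx->path, "/tmp/", 5) == 0)
        return -EPERM;
    return 0;
}

/* Attach the three programs; returns 0 or the first attach error. */
int demo_setup(void)
{
    int r;
    if ((r = attach_prog("file_open", audit_file_open)) < 0) return r;
    if ((r = attach_prog("file_open", deny_shadow_nonroot)) < 0) return r;
    return attach_prog("bprm_check_security", deny_exec_from_tmp);
}

int main(void)
{
    struct hook_ctx open_passwd = { "/etc/passwd", 1000 };
    struct hook_ctx open_shadow = { "/etc/shadow", 1000 };
    struct hook_ctx exec_tmp = { "/tmp/untrusted", 1000 };

    if (demo_setup() < 0)
        return 1;
    printf("open /etc/passwd as uid 1000: %d\n", run_hook("file_open", &open_passwd));
    printf("open /etc/shadow as uid 1000: %d\n", run_hook("file_open", &open_shadow));
    printf("exec /tmp/untrusted: %d\n", run_hook("bprm_check_security", &exec_tmp));
    printf("file_open events audited: %d\n", audit_event_count());
    return 0;
}
```

    The point of the model is the return-value contract: the audit program contributes nothing to the decision and only counts, while the denying programs turn the whole hook into an error the moment one of them objects, which is exactly why the article treats KRSI as audit first and access control second.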

  • The U.S. government says you need to update Firefox right now

    If you use the Mozilla Firefox web browser, the government recommends that you update the browser because of a zero-day vulnerability that could enable hackers to take control of your computer.

    The United States Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) is encouraging those with the Firefox browser to update to versions 72.0.1 and ESR 68.4.1.

    “Mozilla has released security updates to address a vulnerability in Firefox and Firefox ESR. An attacker could exploit this vulnerability to take control of an affected system. This vulnerability was detected in exploits in the wild,” CISA’s statement published on Wednesday reads.

  • Firefox gets patch for critical 0-day that’s being actively exploited

    Mozilla has released a new version of Firefox that fixes an actively exploited zero-day that could allow attackers to take control of users' computers.

    In an advisory, Mozilla rated the vulnerability critical and said it was "aware of targeted attacks in the wild abusing this flaw." The US Cybersecurity and Infrastructure Security Agency said one or more exploits were "detected in the wild" and warned that attacks could be exploited to "take control of an affected system." The Mozilla advisory credited researchers at China-based Qihoo 360 with reporting the flaw.

    No other details about the attacks were immediately available. Neither Mozilla nor Qihoo 360 responded to emails asking for more information.

    CVE-2019-17026, as the vulnerability is indexed, is a type confusion, a potentially critical error that can result in data being written to, or read from, memory locations that are normally off-limits. These out-of-bounds reads may allow attackers to discover memory locations where malicious code is stored so that protections such as address space layout randomization can be bypassed. Out-of-bounds reads can also cause crashes.

  • This Firefox vulnerability is so bad, the U.S. government is urging users to patch it immediately

    The good news is that it’s already been patched. The bad news is that it’s already being exploited in the wild. And it’s about as bad as it can get. In technical terms, as Mozilla explains, “Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion.” That means that an attacker could exploit the JavaScript code to surreptitiously hack a user’s PC and install malicious code outside of Firefox. Mozilla says it is “aware of targeted attacks in the wild abusing this flaw,” but doesn’t give any information about how widespread the attacks are.

  • US government urges everyone to update Mozilla Firefox to v72.0.1 because of an active exploit that allows remote code execution

    The US government’s Department of Homeland Security is urging all Firefox users to update to v72.0.1 as soon as possible. Earlier this week, a zero-day vulnerability was found in the then most current version of Mozilla's Firefox browser which allows hackers to take over your computer. What’s more, this 0day was found to have already been used in the wild by security researchers from a Chinese firm, Qihoo 360. Remote code execution is the holy grail of zero-day vulnerabilities, and the fact that one of the most popular privacy- and security-focused browsers in the world had such a flaw should be a massive wake-up call to internet browser users around the world.
