Mozilla has released a security update for two serious vulnerabilities in Firefox that were actively exploited before the update was available. In the worst case, an attacker could gain full control of the system through the two zero-day vulnerabilities.
Just visiting a malicious or compromised website is enough. No further user interaction is required. The zero-day vulnerabilities were reported to Mozilla by JMP Security and researcher Francisco Alonso. Mozilla speaks of “targeted attacks”, but has given no further details about the attacks.
Alonso reports via Twitter that more details will appear later, including other browsers. Firefox users are advised to update directly to Firefox 74.0.1 or Firefox ESR 68.6.1. This can be done via the automatic update function or Mozilla.org. Firefox users were also the target of a zero-day attack in January.