CVE-2019-17017
📋 TL;DR
A type confusion vulnerability in Firefox and Firefox ESR could allow attackers to execute arbitrary code by exploiting missing case handling for object types. This affects Firefox versions below 72 and Firefox ESR versions below 68.4, potentially enabling remote code execution when users visit malicious websites.
💻 Affected Systems
- Mozilla Firefox
- Mozilla Firefox ESR
📦 What is this software?
Firefox by Mozilla
Firefox ESR by Mozilla
Ubuntu Linux by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with the same privileges as the Firefox process, potentially leading to full system compromise.
Likely Case
Browser crash (denial of service) or limited code execution within browser sandbox.
If Mitigated
No impact if patched versions are deployed or if vulnerable browsers are isolated from untrusted content.
🎯 Exploit Status
While no public PoC exists, Mozilla presumes exploitation is possible with sufficient effort. Type confusion vulnerabilities are commonly weaponized in browser attacks.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Firefox 72.0, Firefox ESR 68.4
Vendor Advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2020-02/
Restart Required: Yes
Instructions:
1. Open Firefox/Firefox ESR.
2. Click menu → Help → About Firefox.
3. The browser will check for updates and prompt to install.
4. Restart the browser when prompted.
For enterprise deployments, use Mozilla's enterprise deployment tools.
🔧 Temporary Workarounds
Disable JavaScript
Prevents exploitation by disabling JavaScript execution, which is required for most browser-based attacks.
about:config → Set javascript.enabled to false
Use Content Security Policy
Implement CSP headers to restrict script execution from untrusted sources.
Add the header `Content-Security-Policy: script-src 'self'` to web server responses
🧯 If You Can't Patch
- Isolate vulnerable browsers using application whitelisting or network segmentation
- Implement strict web filtering to block access to untrusted or malicious websites
🔍 How to Verify
Check if Vulnerable:
Check the browser version in the About Firefox/Help menu. If the version is below 72 on the release channel, or below 68.4 on the ESR channel, the browser is vulnerable.
Check Version:
firefox --version (Linux), or check About Firefox menu
Verify Fix Applied:
Verify browser version is Firefox 72.0 or higher, or Firefox ESR 68.4 or higher.
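The version check above as a script, added here as an example rather than a Mozilla-provided tool: it parses the output of `firefox --version`, distinguishes the ESR channel by its `esr` suffix, and compares numerically against the fixed versions from the advisory (the `firefox` binary name on PATH is an assumption).

```python
import re
import subprocess
from typing import Optional, Tuple

# Fixed versions from MFSA 2020-02: Firefox 72.0 (release) and Firefox ESR 68.4.
FIXED_RELEASE = (72, 0, 0)
FIXED_ESR = (68, 4, 0)

# Matches "72.0", "71.0.1", "68.3.0esr"; the optional trailing letters flag ESR builds.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?([a-z]+)?")


def parse_version(output: str) -> Optional[Tuple[Tuple[int, int, int], bool]]:
    """Parse the line printed by `firefox --version`, e.g. 'Mozilla Firefox 68.3.0esr'.

    Returns ((major, minor, patch), is_esr), or None if no version is present.
    """
    m = _VERSION_RE.search(output)
    if not m:
        return None
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3)) if m.group(3) else 0
    is_esr = (m.group(4) or "").lower() == "esr"
    return (major, minor, patch), is_esr


def is_vulnerable(output: str) -> bool:
    """True if the reported version is below the fix for its channel."""
    parsed = parse_version(output)
    if parsed is None:
        raise ValueError(f"could not parse a Firefox version from {output!r}")
    version, is_esr = parsed
    fixed = FIXED_ESR if is_esr else FIXED_RELEASE
    # Tuple comparison is numeric per component, so a string compare such as
    # version < "72" (which would call 100.0 vulnerable) is avoided.
    return version < fixed


def check_installed(binary: str = "firefox") -> bool:
    """Run the installed binary (assumed to be on PATH) and report if it is affected."""
    out = subprocess.run([binary, "--version"], capture_output=True,
                         text=True, check=True).stdout
    return is_vulnerable(out)


if __name__ == "__main__":
    try:
        print("vulnerable" if check_installed() else "patched")
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        print(f"could not query firefox: {exc}")
```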
📡 Detection & Monitoring
Log Indicators:
- Browser crash reports with suspicious memory access patterns
- Unexpected child process spawning from Firefox
Network Indicators:
- Unusual outbound connections from browser process
- Traffic to known exploit hosting domains
SIEM Query:
process_name="firefox.exe" AND (event_id=1000 OR event_id=1001) | where version < "72"
🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00029.html
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00043.html
- http://packetstormsecurity.com/files/155912/Slackware-Security-Advisory-mozilla-thunderbird-Updates.html
- https://access.redhat.com/errata/RHSA-2020:0085
- https://access.redhat.com/errata/RHSA-2020:0086
- https://access.redhat.com/errata/RHSA-2020:0111
- https://access.redhat.com/errata/RHSA-2020:0120
- https://access.redhat.com/errata/RHSA-2020:0123
- https://access.redhat.com/errata/RHSA-2020:0127
- https://access.redhat.com/errata/RHSA-2020:0292
- https://access.redhat.com/errata/RHSA-2020:0295
- https://bugzilla.mozilla.org/show_bug.cgi?id=1603055
- https://lists.debian.org/debian-lts-announce/2020/01/msg00005.html
- https://lists.debian.org/debian-lts-announce/2020/01/msg00016.html
- https://seclists.org/bugtraq/2020/Jan/12
- https://seclists.org/bugtraq/2020/Jan/18
- https://seclists.org/bugtraq/2020/Jan/26
- https://security.gentoo.org/glsa/202003-02
- https://usn.ubuntu.com/4234-1/
- https://usn.ubuntu.com/4241-1/
- https://usn.ubuntu.com/4335-1/
- https://www.debian.org/security/2020/dsa-4600
- https://www.debian.org/security/2020/dsa-4603
- https://www.mozilla.org/security/advisories/mfsa2020-01/
- https://www.mozilla.org/security/advisories/mfsa2020-02/