Background
On Nov. 30, a new zero-day vulnerability was identified affecting Mozilla Firefox versions 50.1 and lower. External security groups report that this vulnerability is actively being exploited in the wild.
Impact
Exploitation through a vulnerable browser can give an attacker direct remote access to your computer and/or allow arbitrary code execution.
Please see UISO Recommendations and Workarounds below for further steps that must be taken.
Platforms Affected
- Mozilla Firefox, version(s) prior to 50.0.2
- Mozilla Firefox ESR version(s) prior to 45.5.1
- Mozilla Thunderbird version(s) prior to 45.5.1
Local Observations
Using network sensors, the University Information Security Office monitors the IU network for devices being exploited via this vulnerability. The UISO hasn't seen evidence of active exploitation for this vulnerability at IU at this time. Successful compromise of a device may result in the device being blocked from the network.
Mozilla has published browser updates to patch this critical vulnerability. Firefox is usually configured to update itself automatically; however, you can also install this update manually.
UISO Recommendations
- Regularly check for, update and remove old versions of Firefox.
- You can verify your software is up to date by installing Secunia Personal Software Inspector on hosts running the Windows operating system and patching any of the vulnerable software it finds.
- Enable Firefox's automatic update feature.
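For administrators checking many hosts, the following added example (not UISO or Mozilla code) compares inventoried versions against the fixed versions in the Platforms Affected list. The `host,product,channel,version` inventory format, the channel labels and the host names are assumptions of this example.

```python
import re

# Fixed versions taken from the "Platforms Affected" list in this advisory.
# Keys are (product, channel); the channel labels are an assumption of this example.
FIXED = {
    ("firefox", "release"): (50, 0, 2),
    ("firefox", "esr"): (45, 5, 1),
    ("thunderbird", "release"): (45, 5, 1),
}

def parse_version(text):
    """Turn '50.0.2' or '45.5.1esr' into a 3-tuple of ints; None if unparseable."""
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:esr)?", text.strip().lower())
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())

def status(product, channel, version):
    """Return 'vulnerable', 'patched' or 'unknown' for one installed copy."""
    fixed = FIXED.get((product.lower(), channel.lower()))
    parsed = parse_version(version)
    if fixed is None or parsed is None:
        return "unknown"  # never treat an unreadable entry as patched
    return "vulnerable" if parsed < fixed else "patched"

def triage(lines):
    """Map each 'host,product,channel,version' line to (host, status)."""
    results = []
    for line in lines:
        host, product, channel, version = (f.strip() for f in line.split(","))
        results.append((host, status(product, channel, version)))
    return results

# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE = [
    "lab-01,Firefox,release,50.0.1",
    "lab-02,Firefox,release,50.0.2",
    "lab-03,Firefox,esr,45.5.0esr",
    "lab-04,Firefox,esr,45.5.1esr",
    "lab-05,Thunderbird,release,45.5",
    "lab-06,Firefox,release,50.0b7",
]

if __name__ == "__main__":
    for host, result in triage(SAMPLE):
        print(f"{host}: {result}")
```

Entries reported as `unknown` (an unrecognized product, channel or version string) should be checked by hand rather than assumed patched.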
Workarounds
The UISO recommends that you use an alternate browser if you are unable to update Firefox.