23 March 19, 14:40
Quote:Mozilla released the first point release to its latest Firefox 66 web browser to address two critical security vulnerabilities exposed during the Pwn2Own hacking contest event.
Firefox 66.0.1 is now available, just a few days after the release of Firefox 66.0 earlier this week, to patch CVE-2019-9810 and CVE-2019-9813, two security vulnerabilities reported by Richard Zhu, Amat Cama, and Niklas Baumstark via Trend Micro's Zero Day Initiative.
According to the security advisory published by Mozilla on March 22nd, CVE-2019-9810 describes a buffer overflow issue and missing bounds check flaw in the Firefox 66.0 release due to incorrect alias information in the IonMonkey JIT compiler for the Array.prototype.slice method.
On the other hand, CVE-2019-9813 describes a "type confusion" issue in the IonMonkey JIT code affecting the Firefox 66.0 release that may let attackers read and write arbitrary memory, which was possible due to incorrect handling of __proto__ mutations.
SOURCE: https://news.softpedia.com/news/mozilla-...5408.shtml