Patch Firefox right now to fix this zero-day security flaw


If you use Mozilla Firefox, stop what you're doing and check to make sure your version of the popular web browser is 72.0.1, or 68.4.1 if you're using the extended support release (ESR) build.

That's because just a couple of days after releasing Firefox 72 and Firefox ESR 68.4, Mozilla learned that Qihoo 360 researchers found a serious security flaw that, according to the U.S. Department of Homeland Security, could let an attacker "exploit this vulnerability to take control of an affected system."

That is indeed what is already happening, Mozilla said in its advisory posted yesterday (Jan. 8): "We are aware of targeted attacks in the wild abusing this flaw."

Mozilla isn't saying much else other than this is related to an error in the just-in-time JavaScript code compiler for Firefox. John E. Dunn over at Sophos' Naked Security blog has an informative deep dive about what that means.

It's also telling what Mozilla left out of this security advisory: any mention that this might be specific to one operating system. (Compare that to the two previous Mozilla security advisories, which both specified Windows.) Until we learn otherwise, we have to assume that this flaw affects Windows, macOS and Linux alike.

To check your version of Firefox, go to Help > About Firefox on Windows, or Firefox > About Firefox on a Mac. Many instances of Firefox update automatically when you launch them, so if you did so this morning, you may have version 72.0.1 or ESR 68.4.1 already.

If not, checking the version number gives you the opportunity to check for updates, or often just starts the update process on its own.
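For anyone checking more than one machine, the same comparison can be scripted. The following is an added example, not from Mozilla or the original article; it assumes `firefox --version` prints a line ending in the version number, with an `esr` suffix on ESR builds. The function names are hypothetical, and the sample strings are constructed.

```shell
#!/bin/sh
# Added example: classify `firefox --version` output against the fixed builds
# named in the article (72.0.1 for regular releases, 68.4.1 for ESR).

# version_ge A B: succeed when dotted numeric version A >= B.
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}                 # leading component of each
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        x=${x:-0} y=${y:-0}                   # missing component counts as 0
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# firefox_status "Mozilla Firefox 68.4.1esr" -> patched | outdated | unknown
# Assumption: the version is the last word and ESR builds end in "esr".
firefox_status() {
    ver=${1##* }
    case $ver in
        *esr) ver=${ver%esr}; fixed=68.4.1 ;;   # ESR line
        *)    fixed=72.0.1 ;;                    # regular release line
    esac
    # Betas, empty input and anything not plain digits-and-dots is not judged.
    case $ver in
        ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return 0 ;;
    esac
    if version_ge "$ver" "$fixed"; then echo patched; else echo outdated; fi
}

# Constructed sample strings. Note that 71.0 is numerically above 68.4.1 but
# is a regular release, so it is measured against 72.0.1 and reported outdated.
for s in "Mozilla Firefox 72.0.1" "Mozilla Firefox 71.0" \
         "Mozilla Firefox 68.4.1esr" "Mozilla Firefox 68.4.0esr"; do
    printf '%-28s %s\n' "$s" "$(firefox_status "$s")"
done
# Live use on a machine with Firefox on the PATH:
#   firefox_status "$(firefox --version)"
```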

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.