Mozilla just pushed out an update for its Firefox browser to patch a security hole that was already being exploited in the wild.

If you’re on the regular version of Firefox, you’re looking to upgrade from 74.0 to 74.0.1, and if you’re using the Extended Support Release (ESR), you should upgrade from ESR 68.6.0 to ESR 68.6.1.

The Tor Browser followed suit shortly afterwards [updated 2020-04-06T22:30Z], so if you’re a Tor user, you want to make sure you upgrade from 9.0.7 to 9.0.8. (See below for screenshots.)

Given that the bug needed patching in both the latest and the ESR versions, we can assume either that the vulnerability has been in the Firefox codebase at least since version 68 first appeared, which was back in July 2019, or that it was introduced as a side effect of a security fix that came out after version 68.0 showed up.

(If you have ESR version X.Y.0, you essentially remain on the feature set of Firefox X.0, but with all the security fixes that have come out up to and including Firefox (X+Y).0. That makes the ESR popular with IT departments who want to avoid frequent feature updates that might require changes in company workflow, but don’t want to lag behind on security patches.)
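To check a fleet against the fixed versions named above, and to apply the ESR numbering rule, here is a short audit script. It is an added example, not code from Mozilla or the Tor Project; the product keys, host names and inventory rows are constructed for illustration.

```python
import re

# Fixed versions named in the article, keyed by (assumed) product labels.
FIXED = {
    "firefox": (74, 0, 1),
    "firefox-esr": (68, 6, 1),
    "tor-browser": (9, 0, 8),
}

def parse_version(text):
    """Turn '74.0', '68.6.0esr' or '9.0.7' into a 3-part integer tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:esr)?", text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) if p else 0 for p in m.groups())

def esr_security_level(version):
    """ESR X.Y.z carries security fixes up to regular Firefox (X+Y).0."""
    major, minor, _ = parse_version(version)
    return major + minor

def needs_update(product, version):
    """True if the installed version is older than the fixed one."""
    return parse_version(version) < FIXED[product]

def audit(inventory):
    """Return the (host, product, version) rows that still need the patch."""
    return [row for row in inventory if needs_update(row[1], row[2])]

# Constructed sample inventory (not real hosts).
INVENTORY = [
    ("host-a", "firefox", "74.0"),
    ("host-b", "firefox", "74.0.1"),
    ("host-c", "firefox-esr", "68.6.0esr"),
    ("host-d", "firefox-esr", "68.6.1esr"),
    ("host-e", "tor-browser", "9.0.7"),
    ("host-f", "firefox", "73.0.1"),
]

if __name__ == "__main__":
    for host, product, version in audit(INVENTORY):
        fixed = ".".join(map(str, FIXED[product]))
        print(f"{host}: {product} {version} -> update to {fixed}")
    level = esr_security_level("68.6.0esr")
    print(f"ESR 68.6.0 has security fixes up to Firefox {level}.0")
```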

What we can’t tell you yet are any details about exactly how long ago the bug was found by the attackers, how they are exploiting it, what they’re doing with it, or who’s been attacked so far.