Mozilla plugs critical Firefox zero-day used in targeted attacks

A critical Firefox zero-day remote code execution vulnerability is being abused in targeted attacks in the wild, Mozilla warned on Tuesday.


About the vulnerability (CVE-2019-11707)

Mozilla did not share many details about the flaw – it simply stated that it is a type confusion vulnerability that can occur when manipulating JavaScript objects due to issues in Array.pop, and that it can trigger an exploitable crash.

The flaw can be exploited to achieve arbitrary code execution. Depending on the privileges associated with the user active at the time of the attack, an attacker could install programs, view, change, or delete data, or create new accounts with full user rights.

No details about the attacks have been released. Still, given that the credit for the discovery of CVE-2019-11707 goes to Coinbase Security and Samuel Groß of Google Project Zero, it seems likely that the flaw is being exploited by attackers to target cryptocoin owners.

Start patching!

The vulnerability has been patched in Firefox 67.0.3 and Firefox ESR 60.7.1 for Windows, macOS and Linux. Firefox users should restart their browser to prompt an update.

This is the first time since late 2016 that a Firefox zero-day has been exploited in the wild. That flaw was exploited to de-anonymize users of the Tor Browser, which is based on Firefox ESR, Mozilla’s Firefox offering used by organizations that prefer stability over having the latest improvements as soon as they are made available.

UPDATE (June 20, 2019, 3:03 a.m. PT):

The Tor Project has released Tor Browser 8.5.2 (for desktops), with a fix for CVE-2019-11707.

Android users will have to wait for the Android release until the weekend. “In the meantime, Android users should use the safer or safest security levels,” the developers advised.

UPDATE (June 20, 2019, 4:40 a.m. PT):

Coinbase CISO Philip Martin says that the Firefox zero-day was used (unsuccessfully) against Coinbase employees, in conjunction with a separate 0-day Firefox sandbox escape. He also says that Coinbase is “not the only crypto org targeted in this campaign.”

UPDATE (June 21, 2019, 5:00 a.m. PT):

Firefox users should upgrade again: Mozilla has fixed the 0-day Firefox sandbox escape (CVE-2019-11708) used in the Coinbase attack.
