
Firefox Users Urged to Patch Zero Day Following Attack

by Chris Brook on Thursday June 20, 2019


The zero day - which was actually two zero days chained together - was used in attacks against a popular cryptocurrency exchange on Monday.

Security experts and even the U.S. government are urging Firefox users to update their browser as soon as possible this week to address a vulnerability, currently being exploited in the wild, that could let an attacker take control of an affected system.

The bug, a type confusion vulnerability (CVE-2019-11707) in Array.pop, a method that's used to add or remove JavaScript objects in Firefox, could allow an exploitable crash, Mozilla warned Tuesday. Firefox 67.0.3 and Firefox ESR 60.7.1, released this week, resolve the vulnerability.
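The two fixed builds above are the thresholds an endpoint inventory check would compare an installed Firefox against. The following C routine is an added example, not Mozilla's or Digital Guardian's code: it parses a version string (the `Mozilla Firefox 67.0.3` style printed by `firefox --version` is assumed, but a bare `60.7.1esr` works too), treats 60.x as the ESR branch, and reports whether the build contains the fix.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>

/* Fixed releases named in Mozilla's advisory for CVE-2019-11707. */
#define FIXED_RELEASE_MAJOR 67
#define FIXED_RELEASE_MINOR 0
#define FIXED_RELEASE_PATCH 3
#define FIXED_ESR_MAJOR     60
#define FIXED_ESR_MINOR     7
#define FIXED_ESR_PATCH     1

typedef struct { int major, minor, patch; } Version;

/* Parse "67.0.3", "60.7.1esr", "68.0" or "Mozilla Firefox 67.0.3" into
 * numeric parts (missing parts are 0). Returns 0 on success, -1 if no
 * leading number could be found. */
static int parse_version(const char *s, Version *v) {
    char *end;
    v->major = v->minor = v->patch = 0;
    while (*s && !isdigit((unsigned char)*s)) s++;   /* skip "Mozilla Firefox " */
    v->major = (int)strtol(s, &end, 10);
    if (end == s) return -1;
    if (*end == '.') {
        s = end + 1;
        v->minor = (int)strtol(s, &end, 10);
        if (end == s) return -1;
    }
    if (*end == '.') {
        s = end + 1;
        v->patch = (int)strtol(s, &end, 10);
        if (end == s) return -1;
    }
    return 0;
}

/* Three-way compare of a parsed version against major.minor.patch. */
static int version_cmp(Version a, int maj, int min, int pat) {
    if (a.major != maj) return a.major < maj ? -1 : 1;
    if (a.minor != min) return a.minor < min ? -1 : 1;
    if (a.patch != pat) return a.patch < pat ? -1 : 1;
    return 0;
}

/* Returns 1 if the build contains the fix, 0 if it must be updated, and -1
 * if the string could not be parsed. Major 60 is judged against ESR 60.7.1;
 * every other major against 67.0.3, so 61-66 and anything older than 60
 * come back as unpatched and 68+ as patched. */
static int firefox_is_patched(const char *version_string) {
    Version v;
    if (parse_version(version_string, &v) != 0) return -1;
    if (v.major == FIXED_ESR_MAJOR)
        return version_cmp(v, FIXED_ESR_MAJOR, FIXED_ESR_MINOR, FIXED_ESR_PATCH) >= 0;
    return version_cmp(v, FIXED_RELEASE_MAJOR, FIXED_RELEASE_MINOR, FIXED_RELEASE_PATCH) >= 0;
}

int main(void) {
    /* Constructed sample inventory lines, not real hosts. */
    const char *samples[] = { "Mozilla Firefox 67.0.2", "67.0.3", "60.7.0esr",
                              "60.7.1esr", "66.0.5", "68.0", "unknown" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s -> %d\n", samples[i], firefox_is_patched(samples[i]));
    return 0;
}
```

Builds that report 1 are at or past the fixed release on their branch; 0 means update, and -1 means the agent could not read the version and should flag the host for manual review rather than assume it is safe.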

In a type confusion vulnerability, a function pointer or data of one type is passed to code that expects another type and cannot verify the type of the object it's handed, so the bits of one kind of object end up being interpreted as another.
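The bug class is easiest to see in a toy model. The C below is an added example and is not SpiderMonkey code, nor a reproduction of CVE-2019-11707: it models a tagged value and an array with a pop operation (both constructed here), then shows a consumer that reads the popped payload without checking the tag beside one that checks the tag first and reports a mismatch instead of reinterpreting the bits.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed toy model of a dynamically typed value (hypothetical, not the
 * engine's real representation). The tag says which union member is live. */
typedef enum { TAG_INT = 1, TAG_STRING = 2 } ValueTag;

typedef struct {
    ValueTag tag;
    union {
        int64_t     i;
        const char *s;
    } u;
} Value;

typedef struct {
    Value *items;
    size_t len;
} ValueArray;

/* Pop the last element. Returns 0 on success, -1 if the array is empty.
 * The popped value carries its tag; honouring it is the caller's job. */
static int value_array_pop(ValueArray *a, Value *out) {
    if (a->len == 0) return -1;
    *out = a->items[--a->len];
    return 0;
}

/* Vulnerable consumer: assumes the popped element is an integer and reads
 * the union without looking at the tag. If a string was on top, the
 * pointer's bits come back as if they were an integer: a type confusion. */
static int64_t pop_as_int_unchecked(ValueArray *a) {
    Value v;
    if (value_array_pop(a, &v) != 0) return 0;
    return v.u.i;
}

/* Hardened consumer: verify the tag before touching the payload.
 * Returns 0 on success, -1 if empty, -2 if the element is not an integer. */
static int pop_as_int_checked(ValueArray *a, int64_t *out) {
    Value v;
    if (value_array_pop(a, &v) != 0) return -1;
    if (v.tag != TAG_INT) return -2;
    *out = v.u.i;
    return 0;
}

/* Drive one scenario on a constructed array [41, "hello"] (string on top).
 * Returns the rc of the checked pop on the string element; stores the
 * integer recovered by the next checked pop in *recovered and the value the
 * unchecked reader produces for the string element in *confused_bits. */
static int scenario(int64_t *recovered, int64_t *confused_bits) {
    Value items[] = {
        { .tag = TAG_INT,    .u.i = 41 },
        { .tag = TAG_STRING, .u.s = "hello" },
    };
    ValueArray a = { items, 2 };
    int rc = pop_as_int_checked(&a, recovered);   /* string on top: rejected */
    pop_as_int_checked(&a, recovered);            /* now the integer: 41 */

    ValueArray b = { items, 2 };                  /* same contents, fresh length */
    *confused_bits = pop_as_int_unchecked(&b);    /* pointer bits read as int */
    return rc;
}

int main(void) {
    int64_t recovered = 0, bits = 0;
    int rc = scenario(&recovered, &bits);
    printf("checked pop on string element: rc=%d (mismatch reported)\n", rc);
    printf("checked pop on integer element: %lld\n", (long long)recovered);
    printf("unchecked pop on string element: %lld (not a real integer)\n",
           (long long)bits);
    return 0;
}
```

The unchecked reader never crashes in this toy, which is the point: the wrong value flows silently into whatever arithmetic or indexing comes next, and in a real engine that is where memory safety is lost. The checked reader turns the same situation into an error the caller must handle.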

Samuel Groß, a researcher at Google's Project Zero who has been a mainstay of Pwn2Own, the annual hacking competition, for the last several years, discovered the bug on April 15.

Groß said Wednesday on Twitter that the bug can be exploited for remote code execution but that an attacker would need a separate sandbox escape to do so.

It sounds as if that's exactly what happened earlier this week, nearly two months after Groß first reported the bug to Mozilla, when an attacker tried to exploit the vulnerability against employees at the cryptocurrency exchange Coinbase.

Philip Martin, Coinbase's Chief Information Security Officer, walked through the attack on Twitter Wednesday night, explaining that the company detected and blocked an attempt on Monday by an attacker using the type confusion vulnerability (CVE-2019-11707) in tandem with a separate zero day Firefox sandbox escape to target employees.

Mozilla addressed the second zero day, a sandbox escape the company marked as "high" impact, with a patch on Thursday.

Martin, who reported the attack to Mozilla, claims his team is still digging into the malware and infrastructure used in the attack but says he hasn't seen any evidence that the service's customers are being targeted.

After Martin posted a handful of indicators of compromise (IOC) on Twitter, Vitali Kremez, former Director of Research at Flashpoint, chimed in, acknowledging that the IOCs could be linked to a "powercat"-like stealer. Patrick Wardle, Chief Research Officer at Digita Security, and Nick Carr, a FireEye senior manager, also looked at IOCs provided by Martin and tied them to a new sample of the Mac malware OSX.NetWire.A.

Given the vulnerability is being exploited in the wild, even the U.S. government pressed users to update this week.

Officials with the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) urged users and administrators alike on Tuesday to apply the necessary updates.

Developers of the Tor Browser, which shares some of its code with Firefox, are also encouraging users to apply the browser update the project pushed this week. That update, which brings the anonymity service to version 8.5.2, also updates the bundled NoScript add-on to version 10.6.3.

Tags:  Vulnerabilities
