Firefox Users Urged to Patch Zero Day Following Attack | Digital Guardian


Firefox Users Urged to Patch Zero Day Following Attack

by Chris Brook on Thursday June 20, 2019


The zero day - which was actually two zero days chained together - was used in attacks against a popular cryptocurrency exchange on Monday.

Security experts and even the U.S. government are urging Firefox users to update their browser as soon as possible this week to address a vulnerability, currently being exploited in the wild, that could let an attacker take control of an affected system.

The bug, a type confusion vulnerability (CVE-2019-11707) in Array.pop, a method that's used to add or remove JavaScript objects in Firefox, could allow an exploitable crash, Mozilla warned Tuesday. Firefox 67.0.3 and Firefox ESR 60.7.1, released this week, resolve the vulnerability.

In a type confusion vulnerability, the wrong function pointers or data are passed to a piece of code that can't verify the type of the object it's passed.

Samuel Groß, a researcher at Google's Project Zero who's been a mainstay the last several years at Pwn2Own, the annual hacking competition, discovered the bug on April 15.

Groß said Wednesday on Twitter that the bug can be exploited for remote code execution but that an attacker would need a separate sandbox escape to do so.

It sounds as if that's exactly what happened earlier this week, nearly two months after Groß first reported the bug to Mozilla, when an attacker tried to exploit the vulnerability against employees at the cryptocurrency exchange Coinbase.

Philip Martin, Coinbase’s Chief Information Security Officer, walked through the attack Wednesday night on Twitter, explaining that the company detected and blocked an attempt on Monday by an attacker using the type confusion vulnerability (CVE-2019-11707) in tandem with a separate zero day Firefox sandbox escape to target employees.

Mozilla addressed the second zero day, a sandbox escape the company marked as "high" impact, with a patch on Thursday.

Martin, who reported the attack to Mozilla, claims his team is still digging into the malware and infrastructure used in the attack but says he hasn't seen any evidence that the service's customers are being targeted.

After Martin posted a handful of indicators of compromise (IOC) on Twitter, Vitali Kremez, former Director of Research at Flashpoint, chimed in, acknowledging that the IOCs could be linked to a "powercat"-like stealer. Patrick Wardle, Chief Research Officer at Digita Security, and Nick Carr, a FireEye senior manager, also looked at IOCs provided by Martin and tied them to a new sample of the Mac malware OSX.NetWire.A.

Given the vulnerability is being exploited in the wild, even the U.S. government pressed users to update this week.

Officials with the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) urged users and administrators alike on Tuesday to apply the necessary updates.

Developers with the Tor Browser, which shares some of the same code with Firefox, are also encouraging users to apply a browser update they pushed this week. With that update, which brings the anonymity service to version 8.5.2, Tor also updated the NoScript addon, which comes bundled in, to version 10.6.3.
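For administrators checking a fleet against the fixed versions named above (Firefox 67.0.3, Firefox ESR 60.7.1, Tor Browser 8.5.2), the following is an added example, not code from Mozilla or Digital Guardian. It shows why ESR builds must be compared against the ESR fix rather than 67.0.3. The inventory format, host names and the assumption that ESR builds report an `esr` suffix in their version string are this example's own.

```python
import re

# Fixed versions as given in the article. They cover CVE-2019-11707 only; the
# article gives no version number for the later sandbox-escape patch.
FIXED = {
    "firefox": (67, 0, 3),
    "firefox-esr": (60, 7, 1),
    "tor-browser": (8, 5, 2),
}
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(esr)?$", re.IGNORECASE)

def parse(product, version):
    """Return (channel, version tuple); ESR is detected from the 'esr' suffix."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))  # pad "68.0" to (68, 0, 0)
    channel = product.lower()
    if channel == "firefox" and m.group(2):
        channel = "firefox-esr"  # compare ESR against the ESR fix, not 67.0.3
    return channel, nums

def is_patched(product, version):
    channel, nums = parse(product, version)
    return nums >= FIXED[channel]  # KeyError for products not in FIXED

def audit(inventory):
    """Return [(host, status)] for hosts that are unpatched or unclassifiable."""
    findings = []
    for line in inventory.strip().splitlines():
        host, product, version = line.split()
        try:
            if not is_patched(product, version):
                findings.append((host, "update needed"))
        except (ValueError, KeyError):
            findings.append((host, "unknown"))  # never silently treat as safe
    return findings

# Constructed sample inventory (hypothetical hosts): host, product, version.
SAMPLE = """
ws-01 firefox 67.0.3
ws-02 firefox 67.0.2
ws-03 firefox 60.7.1esr
ws-04 firefox 60.7.0esr
ws-05 tor-browser 8.5.1
ws-06 firefox nightly-build
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE):
        print(host, status)
```

A host on 60.7.1esr passes even though its number is below 67.0.3, while a version string the parser cannot read is reported as unknown instead of being assumed safe.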


Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.