Firefox Critical Flaw Patched
Mozilla has released updates for the Firefox browser fixing a critical vulnerability that is being actively exploited in targeted attacks against Coinbase employees and other cryptocurrency organizations. The flaw, CVE-2019-11707, is a type confusion vulnerability involving Array.pop, a built-in method of JavaScript arrays, in Firefox's JavaScript engine. Under active attack, it lets an attacker run code of their choosing inside the browser and, chained with a sandbox escape, take full control of systems running vulnerable Firefox versions.
The Mozilla Foundation said that the issue is fixed in Firefox 67.0.3 and Firefox ESR 60.7.1. Anyone using Firefox on a Windows, macOS or Linux desktop is affected. According to Mozilla's advisory, a type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop, which can lead to an exploitable crash. Mozilla is aware of targeted attacks in the wild abusing this flaw.
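Because the fix lives on two branches (67.0.3 on the release channel, 60.7.1 on the ESR channel), a simple "is the version at least X" check gets the ESR case wrong. The following is an added example, not code from the article or from Mozilla, that classifies reported Firefox versions against both fixed versions. It assumes the full version string as reported by the endpoint (for example the output of `firefox --version`); the inventory and hostnames are constructed sample data. Note that browser User-Agent strings only carry major.minor (e.g. `Firefox/67.0`), so they cannot distinguish 67.0 from 67.0.3 and are not a usable input here.

```javascript
// Added example (not from the article): decide whether a reported Firefox
// version is still exposed to CVE-2019-11707, using the fixed versions named
// in the advisory: 67.0.3 on the release channel and 60.7.1 on ESR.

// Parse strings such as "Mozilla Firefox 67.0.3", "60.7.1esr" or "66.0.5"
// into a numeric [major, minor, patch] triple. Returns null if no version
// number is present.
function parseFirefoxVersion(s) {
  const m = /(\d+)\.(\d+)(?:\.(\d+))?/.exec(String(s));
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3] || 0)];
}

// Lexicographic comparison of two [major, minor, patch] triples:
// -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

const FIXED_RELEASE = [67, 0, 3]; // Firefox 67.0.3
const FIXED_ESR = [60, 7, 1];     // Firefox ESR 60.7.1

// True when the version is at or past the fix on its own branch.
// ESR 60.x is judged against 60.7.1; everything else against 67.0.3, so
// releases 61 through 66 (end-of-life, never patched) count as unpatched,
// as does anything older than 60.
function isPatchedForCVE201911707(versionString) {
  const v = parseFirefoxVersion(versionString);
  if (v === null) throw new Error(`unparseable Firefox version: ${versionString}`);
  if (v[0] === 60) return compareVersions(v, FIXED_ESR) >= 0;
  return compareVersions(v, FIXED_RELEASE) >= 0;
}

// Run over an inventory of hostname -> reported version and return the
// hosts still needing an update, sorted by hostname.
function findUnpatchedHosts(inventory) {
  return Object.entries(inventory)
    .filter(([, ver]) => !isPatchedForCVE201911707(ver))
    .map(([host]) => host)
    .sort();
}

// Constructed sample inventory (hypothetical hosts, not real data).
const SAMPLE_INVENTORY = {
  "ws-01": "Mozilla Firefox 67.0.3",
  "ws-02": "Mozilla Firefox 67.0.2",
  "ws-03": "Mozilla Firefox 60.7.1esr",
  "ws-04": "Mozilla Firefox 60.7.0esr",
  "ws-05": "Mozilla Firefox 66.0.5",
  "ws-06": "Mozilla Firefox 68.0",
};

console.log(findUnpatchedHosts(SAMPLE_INVENTORY)); // ["ws-02", "ws-04", "ws-05"]
```

The branch split is the whole point: a naive `>= 67.0.3` rule would flag every patched ESR 60.7.1 host as vulnerable, while a naive `>= 60.7.1` rule would wave through unpatched 66.x and 67.0.2 installs.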
The flaw was discovered by Samuel Groß of Google Project Zero and the Coinbase Security team. In a Twitter thread it was noted that the first public fix had been deployed about a week earlier. In essence, the type confusion lets a malicious web page, through Array.pop, make the JavaScript engine treat an object as a different type than it really is, which is the primitive from which memory corruption and code execution are built. The bug can be exploited for remote code execution (RCE), but reaching the underlying system would then need a separate sandbox escape. More likely, it can also be exploited for universal cross-site scripting (UXSS), which might be enough depending on the attacker's goals. Both outcomes are serious. Remote code execution lets an attacker run code on the device and make changes to it, while UXSS lets attacker-controlled script run in the context of other websites in the victim's browser, bypassing the same-origin policy, so it can read session data and act on the victim's behalf on those sites.
Mozilla has recently been fixing a string of critical flaws in Firefox. In May, it patched several critical vulnerabilities with the release of Firefox 67. The worst of those bugs are two memory safety flaws that could allow an attacker to take control of an affected system, according to a security bulletin issued by the United States Computer Emergency Readiness Team (US-CERT).