Han Yoon

CEO @ Lunar Digital Assets, Hobbyist Writer, Cryptonaut. CyberSecurity Researcher. Noonie Nominee.

Critical Security Update: Coinbase Security Team Discovers Zero-Day Exploit in Firefox

Zero-Day Exploit Found Targeting Crypto-Users

Coinbase Security and Samuel Groß, a security researcher with Google, discovered a zero-day exploit on the Mozilla Firefox browser which uses Javascript objects to incur type confusion. This exploit, tracked as CVE-2019–11707, was seen “in the wild” specifically targeting cryptocurrency users.
“zero-day exploit” is a term used for critical vulnerabilities that is found for the first time, and it is crucial for teams to act quick and release patches. It is equally crucial for browser users to download the patch and update their browsers. Firefox has rated this exploit in its highest category: “Critical Impact — Vulnerability can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.”
The last Firefox Zero-Day exploit was back in 2016, which makes it quite rare for Mozilla’s flagship browser. Not much has been shared about the exploit itself, most likely due to the sensitive nature of the new exploit and to stop it from more malicious hackers to use the exploit. However, we do know that this exploit can cause a type confusion in Javascript when manipulating objects due to issues in array pop, causing an exploitable crash, as reported by Mozilla engineers in a security advisory today.
Earlier today the Mozilla team released a patch in Firefox version 67.0.3. Again, it is critical that all Firefox users, whether cryptocurrency users or not, update their browsers as soon as possible.
(Like now, yes you.)
edit: Some more information about the vulnerability has been provided by the Center for Internet Security.
A vulnerability has been discovered in Mozilla Firefox and Firefox Extended Support Release (ESR), which could allow for arbitrary code execution. A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash (CVE-2019–11707). Successful exploitation this vulnerability could allow for arbitrary code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Originally published at Lunar Digital Assets.




Tags

Comments

More by Han Yoon

Crypto
Saas
Ethereum
Vpn
Pivx
Binance
Decentralized Exchange
Blockchain
Chrome
Cryptocurrency
Ieo
Galaxy Digital
Automobile
Blockchain
Alibaba
Blockchain
Bitcoin
Blockchain
Topics of interest