
Critical Security Update: Coinbase Security Team Discovers Zero-Day Exploit in Firefox

by LPX, June 19th, 2019

Zero-Day Exploit Found Targeting Crypto-Users

Coinbase Security and Samuel Groß, a security researcher with Google, discovered a zero-day exploit in the Mozilla Firefox browser that uses JavaScript objects to trigger a type confusion. This exploit, tracked as CVE-2019-11707, was seen “in the wild” specifically targeting cryptocurrency users.

“Zero-day exploit” is a term used for critical vulnerabilities that are found for the first time, and it is crucial for teams to act quickly and release patches. It is equally crucial for browser users to download the patch and update their browsers. Firefox has rated this exploit in its highest category: “Critical Impact — Vulnerability can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.”

The last Firefox zero-day exploit was back in 2016, which makes such exploits quite rare for Mozilla’s flagship browser. Not much has been shared about the exploit itself, most likely because of its sensitive nature and to keep more malicious hackers from using it. However, we do know that it can cause a type confusion in JavaScript when manipulating objects due to issues in Array.pop, causing an exploitable crash, as reported by Mozilla engineers in a security advisory today.

Earlier today the Mozilla team released a patch in Firefox version 67.0.3. Again, it is critical that all Firefox users, whether cryptocurrency users or not, update their browsers as soon as possible.

(Like now, yes you.)

Edit: Some more information about the vulnerability has been provided by the Center for Internet Security.

A vulnerability has been discovered in Mozilla Firefox and Firefox Extended Support Release (ESR), which could allow for arbitrary code execution. A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash (CVE-2019-11707). Successful exploitation of this vulnerability could allow for arbitrary code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.