Zero-Day Exploit Found Targeting Crypto-Users Coinbase Security and Samuel Groß, a security researcher with Google, discovered a zero-day exploit on the browser which uses Javascript objects to incur type confusion. This exploit, tracked as , was seen “in the wild” specifically targeting users. Mozilla Firefox CVE-2019–11707 cryptocurrency A is a term used for critical vulnerabilities that is found for the first time, and it is crucial for teams to act quick and release patches. It is equally crucial for browser users to download the patch and update their browsers. Firefox has rated this exploit in its highest category: “Critical Impact — Vulnerability can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.” “zero-day exploit” The last Firefox Zero-Day exploit was back in 2016, which makes it quite rare for Mozilla’s flagship browser. Not much has been shared about the exploit itself, most likely due to the sensitive nature of the new exploit and to stop it from more malicious hackers to use the exploit. However, we do know that this exploit can cause a type confusion in Javascript when manipulating objects due to issues in array pop, causing an exploitable crash, in a security advisory today. as reported by Mozilla engineers Earlier today the Mozilla team released a patch in Firefox version 67.0.3. Again, it is critical that all Firefox users, whether cryptocurrency users or not, update their browsers as soon as possible. (Like now, yes you.) Some more information about the vulnerability has been provided by the Center for Internet Security. edit: A vulnerability has been discovered in Mozilla Firefox and Firefox Extended Support Release (ESR), which could allow for arbitrary code execution. A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash (CVE-2019–11707). Successful exploitation this vulnerability could allow for arbitrary code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Coinbase

Google

Mozilla

Winner of Noonies 2019 Cybersecurity Writer of the Year

2019 - Cybersecurity Writer of the Year

Read My Stories

Too Long; Didn't Read

Build JavaScript blockchain apps easily with Lisk

Critical Security Update: Coinbase Security Team Discovers Zero-Day Exploit in Firefox

Too Long; Didn't Read

Companies Mentioned

@LPX

RELATED STORIES