Critical Security Update: Coinbase Security Team Discovers Zero-Day Exploit in Firefox

Written by LPX | Published 2019/06/19
Tech Story Tags: cybersecurity | cryptocurrency | blockchain | exploit | security | firefox | coinbase | latest-tech-stories | web-monetization

TLDRvia the TL;DR App

Zero-Day Exploit Found Targeting Crypto-Users

Coinbase Security and Samuel Groß, a security researcher with Google, discovered a zero-day exploit on the Mozilla Firefox browser which uses Javascript objects to incur type confusion. This exploit, tracked as CVE-2019–11707, was seen “in the wild” specifically targeting cryptocurrency users.
“zero-day exploit” is a term used for critical vulnerabilities that is found for the first time, and it is crucial for teams to act quick and release patches. It is equally crucial for browser users to download the patch and update their browsers. Firefox has rated this exploit in its highest category: “Critical Impact — Vulnerability can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.”
The last Firefox Zero-Day exploit was back in 2016, which makes it quite rare for Mozilla’s flagship browser. Not much has been shared about the exploit itself, most likely due to the sensitive nature of the new exploit and to stop it from more malicious hackers to use the exploit. However, we do know that this exploit can cause a type confusion in Javascript when manipulating objects due to issues in array pop, causing an exploitable crash, as reported by Mozilla engineers in a security advisory today.
Earlier today the Mozilla team released a patch in Firefox version 67.0.3. Again, it is critical that all Firefox users, whether cryptocurrency users or not, update their browsers as soon as possible.
(Like now, yes you.)
edit: Some more information about the vulnerability has been provided by the Center for Internet Security.
A vulnerability has been discovered in Mozilla Firefox and Firefox Extended Support Release (ESR), which could allow for arbitrary code execution. A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash (CVE-2019–11707). Successful exploitation this vulnerability could allow for arbitrary code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Written by LPX | Former CEO, Web3 Evangelist, & 2019 Noonie Winner. After years of hiatus, it's good to be back just DAOin' it.
Published by HackerNoon on 2019/06/19
ABOUTHow hackers start their afternoons. We publish tech stories and build publishing software.

READEntirely free library read by hundreds of millions to learn anything about any technology.

WRITEHackerNoon elevates quality technology writing far and wide across the interwebs.

PARTNERHackerNoon works directly with tech companies to place ads by content relevancy