/Mozilla patches Firefox zero-day abused in the wild

Mozilla patches Firefox zero-day abused in the wild

New Firefox logo

Image: Mozilla

The Mozilla team has released earlier today version 67.0.3 of the Firefox browser to address a critical vulnerability that is currently being abused in the wild.

“A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop,” Mozilla engineers wrote in a security advisory posted today.

“This can allow for an exploitable crash,” they added. “We are aware of targeted attacks in the wild abusing this flaw.”

Samuel Groß, a security researcher with Google Project Zero security team, and the Coinbase Security team were credited with discovering the Firefox zero-day — tracked as CVE-2019-11707.

Outside of the short description posted on the Mozilla site, there are no other details about this security flaw or the ongoing attacks.

Following a request for additional details from ZDNet, Groß said “the bug can be exploited for RCE [remote code execution] but would then need a separate sandbox escape” in order to run code on an underlying operating system.

“However, most likely it can also be exploited for UXSS [universal cross-site scripting] which might be enough depending on the attacker’s goals,” he added.

Based on who reported the security flaw, we can safely assume the security flaw was being exploited in attacks aimed at cryptocurrency owners. Groß also said he did not have details about how the zero-day was used, and indicated that Coinbase Security may know more about the in-the-wild attacks.

“I don’t have any insights into the active exploitation part. I found and then reported the bug on April 15,” the Google security researcher said.

Firefox zero-days are quite rare. The last time the Mozilla team patched a Firefox zero-day was in December 2016, when they fixed a security flaw that was being abused at the time to expose and de-anonymize users of the privacy-first Tor Browser.

Fellow browser maker Google patched a zero-day in its browser in March this year. The zero-day was being used together with a Windows 7 zero-day as part of a complex exploit chain.

Article updated on June 19 with additional information from Groß.

More browser coverage: