


Mozilla Issues 'Update Now' Warning To 500 Million Firefox Users (Updated)



Mozilla is warning its 500 million Firefox users to update after releasing an advisory detailing a “critical” vulnerability. Issued yesterday (June 18), the warning covers security vulnerabilities fixed in Firefox 67.0.3 and Firefox ESR 60.7.1.

According to the advisory: “A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash.”

“We are aware of targeted attacks in the wild abusing this flaw,” Firefox owner Mozilla said.

Mozilla gave the issue a “critical” rating, meaning the vulnerability can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.

The vulnerability is so serious that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also issued a warning. CISA’s advisory reads: “Mozilla has released security updates to address a vulnerability in Firefox and Firefox ESR.

“An attacker could exploit this vulnerability to take control of an affected system. This vulnerability was detected in exploits in the wild.”

“The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Mozilla Security Advisory for Firefox 67.0.3 and Firefox ESR 60.7.1 and apply the necessary updates.”

What to do

Given that the zero day, tracked as CVE-2019-11707, is critical, it’s important that you update now. You can download the update for Firefox 67.0.3 from the firm’s website.

Firefox is also pushing the update automatically through the browser. You can check whether yours has it by opening the "Firefox" menu on the menu bar and selecting "About Firefox." If an update is available, a new window opens and prompts the latest version to download.
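For anyone responsible for more than one machine, here is an added example that is not part of the Forbes article or Mozilla's own tooling: a POSIX shell check that reads the line Firefox prints for `firefox --version` and reports whether that build already contains the fix, using only the fixed versions named in the advisory (67.0.3 and ESR 60.7.1). It assumes ESR builds report their version with an `esr` suffix (for example `60.7.1esr`) and that beta builds append a suffix such as `b3`; the sample version lines at the bottom are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article or from Mozilla: classify a Firefox
# version string against the fixed versions in the advisory for CVE-2019-11707.
# Fixed versions (from the advisory): 67.0.3 on the release track, 60.7.1 on ESR.
FIXED_RELEASE="67.0.3"
FIXED_ESR="60.7.1"

# version_ge A B: succeed when dotted numeric version A is >= B.
# Missing fields count as 0, so "68.0" compares as "68.0.0".
version_ge() {
    _a="$1"; _b="$2"; _i=1
    while [ "$_i" -le 3 ]; do
        _x=$(printf '%s' "$_a" | cut -d. -f"$_i"); _x=${_x:-0}
        _y=$(printf '%s' "$_b" | cut -d. -f"$_i"); _y=${_y:-0}
        if [ "$_x" -gt "$_y" ]; then return 0; fi
        if [ "$_x" -lt "$_y" ]; then return 1; fi
        _i=$((_i + 1))
    done
    return 0
}

# firefox_patched "<line printed by firefox --version>"
# Returns 0 when the build includes the fix, 1 when it needs updating,
# 2 when no version number could be parsed from the line.
# Assumption: ESR builds print an "esr" suffix, e.g. "Mozilla Firefox 60.7.1esr".
firefox_patched() {
    _ver=$(printf '%s\n' "$1" | sed -n 's/.*Firefox[[:space:]]*\([0-9][0-9.]*[a-z0-9]*\).*/\1/p')
    [ -n "$_ver" ] || return 2
    case "$_ver" in
        *esr)
            # ESR track: 60.7.1esr and later carry the fix; older ESR lines do not.
            version_ge "${_ver%esr}" "$FIXED_ESR"
            ;;
        *)
            # Release/beta track: drop any beta suffix such as "b3" before comparing.
            _num=$(printf '%s' "$_ver" | sed 's/[^0-9.].*//')
            version_ge "$_num" "$FIXED_RELEASE"
            ;;
    esac
}

# Check the locally installed browser when one is on PATH.
if command -v firefox >/dev/null 2>&1; then
    line=$(firefox --version 2>/dev/null)
    if firefox_patched "$line"; then
        echo "OK: '$line' includes the CVE-2019-11707 fix"
    else
        echo "UPDATE NOW: '$line' is missing the fix (or could not be parsed)"
    fi
fi

# Constructed sample lines in the format firefox --version prints (not real output),
# showing one vulnerable and one fixed build on each track.
for sample in "Mozilla Firefox 67.0.2" "Mozilla Firefox 67.0.3" \
              "Mozilla Firefox 60.7.0esr" "Mozilla Firefox 60.7.1esr"; do
    if firefox_patched "$sample"; then
        echo "fixed:      $sample"
    else
        echo "vulnerable: $sample"
    fi
done
```

The check deliberately treats every release below 67.0.3, and every ESR build below 60.7.1, as unpatched, which matches the researcher's reading quoted later in the piece that most prior versions are likely affected.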

Although the update will be pushed to users, it makes sense to check whether yours is available now. Sean Wright, an independent security researcher, advises users to “drop everything you are doing and update ASAP.”

He says the issue could impact “quite a few” Firefox users, especially since many have recently switched over to Firefox from Chrome.

“Unfortunately, details of the issue are really sparse, so it could be all prior versions of Firefox which are affected, or only a subset. Likely most given the fixed versions (67.0.3 and ESR 60.7.1),” he says.

More detail needed

The vulnerability was reported by Google's Samuel Groß and Coinbase Security. Due to the latter, it’s likely the attacks are related to cryptocurrency in some way.

But Mozilla hasn’t released any more details about the issue. I have contacted the firm for comment and will update this story if and when it arrives.

As ZDNet points out, Firefox zero-days are pretty rare. The last one was reported in December 2016, when Mozilla patched a zero-day security flaw that was being used by attackers to expose and de-anonymize Tor browser users.

For now, Wright says: “Based on reports, especially from US CERT, it's best to err on the side of caution and treat this vulnerability as a means of an attacker to be able to run commands by exploiting it.”

But given that it’s already being actively exploited, Wright says Firefox should have released more information about this vulnerability. “This highlights the issue we have around disclosing vulnerabilities and often, the vague details given which could lead to confusion or worse, the issue being downplayed or ignored.”

At the very least, he says, a CVSS score (the Common Vulnerability Scoring System gives a numerical severity score along with a CVSS vector that encodes further information about the vulnerability) should be published to give a better idea of the risk. “Given that it is already being exploited, withholding information is likely only harming users.”

So if you are using Firefox, take time to look for the update now. And at least you can rest easy knowing vulnerabilities of this severity are pretty uncommon in Firefox.

Updated 04:00 ET

A second zero day has been patched by Mozilla, just days after the first. According to ZDNet, the second exploit, described as a "sandbox escape," allowed attackers to bypass the Firefox protected process and execute code on the underlying operating system.

Both zero days were being used in attempts to attack and infect staff of the cryptocurrency exchange Coinbase via phishing emails. If staff who used Firefox clicked the link in the email, an info-stealer was downloaded to collect browser passwords and other data.

Firefox sent me a statement via email, authored by Selena Deckelmann, senior director, Firefox browser engineering. It reads: “On Monday, June 17, 2019, Coinbase reported a vulnerability used as part of targeted attacks for a spear phishing campaign. In less than 24 hours, we released a fix for the exploit.”

The firm reiterated the need to update now if you haven't already.