A critical update for the Firefox web browser is urgent, as Mozilla has issued a warning to users regarding a newly discovered zero-day vulnerability. This update comes just days after the release of a fix for another actively exploited vulnerability within Firefox 67.0.3.
The most recent vulnerability, identified as CVE-2019-11708, is a “sandbox escape” flaw that, when combined with a previous type confusion bug (CVE-2019-11707), enables remote attackers to execute arbitrary code on victim systems merely by luring them to malicious websites. This poses significant risks, especially for organizations that may be targeted.
A key aspect of this vulnerability hinges on inadequate checks of parameters transmitted between child and parent processes within the browser. Such shortcomings can allow an unprotected parent process to interact with web content at the discretion of a compromised child process. The advisory released by Mozilla highlights the seriousness of the issue and underscores the need for immediate action.
Reports indicate that attackers have exploited both vulnerabilities in tandem, targeting employees of cryptocurrency platforms, including Coinbase, as well as users associated with other digital currency services. The flaws have also facilitated campaigns designed to install malware on macOS systems specifically targeted at cryptocurrency users.
While it remains uncertain whether the attackers independently discovered the initial vulnerability or somehow accessed confidential bug-report information, it is clear that these exploits pose an evolving threat. Cybersecurity experts are closely monitoring the situation, especially in the context of the frequent updates being issued in light of these vulnerabilities.
To counteract potential exploitation, Mozilla has released Firefox version 67.0.4 and Firefox ESR 60.7.2. Users are strongly advised to ensure they are operating these versions to mitigate the risks of remote control by attackers. Although Firefox typically installs updates automatically, confirming the application’s version can enhance security measures.
As a significant precautionary step, organizations relying on Firefox should remain vigilant and update their systems promptly. Additionally, the Tor Project is anticipated to release an updated version of its privacy-focused browser shortly, which will also patch the recently fixed vulnerabilities.
In summary, the urgency surrounding this update cannot be overstated, as the vulnerabilities pose real-world threats that could compromise the integrity and security of organizational systems. It is essential for business owners to understand the tactics involved, especially those outlined in the MITRE ATT&CK framework, including initial access, execution, and privilege escalation, enabling a deeper understanding of the risks associated with these vulnerabilities.
