Critical Firefox Update Released to Address New Zero-Day Vulnerability
On June 21, 2019, Mozilla announced an essential update for its Firefox web browser, specifically version 67.0.4, aimed at patching a second zero-day vulnerability. This release comes closely on the heels of Firefox 67.0.3 and Firefox Extended Support Release (ESR) 60.7.1, which addressed a critical zero-day flaw that had already been actively exploited by threat actors in the wild.
The vulnerability, identified as CVE-2019-11707, could allow attackers to remotely execute arbitrary code on the systems of users running affected versions of Firefox on desktop platforms, including Windows, macOS, and Linux. Conversely, users of Firefox on mobile devices such as Android, iOS, and Amazon Fire TV are not at risk from this vulnerability.
Samuel Groß, a cybersecurity researcher at Google’s Project Zero, discovered the flaw, which falls under the category of a “type confusion” vulnerability. This issue arises from errors in the Array.pop method during JavaScript object manipulation, making it exploitable under specific conditions. Currently, detailed technical information and proof-of-concept demonstrations regarding this vulnerability have not yet been released by either Groß or Mozilla.
To ensure continued protection, users are urged to update their browsers promptly to the latest version, as Firefox is designed to install updates automatically and activate them following a browser restart. However, it remains prudent for users to verify they are running at least version 67.0.3 or ESR 60.7.1 or newer.
Later the same day, further insights surfaced about the vulnerability, highlighting its potential to facilitate Universal Cross-Site Scripting (UXSS) attacks. If leveraged in conjunction with a separate sandbox escape technique, attackers could execute arbitrary code on targeted systems. In statements shared via Twitter, Groß clarified that while the flaw has potential exploitation paths, a distinct sandbox escape would be necessary for remote code execution (RCE) scenarios.
This vulnerability raises significant concerns surrounding web browser security and the need for immediate user action to mitigate potential risks. As cyber threats evolve, business owners are urged to remain vigilant and proactive about updates and security measures. The MITRE ATT&CK framework can provide valuable context for understanding the tactics and techniques used in such attacks, particularly regarding initial access and privilege escalation that adversaries may capitalize on.
In conclusion, the rapid response to this zero-day vulnerability underscores the importance of maintaining up-to-date software to deter cybersecurity risks. As Mozilla continues to address these critical issues, users must remain informed and take prompt action to protect their systems.