Critical vulnerability in browser version 67.0.3

UPDATED Mozilla has released an emergency fix for a critical vulnerability in Firefox that could allow an attacker to take over a victim’s machine.

The zero-day, assigned CVE-2019-11707, could allow arbitrary code to be remotely executed on any desktop running affected versions of the browser – Firefox 67.0.3 and Firefox ESR 60.7.1.

This type confusion vulnerability is currently being exploited by attackers in the wild, Mozilla said.

“A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop,” a Mozilla security advisory reads.

“This can allow for an exploitable crash.”

The bug was independently reported to Mozilla by Samuel Groß of Google Project Zero and Coinbase Security in what appears to be a bug collision – when security researchers arrive at the same vulnerability without intending to.

No details other than Mozilla’s security advisory were provided, although it is likely that a fix for the vulnerability had initially been planned for next month with the release of Firefox 68. 

Selena Deckelmann, senior director of Firefox Browser Engineering, told The Daily Swig: “On Monday, June 17, 2019, Coinbase reported a vulnerability used as part of targeted attacks for a spear phishing campaign.

“In less than 24 hours, we released a fix for the exploit.”

Coinbase, a digital currency exchange in the US, said its employees were targeted in the campaign.

“We’ve seen no evidence of exploitation targeting customers,” Philip Martin of Coinbase Security said on Twitter.

“We were not the only crypto org targeted in the campaign. We are working to notify other orgs we believe were also targeted. We’re also releasing a set of IOCs that orgs can use to evaluate their potential exposure.”

Not long after Martin’s comments, Mac security expert Patrick Wardle released an analysis of malware believed to be the same zero-day used in the Coinbase attacks.

A warning of the vulnerability has also been issued by the US Department of Homeland Security.

Firefox had just over 5% of the browser market share worldwide as of May of this year, falling behind Safari (16%) and Chrome (63%).

Users are reminded to make sure they are running Firefox 67.0.3 or Firefox ESR (Extended Support Release) 60.7.1, or later.


This article has been updated to include comments from Mozilla, Patrick Wardle, and Coinbase Security.