Mozilla plugs critical Firefox zero-day used in targeted attacks

2:50 AM

A critical Firefox zero-day remote code execution vulnerability is being abused in targeted attacks in the wild, Mozilla warned on Tuesday.

About the vulnerability (CVE-2019-11707)

Mozilla did not share many details about the flaw – it simply stated that it is a type confusion vulnerability that can occur when manipulating JavaScript objects due to issues in Array.pop, and that it can trigger an exploitable crash.

The flaw can be exploited to achieve arbitrary code execution. Depending on the privileges associated with the user active at the time of the attack, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.

No details about the attacks have been released. Still, given that credit for the discovery of CVE-2019-11707 goes to Coinbase Security and Samuel Groß of Google Project Zero, it seems likely that the flaw is being exploited by attackers to target cryptocoin owners.

Start patching!

The vulnerability has been patched in Firefox 67.0.3 and Firefox ESR 60.7.1 for Windows, macOS and Linux. Firefox users should restart their browser to prompt an update.

This is the first time since late 2016 that a Firefox zero-day has been exploited in the wild. That flaw was exploited to de-anonymize users of the Tor Browser, which is based on Firefox ESR, Mozilla’s Firefox offering meant for organizations that prefer stability over having the latest improvements as soon as they are available.


from Help Net Security http://bit.ly/2WNDUlD
