Mozilla Fixes Actively Exploited Zero-Day Flaw with Firefox 67.0.3



Mozilla has fixed the Firefox and Firefox ESR zero-day vulnerabilities with the release of its latest versions, Firefox 67.0.3 and Firefox ESR 60.7.1. Attackers were actively exploiting these flaws to remotely execute arbitrary code on the systems of users running vulnerable versions of the browser.
The zero-day flaw, tracked as CVE-2019-11707, occurs when JavaScript objects are manipulated, due to issues in Array.pop. Before Mozilla released the patch, attackers could trigger it by luring users of vulnerable browser versions to a malicious web address designed to take control of the affected systems and execute arbitrary code on them.
According to Mozilla's security advisory, the browser's developers are "aware of targeted attacks in the wild abusing this flaw," which could allow attackers who exploit it to take over affected machines.
In response to the Firefox and Firefox ESR zero-day vulnerabilities, which were reported to Mozilla by the Coinbase Security team and Samuel Groß of Google Project Zero, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory urging users "to review the Mozilla Security Advisory for Firefox 67.0.3 and Firefox ESR 60.7.1 and apply the necessary updates."
Commenting on the matter, Groß tweeted, “The bug can be exploited for RCE [remote code execution] but would then need a separate sandbox escape.”
“However, most likely it can also be exploited for UXSS [universal cross-site scripting] which might be enough depending on the attacker’s goals,” he added.
Mozilla released a similar emergency patch, Firefox 50.0.2 and 45.5.1 ESR, in 2016. In that case, the flaw was exploited by cybercriminals to de-anonymize Tor Browser users and collect private data such as MAC addresses, hostnames, and IP addresses.
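
To act on the update advice above across many machines, the following added example (not code from Mozilla, CISA, or this blog) checks collected version strings against the two fixed releases named in the article, treating the release and ESR channels separately. It assumes the input is the text printed by `firefox --version`, with ESR builds carrying an `esr` suffix; the hostnames and sample versions are constructed.

```python
import re

# Fixed versions named in the article, one per channel.
FIXED_RELEASE = (67, 0, 3)
FIXED_ESR = (60, 7, 1)

# Assumed input format: output of `firefox --version`, for example
# "Mozilla Firefox 67.0.2" or "Mozilla Firefox 60.7.0esr".
VERSION_RE = re.compile(r"Firefox\s+(\d+(?:\.\d+){1,2})(esr)?\s*$", re.IGNORECASE)


def classify(version_line):
    """Return 'patched', 'update-needed' or 'unknown' for one version string."""
    m = VERSION_RE.search(version_line.strip())
    if not m:
        # Pre-release or unparseable strings are never reported as patched.
        return "unknown"
    parts = tuple(int(p) for p in m.group(1).split("."))
    parts = (parts + (0, 0))[:3]  # "68.0" -> (68, 0, 0)
    # The channel decides the threshold: 60.7.1 is fixed only on ESR.
    fixed = FIXED_ESR if m.group(2) else FIXED_RELEASE
    return "patched" if parts >= fixed else "update-needed"


def audit(inventory):
    """Return the sorted hostnames that are not confirmed patched."""
    return sorted(h for h, line in inventory.items() if classify(line) != "patched")


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {
    "ws-01": "Mozilla Firefox 67.0.3",
    "ws-02": "Mozilla Firefox 67.0.2",
    "ws-03": "Mozilla Firefox 60.7.1esr",
    "ws-04": "Mozilla Firefox 60.7.1",     # release channel, not ESR
    "ws-05": "Mozilla Firefox 60.7.0esr",
    "ws-06": "Mozilla Firefox 68.0b3",     # pre-release: not classified
}

if __name__ == "__main__":
    for host in audit(SAMPLE):
        print(host, SAMPLE[host], "->", classify(SAMPLE[host]))
```

Comparing every host against a single minimum version would misjudge `ws-04`, which carries the ESR fix number on the release channel.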

