
Mozilla Privacy: Tracking Users Without Consent

Mozilla, the organization behind the privacy-centric Firefox browser, has come under fire for allegedly tracking users without their consent. The controversy centers on a feature called Privacy Preserving Attribution (PPA), which has sparked a heated debate about privacy, consent, and the future of online tracking.

The User Tracking Allegations

The European digital rights group NOYB (None Of Your Business) has filed a privacy complaint against Mozilla, claiming that the PPA feature in Firefox tracks users’ online behavior without their explicit consent. According to NOYB, this practice violates the EU’s General Data Protection Regulation (GDPR), which mandates that users must be informed and give consent before any tracking can occur.

What is Privacy Preserving Attribution?

Privacy Preserving Attribution is a method designed to measure the effectiveness of online advertisements without relying on invasive third-party cookies. Instead of allowing individual websites to track users, PPA shifts this responsibility to the browser itself. The idea is to provide advertisers with the data they need while protecting users’ privacy.

However, the implementation of PPA has raised significant concerns. Critics argue that by enabling this feature by default, Mozilla has effectively bypassed the need for user consent. This move has been seen as contradictory to Mozilla’s long-standing reputation as a champion of online privacy.

The GDPR Implications

The GDPR is one of the most stringent privacy regulations in the world, and it requires that any form of data processing must be transparent and consensual. NOYB’s complaint suggests that Mozilla’s PPA feature does not meet these criteria. If the complaint is upheld, Mozilla could face substantial fines and be forced to alter its approach to user tracking.

Mozilla’s Response

In response to the allegations, Mozilla has defended the PPA feature, stating that it is designed to balance the needs of advertisers with the privacy rights of users. Mozilla argues that PPA is a more privacy-friendly alternative to traditional tracking methods and that it does not collect any personally identifiable information.

Despite these assurances, the controversy has highlighted a broader issue within the tech industry: the tension between innovation and privacy. As companies strive to develop new technologies, they must also navigate the complex landscape of privacy regulations and user expectations.

Protecting User Privacy by Removing Personal Data from Data Broker Sites
As part of its new subscription service model, Mozilla Firefox is offering its users the possibility of finding and removing their personal and sensitive information from data brokers across the internet. This new subscription model is known as Mozilla Monitor Plus and will allow users to locate and remove their sensitive information. 

To let users eliminate their phone numbers, e-mail addresses, home addresses, and other information that is routinely sold to data broker platforms for profit, the company offers a new subscription tier called Mozilla Monitor Plus. This is particularly interesting because Mozilla already offers a free privacy-monitoring service called Firefox Monitor, previously known as Mozilla Monitor, which is now being revamped to strengthen privacy for users.

Previously, Mozilla Monitor was a free service that notified users when their email accounts had appeared in a breach. The new version is called Monitor Plus and is subscription-based. Approximately 10 million current Mozilla Monitor users will now be able to run scans through the subscription service to see whether their personal information has been exposed.

Whenever an exposure is detected, Monitor Plus provides the tools to make a user's information private again. Data broker websites put individuals through a convoluted and confusing process when they try to remove their information. It is not uncommon for people to be unsure who is using their personal information or how to get rid of it once they find it online.

Most such sites either have an opt-out page or require people to contact the broker directly to request removal. Mozilla Monitor simplifies this by proactively searching across 190 data broker sites known for selling private and personal information.

If any data the user provided to Mozilla, including name, location, and birthdate, is discovered on those sites, Mozilla initiates a removal request on the user's behalf. The removal process can take anywhere from a day to a month, depending on how serious the problem is. There are two subscription options for this feature: the Monitor Plus subscription costs $13.99 per month, or $8.99 per month with an annual subscription.

Users who do not wish to subscribe can still scan data broker sites once for free, but they then have to go through the removal steps on each website manually. This may encourage them to upgrade to the Monitor Plus subscription, which automates a process that is otherwise very tedious.

As regards data breaches, both free and paid users will continue to receive alerts and have access to tools explaining how to fix high-risk breaches. By providing an email address and a few personal details such as first and last name, city, state, and date of birth, users can initiate a free one-time scan.

The tool then scans for potential exposures, informs users of them, and explains how they can be fixed. Mozilla's policy is to initiate a data removal request on behalf of users who wish to have their data removed. Users can view the status of their requests and track their progress.

Furthermore, after personal information has been removed, Mozilla performs a monthly scan of the 190+ data broker sites to ensure it has not reappeared. Users must submit their first and last name, current city and state, date of birth, and email address to initiate a scan. Mozilla has an extensive privacy policy covering this information, which it stores encrypted.

With this information in hand, Mozilla scans for your personal data and shows you where it has been exposed by data breaches, brokers, or websites that collect personal information. In 2023 alone, 233 million people were affected by data breaches, which is why a tool like this is vital in the current environment. The Mozilla Monitor Plus subscription will include monthly scans and automatic removal of any malware that is found on your computer.

Smart Car Dread: Mozilla Reports Tested Cars Failed Privacy Regulations, User Data at Risk

Smart Car Privacy

Mozilla Reveals Tested Cars Failed Privacy Regulations

Mozilla recently disclosed that all 25 car brands it tested failed its privacy standards. According to Mozilla, all of them went overboard in their data collection and use rules, and some even had disclaimers about gathering the most private forms of information, such as your sexual history and genetic information. This isn't just speculative: the technology in today's cars can collect this type of private data, and the fine print of user agreements explains how manufacturers obtain your agreement every time you switch on the ignition.

Adonne Washington, policy counsel at the Future of Privacy Forum, said: "These privacy policies are written in a way to ensure that whatever is happening in the car if there's an inference that can be made, they're still ensuring that there's protection and that they're compliant with different state laws." The agreements take into account technological advances that may occur while you own the car. According to Washington, tools designed to do one thing may soon be able to do more, so manufacturers must keep this in mind.

Kinds of data gathered

So it seems logical that a car manufacturer's privacy policy would include every feasible form of data in order to protect the company legally if it strayed into a particular area of data collection. Nissan's privacy policy, for instance, lists "sexual orientation, sexual activity, precise geolocation, health diagnosis data, and genetic information" as forms of personal data gathered.

Companies disclose these categories in advance so that you can't sue if, for example, they inadvertently capture you having sex in the back seat. Nissan argued in a statement that this is why its privacy policy is so general. Nissan claims it "does not knowingly collect or disclose customer information on sexual activity or sexual orientation," but it has those terms in its policy because "some U.S. state laws require us to account for inadvertent data we have or could infer but do not request or use."

Why do the companies need this data? What is the urgency?

Aside from covering all legal bases, there's no way of knowing why these companies would want extremely sensitive information about their drivers, or what they'd do with it. Even a car that isn't "smart" may gather a lot of information about the driver if it is equipped with Bluetooth, USB, or recording capabilities.

The lack of alternatives to connected cars, combined with the absence of full disclosure about how driver data is used, leaves customers little choice but to trust that what they share is being used ethically, or that at least some of the categories of data listed in these troubling privacy policies (such as Nissan's decision to include "genetic information") are there solely for liability reasons. The choices are basically to read each of these policies and choose the least severe, to buy a very old, probably fuel-inefficient car with no smart technology, or not to own a car at all. On that last point, just around 8% of American households do not own a car, and most of them not because they live in a walkable area with good public transportation, but because they cannot afford one.

What choice

Customers are actively constrained by the current state of legal contract understanding, while companies are driven to limit risk by continuing to pad these (often misread) agreements with ever more intrusive categories of information. Many experts would tell you that federal regulation is the only real option here. There have been occasional instances of state privacy laws being used to benefit customers, as in Massachusetts and California, but for the most part drivers have no idea they should be upset. And even if they are outraged, there is little they can do except buy a car anyway.

Behind the Wheel, Under Surveillance: The Privacy Risks of Modern Cars
The auto industry is failing to give drivers control over their data privacy, according to researchers warning that modern cars are "wiretaps on wheels." An analysis published on Wednesday revealed that, in an era when driving is becoming increasingly digital, some of the most popular car brands in the world are a privacy nightmare, collecting and selling personal information about their customers.

According to the Mozilla Foundation's 'Privacy Not Included' survey, most major manufacturers admit to selling drivers' personal information, and half of them say they would make it available without a court order to governments, law enforcement agencies, or insurance companies.

Automobiles have become prodigious data-collection hubs: the proliferation of sensors, from telematics to fully digitalised control consoles, has enabled manufacturers to collect huge amounts of data about vehicles.

The findings of the new study indicate that car brands intentionally collect "too much personal data" from drivers, giving them little or no choice about what they share. In addition to automobiles, the study examined products from a wide variety of categories, including mental health apps, electronic entertainment devices, smart home devices, wearables, and fitness and health products.

The authors singled out one concern when reviewing cars: they found them to be the worst products in terms of privacy, calling them a "privacy nightmare". Mozilla Foundation spokesperson Kevin Zawacki stated that cars were the first category reviewed in which every product received the "Privacy Not Included" warning label.

As reported by several sources, all the car brands reviewed collect a significant amount of personal information about their customers, with 84% sharing or selling the collected data. According to the study, car manufacturers are becoming tech manufacturers in order to collect data from their customers, data that can easily be shared or sold without their knowledge or permission, which is why privacy concerns are rising.

The data collected from the car includes highly detailed information about the user, such as biometric information, medical information, genetic information, driving speeds, travel locations, and music preferences, among many other things.

Taking care of your privacy is one of the most frustrating aspects of owning a car, for several reasons. Not only do automakers collect too much personal information, as the report states, but every manufacturer does the same thing. This data can include many kinds of information, from the way users interact with their cars to data from third parties such as Google Maps.

Some cars can even collect data from the phones paired with them if they have an accompanying app. Perhaps the worst aspect of these privacy violations is that, unlike with devices such as TVs, there is no way for the user to opt out.

As far as users' data is concerned, 92% of car manufacturers give them no control over it, and only two allow users to delete the data collected about them. Mozilla identified no car company that met its Minimum Security Standards, which cover the very basics, such as encrypting data.

Mozilla's Jen Caltrider noted that car buyers have few options if they do not opt for a used, pre-digital model. Since 2017, Mozilla has studied a wide range of products, including fitness trackers, reproductive-health apps, smart speakers, and other connected home appliances, and cars ranked lowest for privacy of the more than a dozen product categories reviewed.

Is it Possible for Cars to Spy on Drivers? 

For years, automakers have openly bragged that their cars are 'computers on wheels' to promote their advanced features, but those features have been greatly augmented by internet connectivity, which has transformed new cars into "powerful data-hungry machines," according to Mozilla.

Nowadays there are cameras on both sides of the vehicle, microphones, and many other sensors that monitor driver activity. The companies that provide the apps, maps, and connected services that integrate with your phone collect or access your data when you pair the phone with the car's computer.

Many car buyers don't have many choices on the market today other than opting for a used, pre-digital model, Caltrider told the Associated Press. She points out that automobile manufacturers seem to behave better in Europe, where the laws are tougher, and she believes the United States could pass similar laws if it wished.

The Mozilla Foundation hopes that raising awareness among consumers will fuel a backlash against companies engaging in this kind of surveillance through their "smart" devices, as happened with TV manufacturers during the 2010s. "Cars seem to have slipped under the radar in terms of privacy."

Mozilla Research Lashes Out at Google Over ‘Misleading’ Privacy Labels on Leading Android Apps

An investigation by the Mozilla Foundation into the data safety labels and privacy policies on the Google Play Store has exposed severe loopholes that enable apps like Twitter, TikTok, and Facebook to give inaccurate or misleading information about how user data is shared.

The study examined the 40 most downloaded Android apps on Google Play, 20 free and 20 paid, and found that nearly 80% of them disclose misleading or false information.

The following findings were made by the Mozilla researchers: 

  • 16 of these 40 apps, including Facebook and Minecraft, had significant discrepancies between their data safety forms and privacy policies.
  • 15 apps received the intermediate rating, “Need Improvement”, indicating some inconsistencies between the privacy policies and the Data Safety Form. YouTube, Google Maps, Gmail, Twitter, WhatsApp Messenger, and Instagram are among these applications.
  • Only six of the 40 apps received the “OK” grade: Candy Crush Saga, Google Play Games, Subway Surfers, Stickman Legends Offline Games, Power Amp Full Version Unlocker, and League of Stickman: 2020 Ninja.

Google’s Data Privacy Section 

Google launched the data privacy section of the Play Store last year. It was introduced to provide a “complete and accurate declaration” of the information gathered by apps, which developers supply by filling out the Google Data Safety Form.

Because of weaknesses in the form's honor-based system, such as ambiguous definitions of "collection" and "sharing" and the failure to require apps to report data shared with "service providers," Mozilla says these self-reported privacy labels may not accurately reflect what user data is actually collected.

Regarding Google’s Data Safety labels, Jen Caltrider, project lead at Mozilla, says: “Consumers care about privacy and want to make smart decisions when they download apps. Google’s Data Safety labels are supposed to help them do that[…]Unfortunately, they don’t. Instead, I’m worried they do more harm than good.”

In one instance in the report, Mozilla notes that TikTok and Twitter both state in their Data Safety Forms that they do not share any user data with third parties, despite stating in their respective privacy policies that data is shared with third parties. “When I see Data Safety labels stating that apps like Twitter or TikTok don’t share data with third parties it makes me angry because it is completely untrue. Of course, Twitter and TikTok share data with third parties[…]Consumers deserve better. Google must do better,” says Caltrider.

In response, Google dismissed Mozilla’s study, calling its grading system arbitrary. “This report conflates company-wide privacy policies that are meant to cover a variety of products and services with individual Data safety labels, which inform users about the data that a specific app collects[…]The arbitrary grades Mozilla Foundation assigned to apps are not a helpful measure of the safety or accuracy of labels given the flawed methodology and lack of substantiating information,” says a Google spokesperson.

Apple has also been criticized for its developer-submitted privacy labels. A 2021 report from The Washington Post found that several iOS apps similarly disclosed misleading information, with some falsely claiming that they did not collect, share, or track user data.

To address these issues, Mozilla suggests that Apple and Google adopt a single standardized data privacy system across their platforms. Mozilla also urges major tech firms to shoulder more responsibility and take enforcement action against apps that fail to give accurate information about data sharing. “Google Play Store’s misleading Data Safety labels give users a false sense of security[…]It’s time we have honest data safety labels to help us better protect our privacy,” says Caltrider.

Google Blames Spanish Spyware Vendor for Exploiting Chrome, Windows, and Firefox Zero-Days

Variston IT Spyware behind an attack on Google

Variston IT, a surveillance vendor based in Barcelona, is believed to have deployed spyware on victims' devices by exploiting zero-day flaws in Google Chrome, Mozilla Firefox, and Windows, some dating back to December 2018.

Google Threat Analysis Group (TAG) researchers Clement Lecigne and Benoit Sevens said "their Heliconia framework exploits n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender, and provides all the tools necessary to deploy a payload to a target device." 

Variston has a bare-bones website on which it claims to provide tailor-made security solutions to its customers, to make custom security patches for various types of proprietary systems, and to assist law enforcement agencies in the discovery of digital information, among other services.

Google's Response 

Google said "the growth of the spyware industry puts users at risk and makes the Internet less safe, and while surveillance technology may be legal under national or international laws, they are often used in harmful ways to conduct digital espionage against a range of groups. These abuses represent a serious risk to online safety which is why Google and TAG will continue to take action against, and publish research about, the commercial spyware industry."

The vulnerabilities, which were fixed by Google, Microsoft, and Mozilla in 2021 and early 2022, are said to have been used as zero-days to help the vendor's customers deploy whatever malware they wanted on targeted systems.

What is the Heliconia framework?

Heliconia consists of three components, called Noise, Soft, and Files, which deliver exploits against vulnerabilities in Chrome, Windows, and Firefox, respectively.

Noise exploits a security flaw in Chrome's V8 JavaScript engine that was fixed in August 2021, together with an unknown sandbox escape method called "chrome-sbx-gen", to deploy the final payload (also called an agent) on selected devices.

The attack works only when the victim visits a malicious webpage designed to trap the user and trigger the first-stage exploit.

Google says it learned of the Heliconia attack framework after receiving an anonymous submission to its Chrome bug reporting program. It added that there is currently no evidence of active exploitation, suggesting the toolset has been shut down or has evolved further.

Google's blog said:

Although the vulnerabilities are now patched, we assess it is likely the exploits were used as 0 days before they were fixed.

Heliconia Noise: a web framework for deploying an exploit for a Chrome renderer bug followed by a sandbox escape

Heliconia Soft: a web framework that deploys a PDF containing a Windows Defender exploit

Files: a set of Firefox exploits for Linux and Windows.

Mental Health Apps Fail Privacy Guidelines Spectacularly, Says Mozilla

An inquiry into mental health and prayer apps revealed a troubling lack of concern for user security and privacy. Last Monday, Mozilla published the findings of new research into such apps, which mostly deal with sensitive issues like depression, anxiety, mental health awareness, PTSD, and domestic violence, as well as religion-based services. Mozilla's latest "Privacy Not Included" guide says that even though these apps handle personal information, they regularly share data, allow weak passwords, target vulnerable users via ads, and have poorly written and vague privacy policies.

In a study of 32 applications focused on mental health and religion, Mozilla identified 25 apps that failed to meet its Minimum Security Standards. These standards are the centerpiece of the Privacy Not Included reports. Unauthorized sharing and selling of user data, poor data management, weak encryption, weak password requirements, inadequate vulnerability management, and lax privacy policies can all downgrade a vendor's product under Mozilla's standards.

Apps that fail to meet these minimum standards are labeled with a "Privacy Not Included" warning tag. Mental health and healing-related applications hold a dubious distinction: in terms of protecting users' privacy and security, they are the worst in any product category Mozilla's experts have reviewed in the past six years. The examined apps include Better Help, Talkspace, Calm, 7 Cups, Glorify, Wysa, Headspace, and Better Stop Suicide.

Every one of these apps now has a dedicated page where users can learn more about its privacy and security rating. According to ZDNet, "while the app gathers some personal information and says that users can reach out to them if they have further queries, they did not respond to Mozilla's attempts at contact and did not mention who 'trusted partners' were when data sharing. Only two applications on the list, PTSD Coach and the AI chatbot Wysa seemed to take data management and user privacy seriously."

Mozilla: Most Breached Accounts Had Superhero and Disney Princess Names as Passwords

The passwords we create for our accounts are much like the key used to lock a house. The password protects the online home (account) of personal information, so having an extremely strong password is like employing a superhero in a battle of heroes and villains.

However, according to a new blog post by Mozilla, superhero-themed passwords are increasingly turning up in data breaches. Absurd as it may sound, Mozilla's research using data from haveibeenpwned.com showed that many of the most frequent passwords found in data breaches were based on the names of superheroes or Disney princesses. Such obvious passwords make it easier for attackers to hijack an account or system.

The analysis found that 368,397 breached accounts used Superman, 226,327 used Batman, and 160,030 used Spider-Man as their password. Thousands more featured Wolverine and Ironman. Research from 2019 likewise showed that 192,023 breached accounts used Jasmine and 49,763 used Aurora as their password.

There were 484,4765 breached accounts with the password ‘princess’, and some Disney+ accounts used the password ‘Disney’. Predictable passwords like these are one of the biggest factors behind account breaches and embolden attackers.

With compromised account credentials appearing ever more frequently on the dark web, a growing number of businesses are turning to passwordless solutions. Microsoft has expanded its passwordless sign-in option from Azure Active Directory (AAD) commercial clients to Microsoft accounts on Windows 10 and Windows 11 PCs.

Almost all of Microsoft's employees are passwordless, according to Vasu Jakkal, corporate vice president of the Microsoft Security, Compliance, Identity, and Management group.

"We use Windows Hello and biometrics. Microsoft already has 200 million passwordless customers across consumer and enterprise," Jakkal said. "We are going completely passwordless for Microsoft accounts. So you don't need a password at all," Jakkal added.

Although reusing passwords is common, it is highly dangerous; it happens all too frequently because it is easy and people aren't aware of the consequences. Credential stuffing attacks take advantage of reused passwords by automating login attempts against systems using known email address and password pairs. Users should change their passwords periodically and choose strong but not obvious ones.

CERT-In Alerts Mozilla Firefox Users to Update their Browsers Immediately

Mozilla Firefox users are receiving alerts from the Indian Computer Emergency Response Team (CERT-In) regarding multiple vulnerabilities in the web browser. An advisory has also been issued in this regard asking users to update their web browsers as soon as possible.

Rating the severity of the vulnerabilities as 'High' for all versions of Mozilla Firefox released before version 75 and for Mozilla Firefox ESR before version 68.7, CERT-In stated in the advisory that remote attackers can take advantage of these browser flaws to acquire sensitive data through the browser.

According to the CERT-In advisory, “Out-of-Bounds Read Vulnerability in Mozilla Firefox (CVE-2020-6821). This vulnerability exists in Mozilla Firefox due to a boundary condition when using the WebGLcopyTexSubImage method. A remote attacker could exploit this vulnerability by specially crafted web pages. Successful exploitation of this vulnerability could allow a remote attacker to disclose sensitive information.”

“Information Disclosure Vulnerability in Mozilla Firefox (CVE-2020-6824). This vulnerability exists in Mozilla Firefox to generate a password for a site but leaves Firefox open. A remote attacker could exploit this vulnerability by revisiting the same site of the victim and generating a new password. The generated password will remain the same on the targeted system,” the advisory further reads.

The aforementioned vulnerability also allows the attacker to execute 'arbitrary code' on the targeted system, letting them run any chosen command on it. According to sources, another flaw was found in the browser concerning a boundary condition in GMP Decode Data when images exceeding 4GB are processed on 32-bit builds. Exploiting this flaw requires the attacker to trick users into opening specially crafted images. Upon successful exploitation, the attacker can again execute arbitrary code on the targeted system.

A remote attacker can also take advantage of this by convincing a user to install a crafted extension, which allows the attacker to obtain sensitive information.

Apple Engineers to Standardize the Format of the SMS Messages Containing OTPs

Apple engineers working on WebKit, the core component of the Safari web browser, have proposed standardizing the format of the SMS messages containing one-time passwords (OTPs) that users receive during the two-factor authentication (2FA) login process.

The proposal has two basic goals. The first is to introduce a way for OTP SMS messages to be associated with a URL, which is done by adding the login URL inside the SMS itself.

The second is to standardize the format of 2FA/OTP SMS messages so that browsers and other mobile applications can reliably detect the incoming SMS, recognize the web domain inside the message, and then automatically extract the OTP code and complete the login without any further user interaction.

According to the new proposal, the new SMS format for OTP codes would look like below:

747723 is your WEBSITE authentication code. 
@website.com #747723 

The first line, intended for human users, lets them determine which site the SMS OTP code came from; the second line is for both human users and for applications and browsers.

Applications and browsers will automatically extract the OTP code and complete the 2FA login. If there is a mismatch and the auto-complete operation fails, human readers will be able to see the site's original URL and compare it with the site they are attempting to log in to.

If the two do not match, users are alerted that they are probably on a phishing site and should abandon their login attempt.
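The check described above, as an added example that is not code from the WebKit proposal or from this post: a parser for the "@host #code" line and the domain comparison a browser or password manager would run before auto-filling. The exact-hostname matching rule and the sample messages are assumptions.

```javascript
// Added example (not from the WebKit proposal or the article). Parses the
// origin-bound OTP SMS format: a human-readable first line, then a last line of
// the form "@<host> #<code>", and decides whether the code may be auto-filled.

// Parse an SMS body. Returns { host, code } when the last line follows the
// machine-readable "@host #code" form, or null otherwise (legacy messages).
function parseOtpSms(body) {
  const lines = body.trim().split(/\r?\n/);
  const last = lines[lines.length - 1].trim();
  const match = /^@([a-z0-9.-]+)\s+#(\S+)$/i.exec(last);
  if (!match) return null;
  return { host: match[1].toLowerCase(), code: match[2] };
}

// Decide what to do with an incoming SMS for the page currently at pageUrl.
//   { action: "autofill", code }                  SMS host equals the page's hostname
//   { action: "warn", expectedHost, actualHost }  mismatch: likely a phishing page
//   { action: "ignore" }                          not in the machine-readable format
// Exact hostname equality is an assumption of this example, not the proposal's rule.
function decideAutofill(smsBody, pageUrl) {
  const parsed = parseOtpSms(smsBody);
  if (!parsed) return { action: "ignore" };
  const actualHost = new URL(pageUrl).hostname.toLowerCase();
  if (actualHost === parsed.host) {
    return { action: "autofill", code: parsed.code };
  }
  // Lookalike hosts such as "website.com.evil.example" land here: the user is
  // shown the host named in the SMS beside the page's real host, and nothing is filled.
  return { action: "warn", expectedHost: parsed.host, actualHost };
}

// Constructed sample messages: the first follows the proposed format (taken from
// the article's example), the second is a legacy message with no machine-readable line.
const SAMPLE_SMS = "747723 is your WEBSITE authentication code.\n@website.com #747723";
const LEGACY_SMS = "Your code is 123456";

console.log(decideAutofill(SAMPLE_SMS, "https://website.com/login"));
// { action: 'autofill', code: '747723' }
console.log(decideAutofill(SAMPLE_SMS, "https://website.com.evil.example/login"));
// { action: 'warn', expectedHost: 'website.com', actualHost: 'website.com.evil.example' }
console.log(decideAutofill(LEGACY_SMS, "https://website.com/login"));
// { action: 'ignore' }
```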

Once browsers ship support for reading SMS OTP codes in the new format, major providers of SMS OTP codes are expected to switch to it. Twilio has already expressed interest in implementing the new format for its SMS OTP services.

For now, while Apple (WebKit) and Google (Chromium) engineers are enthusiastic about the proposal, Mozilla (Firefox) has not yet given official feedback on the standard.

Mozilla advises its users to update their web browser to fix a critical vulnerability

Mozilla has issued a warning asking users to upgrade their Firefox web browser after the company found critical vulnerabilities.

The company issued an advisory on Tuesday, 18 June 2019, detailing security vulnerabilities fixed in Firefox 67.0.3 and Firefox ESR 60.7.1.

The advisory described the flaw as follows: “A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash.”

It further read, “We are aware of targeted attacks in the wild abusing this flaw.” The company has marked the update as ‘critical’.

According to reports, the bug is classified as critical because it allows remote attackers to execute code on your machine without your permission.


The bug was spotted for the first time by Samuel Groß, who is reportedly a security researcher with Google Project Zero and Coinbase Security.

Mozilla Fixes Actively Exploited Zero-Day Flaw with Firefox 67.0.3

Mozilla has fixed the Firefox and Firefox ESR zero-day vulnerabilities with the release of its latest versions, Firefox 67.0.3 and Firefox ESR 60.7.1. These flaws were actively exploited by attackers to remotely execute arbitrary code on the systems of users running vulnerable versions of the browser.

The zero-day flaw, tracked as CVE-2019-11707, occurs when JavaScript objects are manipulated because of issues in Array.pop. Before Mozilla released the patch, attackers could trigger it by tricking users of vulnerable versions of the browser into visiting a malicious web address designed to take control of the affected system and execute arbitrary code on it.

According to Mozilla's security advisory, the browser developers are "aware of targeted attacks in the wild abusing this flaw", which could allow attackers to take over affected machines.

The vulnerabilities were reported to Mozilla by the Coinbase Security team and Samuel Groß of Google Project Zero. As a security measure, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory urging users "to review the Mozilla Security Advisory for Firefox 67.0.3 and Firefox ESR 60.7.1 and apply the necessary updates."

Commenting on the matter, Groß tweeted, “The bug can be exploited for RCE [remote code execution] but would then need a separate sandbox escape.”

“However, most likely it can also be exploited for UXSS [universal cross-site scripting] which might be enough depending on the attacker’s goals,” he added.

Mozilla released a similar emergency patch, Firefox 50.0.2 and 45.5.1 ESR, in 2016. Back then, the flaw was exploited by cybercriminals to de-anonymize Tor Browser users and harvest their private data, such as MAC addresses, hostnames, and IP addresses.