Mozilla Fixes Actively Exploited Zero-Day Flaw with Firefox 67.0.3



Mozilla has fixed the Firefox and Firefox ESR zero-day vulnerabilities with the release of its latest versions, Firefox 67.0.3 and Firefox ESR 60.7.1. These flaws were rampantly exploited by hackers to remotely execute arbitrary code on the systems of users running vulnerable versions of the browser.
The zero-day flaw, tracked as CVE-2019-11707, is triggered when JavaScript objects are manipulated, because of issues in Array.pop. Before Mozilla released the patch, hackers could launch the attack by luring users of vulnerable browser versions to a malicious web address designed to take control of the affected systems and, consequently, execute arbitrary code on the machines.
According to Mozilla's security advisory, the browser developers are "aware of targeted attacks in the wild abusing this flaw," which could allow hackers who exploit this zero-day to take over the affected machines.
As a security measure against the Firefox and Firefox ESR zero-day vulnerabilities, which were reported to Mozilla by the Coinbase Security team and Samuel Groß of Google Project Zero, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued advice urging users "to review the Mozilla Security Advisory for Firefox 67.0.3 and Firefox ESR 60.7.1 and apply the necessary updates."
Commenting on the matter, Groß tweeted, “The bug can be exploited for RCE [remote code execution] but would then need a separate sandbox escape,” 
“However, most likely it can also be exploited for UXSS [universal cross-site scripting] which might be enough depending on the attacker’s goals.” he added. 
Mozilla released a similar emergency patch, Firefox 50.0.2 and 45.5.1 ESR, in 2016. Back then, the flaw was exploited by cybercriminals to de-anonymize Tor Browser users and collect their private data such as MAC addresses, hostnames, and IP addresses.


Firefox update fixes critical security vulnerability

Firefox 66.0.1 has been released with a fix for critical security vulnerabilities that were discovered via Trend Micro's Zero Day Initiative. The vulnerabilities affect all versions of Firefox below 66.0.1.

An attacker could exploit these vulnerabilities to take complete control of the target system or process.

CVE-2019-9810: Incorrect alias information

Incorrect alias information with IonMonkey JIT compiler for Array.prototype.slice leads to missing bounds check and a buffer overflow.

Bounds checking is a method of verifying that a variable, such as an array index, lies within its bounds before it is used. A failed bounds check throws an exception, whereas a missing check lets out-of-bounds accesses through and results in security vulnerabilities.

CVE-2019-9813: IonMonkey type confusion with proto mutations

Mishandling of proto mutations leads to a type confusion vulnerability in IonMonkey JIT code.

A type confusion vulnerability occurs when code doesn't verify the type of the object passed to it and blindly uses it without type-checking.

By exploiting this vulnerability an attacker can execute arbitrary commands or code on a target machine or in a target process without user interaction.

This vulnerability was discovered by independent researcher Niklas Baumstark, who targeted Mozilla Firefox with a sandbox escape in the Trend Micro Zero Day Initiative contest. He successfully demonstrated the JIT bug in Firefox and earned $40,000 for it.

In the Pwn2Own 2019 contest, researchers exploited multiple bugs in products from leading providers such as Edge, Mozilla Firefox, Windows and VMware, and earned $270,000 USD in a single day by submitting 9 unique zero-day exploits.

The Firefox bug was demonstrated on the second day of the contest by the Fluoroacetate team and individual security researcher Niklas Baumstark.
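
An added example (not from either post or from Mozilla): a Python check that flags Firefox builds lacking the fixes named in the two posts above, using only the fixed versions they state (66.0.1, 67.0.3 and ESR 60.7.1). The function names, hostnames and inventory rows are constructed for illustration; the banners follow the format printed by `firefox --version`.

```python
import re

# Fixed versions exactly as stated in the two posts above; nothing else is assumed.
FIXES = [
    # (channel, first fixed version, what the fix addresses)
    ("release", (66, 0, 1), "CVE-2019-9810 / CVE-2019-9813"),
    ("release", (67, 0, 3), "CVE-2019-11707"),
    ("esr",     (60, 7, 1), "CVE-2019-11707"),
]

# Matches banners such as "Mozilla Firefox 67.0.2" or "Mozilla Firefox 60.7.0esr".
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?\b", re.IGNORECASE)


def parse_version(banner):
    """Return (channel, (major, minor, patch)), or None if unparseable."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, esr = m.groups()
    channel = "esr" if esr else "release"
    # A missing patch component ("66.0") is treated as 0.
    return channel, (int(major), int(minor), int(patch or 0))


def missing_fixes(banner):
    """List the fixes from the posts that this build does not yet contain."""
    parsed = parse_version(banner)
    if parsed is None:
        # Fail loudly: an unparseable banner must not be reported as patched.
        raise ValueError(f"cannot parse Firefox version from {banner!r}")
    channel, version = parsed
    return [cves for ch, fixed, cves in FIXES if ch == channel and version < fixed]


if __name__ == "__main__":
    # Constructed inventory rows (hostnames are made up for this example).
    inventory = {
        "ws-01": "Mozilla Firefox 66.0",
        "ws-02": "Mozilla Firefox 67.0.2",
        "ws-03": "Mozilla Firefox 67.0.3",
        "srv-01": "Mozilla Firefox 60.7.0esr",
        "srv-02": "Mozilla Firefox 60.7.1esr",
    }
    for host, banner in inventory.items():
        gaps = missing_fixes(banner)
        status = "UPDATE: " + ", ".join(gaps) if gaps else "ok"
        print(f"{host:7} {banner:28} {status}")
```

Release and ESR builds are compared only against their own channel's fixed version, since ESR version numbers are not comparable with release numbers.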