Coinbase Security and Samuel Groß, a security researcher with Google, discovered a zero-day exploit for the Mozilla Firefox browser that uses JavaScript objects to cause type confusion. This exploit, tracked as CVE-2019-11707, was seen “in the wild” specifically targeting cryptocurrency users.
“Zero-day exploit” is a term used for critical vulnerabilities that are found for the first time, and it is crucial for teams to act quickly and release patches. It is equally crucial for browser users to download the patch and update their browsers. Firefox has rated this exploit in its highest category: “Critical Impact – Vulnerability can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.”
The last Firefox zero-day exploit was back in 2016, which makes such exploits quite rare for Mozilla’s flagship browser. Not much has been shared about the exploit itself, most likely due to its sensitive nature and to keep more malicious hackers from using it. However, we do know that this exploit can cause a type confusion in JavaScript when manipulating objects due to issues in Array.pop, causing an exploitable crash, as reported by Mozilla engineers in a security advisory today.
Earlier today the Mozilla team released a patch in Firefox version 67.0.3. Again, it is critical that all Firefox users, whether cryptocurrency users or not, update their browsers as soon as possible.
(Like now, yes you.)
Also published on Medium.