Firefox Releases Critical Patch Update to Stop Ongoing Zero-Day Attacks

2019-06-19 02:59:00
The Hacker News
thehackernews.com

CVSS3: 8.8 High (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: REQUIRED; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH

CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Access Vector: NETWORK; Access Complexity: LOW; Authentication: NONE; Confidentiality Impact: PARTIAL; Integrity Impact: PARTIAL; Availability Impact: PARTIAL

EPSS: 0.772 High (Percentile: 97.9%)


**Important Update [21 June 2019]:** Mozilla on Thursday released another update, Firefox version 67.0.4, to patch a second zero-day vulnerability.

If you use the Firefox web browser, you need to update it right now.

Mozilla earlier today released Firefox 67.0.3 and Firefox ESR 60.7.1 versions to patch a critical zero-day vulnerability in the browsing software that hackers have been found exploiting in the wild.

Discovered and reported by Samuel Groß, a cybersecurity researcher at Google Project Zero, the vulnerability could allow attackers to remotely execute arbitrary code on machines running vulnerable Firefox versions and take full control of them.

The vulnerability, identified as CVE-2019-11707, affects anyone who uses Firefox on desktop (Windows, macOS, and Linux), while Firefox for Android, iOS, and Amazon Fire TV are not affected.

According to Mozilla's advisory, the flaw is a type confusion vulnerability: when manipulating JavaScript objects, issues in Array.pop can lead to an exploitable crash.

At the time of writing, neither the researcher nor Mozilla has yet released any further technical details or proof-of-concept for this flaw.

Though Firefox automatically installs the latest updates and activates the new version after a restart, users are still advised to verify that they are running Firefox 67.0.3 or later, or Firefox ESR (Extended Support Release) 60.7.1 or later.
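A quick way to audit a fleet is to compare the installed version string against the patched floors the article gives. The script below is an added example, not code from the article or from Mozilla; it assumes that `firefox --version` prints `Mozilla Firefox X.Y.Z`, with an `esr` suffix on ESR builds, and takes the floors 67.0.3 (mainline) and 60.7.1 (ESR) from the text above. Raise `MAINLINE_FLOOR` to 67.0.4 if you also want to cover the second zero-day mentioned in the update at the top of the article.

```shell
#!/bin/sh
# Added example (not from the article): decide whether a Firefox build is at or
# above the versions Mozilla shipped for CVE-2019-11707.
# Floors are taken from the article text; the "esr" suffix convention is an
# assumption about the output of `firefox --version`.
MAINLINE_FLOOR="67.0.3"
ESR_FLOOR="60.7.1"

# vercmp A B: prints -1, 0 or 1 comparing dotted numeric versions component by
# component (a missing component counts as 0, so 68.0 is treated as 68.0.0).
vercmp() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; y="${b%%.*}"
    [ "$a" = "$x" ] && a="" || a="${a#*.}"
    [ "$b" = "$y" ] && b="" || b="${b#*.}"
    x="${x:-0}"; y="${y:-0}"
    if [ "$x" -lt "$y" ]; then echo -1; return; fi
    if [ "$x" -gt "$y" ]; then echo 1; return; fi
  done
  echo 0
}

# firefox_patched "<output of firefox --version>"
# Exit status 0 = at or above the floor for its branch, 1 = needs updating,
# 2 = the string could not be parsed as a Firefox version.
firefox_patched() {
  raw="$1"
  # Extract the numeric version; drops the "Mozilla Firefox " prefix and any
  # trailing "esr" marker.
  ver=$(printf '%s' "$raw" | sed -n 's/.*Firefox \([0-9][0-9.]*\).*/\1/p')
  [ -n "$ver" ] || return 2
  # ESR tracks its own branch (60.x), so it gets its own floor; comparing an
  # ESR build against the mainline floor would flag every ESR install.
  case "$raw" in
    *esr*) floor="$ESR_FLOOR" ;;
    *)     floor="$MAINLINE_FLOOR" ;;
  esac
  [ "$(vercmp "$ver" "$floor")" -ge 0 ]
}

# Stand-alone usage on the local machine (skipped if firefox is not installed).
if command -v firefox >/dev/null 2>&1; then
  if firefox_patched "$(firefox --version)"; then
    echo "Firefox is at or above the patched floor"
  else
    echo "Firefox needs updating for CVE-2019-11707"
  fi
fi
```

The branch check matters in practice: a naive string or numeric comparison against 67.0.3 would report every ESR 60.x installation as vulnerable, including the patched 60.7.1.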

Update

The researcher later today shared a few more details about the flaw with The Hacker News, saying the reported flaw primarily leads to Universal Cross-site Scripting (UXSS) attacks, but if combined with a sandbox escape issue, it could also allow attackers to execute arbitrary code remotely on targeted systems.

“I don’t have any insights into the active exploitation part. I found and then reported the bug on April 15. The first public fix then landed about a week ago (sec fixes are held back until close to the next release),” Groß said on Twitter.

“The bug can be exploited for RCE but would then need a separate sandbox escape. However, most likely it can also be exploited for UXSS which might be enough depending on the attacker’s goals.”

