Mozilla has fixed the Firefox and Firefox ESR
zero-day vulnerabilities with the release of its latest versions, Firefox
67.0.3 and Firefox ESR 60.7.1. These flaws were rampantly exploited by the
hackers to remotely execute arbitrary code onto the systems of the users who ran
vulnerable versions of the Browser.
The zero-day flaw tracked as CVE-2019-11707 takes
place when JavaScript objects are manipulated because of the issues in
Array.pop; before Mozilla came up with the patch, hackers could set off the
attack by misguiding users using vulnerable versions of the browser to visit a
malicious web address which is designed to take control of the infected systems
and consequently, execute arbitrary code onto the machines.
Referencing from the statements given by security
advisory of Mozilla, the Browser developers are "aware of targeted attacks
in the wild abusing this flaw" that could allow hackers who take advantage
of this zero-day flaw to take over the affected machines.
As a security measure against the Firefox and Firefox ESR zero-day
vulnerabilities which were reported to Mozilla by Coinbase Security team and
Samuel Groß from Google Project
Zero, the
U.S. Cybersecurity and Infrastructure Security Agency (CISA) put forth an advise suggesting users "to review the
Mozilla Security Advisory for Firefox 67.0.3 and Firefox ESR 60.7.1 and apply
the necessary updates."
Commenting on the matter, Groß tweeted, “The bug can be
exploited for RCE [remote code execution] but would then need a separate
sandbox escape,”
“However, most likely it can also be exploited for UXSS
[universal cross-site scripting] which might be enough depending on the
attacker’s goals.” he added.
Mozilla has released a similar emergency patch, Firefox
50.0.2 and 45.5.1 ESR, earlier in 2016 as well. Back in 2016, the flaw was
exploited by cybercriminals to de-anonymize Tor Browser users and
accumulate their private data such as MAC addresses, hostnames, and IP addresses.
