[ALERT CERT] – Critical Vulnerability in the Firefox Browser

Nicolas Besse Alerte CERT

Context

Mozilla has released Firefox 67.0.3 and Firefox ESR 60.7.1 to stop a wave of cyber-attacks exploiting a new “zero-day” vulnerability. The vulnerability was discovered and reported by Google Project Zero researcher Samuel Groß and the Coinbase security team; it affects the Firefox browser by allowing remote control of machines running a vulnerable version of Firefox.

CVE-2019-11707

Criticality

The Devoteam CERT team rates the severity of this vulnerability as critical (due to the large number of vulnerable machines).

Description

This vulnerability is exploitable on all Firefox Desktop versions for Windows, macOS and Linux; the mobile versions (Android, iOS) are not affected.

It allows an unauthenticated attacker to remotely execute code on (RCE: remote code execution), and thereby control, target machines running a vulnerable version of Firefox.

The vulnerability is a type confusion in Mozilla Firefox: an object is manipulated without its type being checked, which leads to an exploitable crash in the Array.pop method (the method that removes and returns the last element of an array).

An attacker can craft a custom web page, lure a victim into visiting it and use the type confusion to execute arbitrary code on the victim’s computer. Depending on the privileges of the affected user, the attacker can then install programs, modify or delete data, or create new accounts.

Apart from this short description on the Mozilla website, no other details about the vulnerability or potential attacks are currently available. However, given the team that reported it, it can be assumed that the vulnerability was exploited in attacks targeting cryptocurrency holders.

Solution

By default, Firefox installs updates automatically when they are available and the browser is started. As a precaution, the Devoteam CERT recommends always applying the principle of least privilege on services and applying the proposed patches by manually checking for updates or updating Firefox to its latest version (Firefox 67.0.3 or higher, or 60.7.1 for users of the Extended Support Release program).
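For an organisation that cannot rely on every workstation having auto-updated, the practical follow-up to this recommendation is to triage a software inventory against the fixed versions. The script below is an added example written for this alert; it is not code from Devoteam CERT or Mozilla. It applies only the facts the alert states (desktop Firefox on Windows, macOS and Linux is affected; Android and iOS are not; the fixed versions are Firefox 67.0.3 and Firefox ESR 60.7.1) and assumes the inventory exposes, per host, a platform name and the version string Firefox reports (ESR builds carry an `esr` suffix such as `60.7.1esr`). The hostnames and version strings in `SAMPLE_INVENTORY` are constructed sample data.

```python
"""Triage a host inventory for CVE-2019-11707 (Firefox type confusion in Array.pop).

Added example, not code from the Devoteam CERT alert or from Mozilla. Fixed
versions and affected platforms are those named in the alert; the inventory
rows at the bottom are constructed sample data, not real hosts.
"""
import re
from typing import List, Tuple

# Minimum patched version per channel, as stated in the alert.
FIXED_RELEASE = (67, 0, 3)
FIXED_ESR = (60, 7, 1)

# Platforms the alert lists as affected (desktop only; Android/iOS are not).
AFFECTED_PLATFORMS = {"windows", "macos", "linux"}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '67.0.3', '67.0' or 'Mozilla Firefox 60.7.1esr' into a 3-tuple.

    Missing minor/patch components are treated as 0 so '67.0' compares as 67.0.0.
    """
    m = re.search(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    major, minor, patch = (int(g) if g else 0 for g in m.groups())
    return (major, minor, patch)


def is_esr(text: str) -> bool:
    """ESR builds identify themselves with an 'esr' suffix, e.g. '60.7.1esr'."""
    return "esr" in text.lower()


def is_vulnerable(version_text: str) -> bool:
    """True if the version is older than the fixed version for its channel.

    An ESR build is compared against 60.7.1, anything else against 67.0.3.
    A 60.x build without the 'esr' marker is therefore judged on the release
    threshold and flagged, which errs on the side of patching.
    """
    v = parse_version(version_text)
    return v < (FIXED_ESR if is_esr(version_text) else FIXED_RELEASE)


def triage(rows: List[Tuple[str, str, str]]) -> List[str]:
    """Return the hostnames that run an affected, unpatched Firefox.

    rows: (hostname, platform, Firefox version string). Mobile platforms are
    skipped because the alert states they are not affected.
    """
    return [
        host
        for host, platform, version in rows
        if platform.lower() in AFFECTED_PLATFORMS and is_vulnerable(version)
    ]


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = [
    ("ws-001", "windows", "67.0.2"),                 # release, unpatched
    ("ws-002", "windows", "67.0.3"),                 # release, patched
    ("mac-010", "macos", "Mozilla Firefox 66.0.5"),  # older release, unpatched
    ("lnx-020", "linux", "60.7.0esr"),               # ESR, unpatched
    ("lnx-021", "linux", "60.7.1esr"),               # ESR, patched
    ("lnx-022", "linux", "60.8.0esr"),               # newer ESR, patched
    ("phone-1", "android", "67.0"),                  # mobile, not affected
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: update Firefox to 67.0.3 / ESR 60.7.1 or later")
```

Run against the sample inventory, `triage` returns `ws-001`, `mac-010` and `lnx-020`; the patched hosts and the Android device are left alone. In a real deployment the rows would come from the endpoint-management export rather than the inline list.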

References

https://www.mozilla.org/en-US/security/advisories/mfsa2019-18/

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11707