This article originally appeared in Tech News World on June 20, 2019.
Mozilla is urging users of its Firefox browsers to update them immediately to fix a critical zero-day vulnerability. Anyone using Firefox on a Windows, macOS or Linux desktop is at risk.
The vulnerability, CVE-2019-11707, is a type confusion bug in Array.pop. It has been patched in Firefox 67.0.3 and Firefox ESR 60.7.1.
Mozilla announced the patch Tuesday, but the vulnerability had been discovered and reported to Mozilla by Samuel Groß of Google Project Zero on April 15.
Mozilla shipped the fix after digital currency exchange Coinbase reported that the vulnerability was being exploited in targeted spearphishing attacks.
“On Monday, June 17, 2019, Coinbase reported a vulnerability used as part of targeted attacks for a spear phishing campaign,” Selena Deckelmann, senior director, Firefox Browser Engineering, told TechNewsWorld. “In less than 24 hours, we released a fix for the exploit.”
The Significance of the Coinbase Hack
Hackers have been going after cryptocurrency with a vengeance. There have been as many attacks in the first half of this year as there were through the whole of last year, according to Cointelegraph.
So far this year, tens of millions of dollars’ worth of cryptocurrencies have been stolen from exchanges, Cointelegraph said.
Cybercriminals stole nearly one billion dollars’ worth of cryptocurrency by Q3 last year, Ciphertrace reported.
The attack on Coinbase is in keeping with the trend.
The exchange has been targeted repeatedly. In 2018, a string of hacks cost it more than 40 bitcoins.
In January, Coinbase temporarily froze all trading on Ethereum Classic after it detected an attack on the cryptocurrency’s network.
A “51 percent attack” is one in which an attacker controls a majority of a proof-of-work network’s mining power and can rewrite recent blocks to double-spend coins, typically by depositing them at an exchange and then reversing the deposit; the Ethereum Classic freeze was a response to one. Spearphishing an exchange’s staff does not by itself confer mining power, so whether the Firefox campaign was connected to such an attack is unclear.
David Vorick, cofounder of the blockchain-based file storage platform Sia, declared 2019 the year of the 51 percent attack.
Technical Details of the Flaw
A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop, Mozilla said.
An array in JavaScript is an ordered collection of values held under a single variable: elements are read and written by numeric index, and a length property tracks how many there are. Developers reach for it whenever they need to keep a list of items and work with them through one name.
A type, or data type, is an attribute of data that tells the compiler or interpreter how the programmer intends to use the data. It constrains the values an expression such as a variable or function call can take, and it defines which operations can be carried out on the data, what the data means, and how values of that type are laid out in memory.
Type confusion occurs when a program allocates or initializes a resource, such as an object, pointer or variable, as one type but later accesses it as another, incompatible type. That triggers logic errors because the resource does not have the properties the code expects. In a JavaScript engine the dangerous form is compiled code that assumes an object has a particular layout, or that a value has a particular type, and reads or writes memory on that assumption when the object or value is actually something else; the mismatch becomes an out-of-bounds access, and from there it can lead to code execution.
The pop() method removes the last element from an array, returns that element, and decrements the array’s length by one. On an empty array it returns undefined and leaves the length at zero, so the value pop() hands back is not necessarily of the same type as the elements the array held.
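As an added illustration (this is not code from the article, from Mozilla or from SpiderMonkey, and it is not the mechanism of the Firefox bug itself), the following JavaScript re-implements Array.prototype.pop by the ECMA-262 algorithm and exercises the cases an engine’s optimized fast path cannot assume away: a generic, non-array receiver; the empty array, where the result is undefined rather than an element; and user code running in the middle of the operation. The function names (specPop, popNumber, the demo helpers) and the sample objects are this example’s own.

```javascript
// Added example: a spec-style Array.prototype.pop (ECMA-262 algorithm), not
// SpiderMonkey code and not the CVE-2019-11707 bug. All names are this
// example's own assumptions.

// LengthOfArrayLike: ToIntegerOrInfinity(value) clamped to [0, 2^53 - 1].
function toLength(value) {
  const n = Math.trunc(Number(value));
  if (Number.isNaN(n) || n <= 0) return 0;
  return Math.min(n, Number.MAX_SAFE_INTEGER);
}

// Set(O, P, V, true): a write that fails (frozen object, non-writable
// property, refusing setter) must throw rather than silently continue.
function setOrThrow(O, key, value) {
  if (!Reflect.set(O, key, value)) {
    throw new TypeError(`Cannot assign to property "${key}"`);
  }
}

// Array.prototype.pop, written as the specification defines it: purely in
// terms of property reads, deletes and writes on whatever object it is handed.
function specPop(receiver) {
  // 1. O = ToObject(this value): throws on null/undefined, boxes primitives.
  if (receiver === null || receiver === undefined) {
    throw new TypeError("Array.prototype.pop called on null or undefined");
  }
  const O = Object(receiver);
  // 2. len = LengthOfArrayLike(O). This is a property read, so on an exotic
  //    object or a Proxy it can already run user code.
  const len = toLength(O.length);
  // 3. Empty receiver: set length to 0 and return undefined.
  if (len === 0) {
    setOrThrow(O, "length", 0);
    return undefined;
  }
  // 4. Otherwise read, delete and shrink. The Get may invoke a getter or a
  //    Proxy trap; anything computed about O before this point can be stale.
  const newLen = len - 1;
  const index = String(newLen);
  const element = O[index];                       // Get(O, index)
  if (!Reflect.deleteProperty(O, index)) {        // DeletePropertyOrThrow
    throw new TypeError(`Cannot delete property "${index}"`);
  }
  setOrThrow(O, "length", newLen);                // Set(O, "length", newLen, true)
  return element;
}

// Demo 1: an ordinary array. Result is the last element; length shrinks by one.
function demoArray() {
  const a = [10, 20, 30];
  const popped = specPop(a);
  return { popped, rest: a.slice(), length: a.length };
}

// Demo 2: pop is generic. Any object with a numeric "length" works.
function demoArrayLike() {
  const o = { length: 2, 0: "a", 1: "b" };
  const popped = specPop(o);
  return { popped, length: o.length, stillHas1: Object.prototype.hasOwnProperty.call(o, "1") };
}

// Demo 3: the empty array. The result is undefined whatever element type the
// array held before; a consumer that trusts "this array holds numbers, so pop
// returns a number" makes exactly the assumption the text calls type confusion.
function demoEmpty() {
  const a = [];
  const popped = specPop(a);
  return { popped, isUndefined: popped === undefined, length: a.length };
}

// Demo 4: user code in the middle of the operation. A getter on the last index
// rewrites the receiver while pop is running; the algorithm still performs its
// own delete and length update on the mutated object afterwards.
function demoGetterSideEffect() {
  const trace = [];
  const o = { length: 3, 0: 1, 1: 2 };
  Object.defineProperty(o, "2", {
    configurable: true,
    get() {
      trace.push("getter ran during Get");
      o.length = 0;            // shrink while pop is in progress
      o[0] = "changed";        // and change an element's type
      return "from getter";
    },
  });
  const popped = specPop(o);
  return {
    popped,
    trace,
    length: o.length,          // 2: step 4 re-sets length after the getter ran
    slot0: o[0],
    stillHas2: Object.prototype.hasOwnProperty.call(o, "2"),
  };
}

// A consumer that checks the result's type instead of assuming it.
function popNumber(arr) {
  const v = specPop(arr);
  if (typeof v !== "number") {
    throw new TypeError(`expected a number from pop, got ${typeof v}`);
  }
  return v;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demoArray(), demoArrayLike(), demoEmpty(), demoGetterSideEffect());
}
```

Run it with node; each demo returns its results rather than printing them. The point is that the language specification defines pop purely in terms of property reads, deletes and writes on whatever object it is given, so neither the type of the returned value nor the receiver’s layout after the call is knowable in advance. An engine that compiles a specialized version of pop for arrays of a known element type has to guard every such assumption and discard it whenever user code can run in between; type confusion is what results when one of those guards is missing or wrong.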
“Array.pop is usually used with Array.push to delete and add new values to the array by developers,” remarked Usman Rahim, digital security and operations manager at The Media Trust.
“This technique is also used by many malicious actors to shuffle obfuscated malicious code during execution,” he told TechNewsWorld.
The Threat Level
Groß said the flaw can be exploited for remote code execution (RCE) and for universal cross-site scripting (UXSS). RCE from a bug in the browser’s content process lands inside Firefox’s sandbox, so reaching the underlying system takes a separate sandbox escape; UXSS needs no escape, because it abuses the browser’s own access to other sites’ pages and data from within the browser.
Both techniques have been used widely in past attacks.
RCE “will have the user at an attacker’s mercy by thoroughly compromising the application and the Web server,” Rahim said. Sophisticated attackers who know what they are looking for “can deal a severe blow.”
UXSS is just as dangerous because it opens gates for attackers to inject malicious code and bypass or disable the browser’s security features, he noted. It “can also be used as a first step to disable security in conjunction with other attacks.”
Most exploits reported “are theoretical without evidence of active use,” said Rob Enderle, principal analyst at the Enderle Group.
“This one has evidence of active use, meaning it’s known and already people are taking advantage of it,” he told TechNewsWorld.
“Given it was used in an attack, it’s very dangerous, but it has been fixed,” Enderle said. “This showcases that keeping your software products, particularly browsers, patched and up to date is incredibly important. Patching remains your best defense.”