Firefox Users Warned to Patch Critical Flaw

June 20, 2019

Firefox Users Warned to Patch Critical Flaw
Firefox Users Warned to Patch Critical Flaw
featured image

Original Source: Tech News World

Article URL: https://www.technewsworld.com/story/86090.html

This article originally appeared in Tech News World on June 20, 2019.

Mozilla is urging users of its Firefox browsers to update them immediately to fix a critical zero-day vulnerability. Anyone using Firefox on a Windows, macOS or Linux desktop is at risk.

The vulnerability, CVE-2019011707, is a type confusion in Array.pop. It has been patched in Firefox 67.0.3 and Firefox ESR 60.7.1.

Mozilla announced the patch Tuesday, but the vulnerability was discovered by Samuel Groß of Google Project Zero on April 15.

Mozilla implemented the fix after digital currency exchange Coinbase reported exploitation of the vulnerability for targeted spearphishing attacks.

“On Monday, June 17, 2019, Coinbase reported a vulnerability used as part of targeted attacks for a spear phishing campaign,” Selena Deckelmann, senior director, Firefox Browser Engineering, told TechNewsWorld. “In less than 24 hours, we released a fix for the exploit.”

The Significance of the Coinbase Hack

Hackers have been going after cryptocurrency with a vengeance. There have been as many attacks in the first half of this year as there were through the whole of last year, according to Cointelegraph.

So far this year, tens of millions of dollars’ worth of cryptocurrencies been stolen have from exchanges, Cointelegraph said.

Cybercriminals stole nearly one billion dollars’ worth of cryptocurrency by Q3 last year, Ciphertrace reported.

The attack on Coinbase is in keeping with the trend.

The exchange has been targeted repeatedly. In 2018, astring of hacks cost it more than 40 bitcoins.

In January, Coinbase temporarily froze all trading on Ethereum Classic after it detected an attack on the cryptocurrency’s network.

The spearphishing attacks could be an attempt to gain control of the majority of a blockchain network’s power, in what’s called a ” 51 percent attack.”

David Vorick, cofounder of blockchain-based file storaeg platform SIA declared 2019 the year of the 51 percent attack.

Technical Details of the Flaw

A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop, Mozilla said.

An array in JavaScript is a single variable used to store multiple elements. It often is used when devs want to store a list of elements and access them with a single variable.

A type, or data type, is an attribute of data that tells the compiler or interpreter how the programmer intends to use the data. It constrains the values that an expression such as a variable or a function might take, defining the operations that can be carried out on the data, the meaning of the data, and the way values of that type can be stored.

Type confusion occurs when a program uses one type to allocate or initialize a resource, such as an object, pointer or variable, but later uses another type that is incompatible with the first to access that resource. That can trigger logical errors because the resource does not have the expected properties. In some cases, it can lead to code execution.

The pop() method removes the last element from an array, returns that element, and changes the array’s length.

“Array.pop is usually used with Array.push to delete and add new values to the array by developers,” remarked Usman Rahim, digital security and operations manager at The Media Trust.

“This technique is also used by many malicious actors to shuffle obfuscated malicious code during execution,” he told TechNewsWorld.

The Threat Level

Groß said the flaw can be exploited for remote code execution (RCE) and for universal cross-site scripting (UXSS).

Both methods have been used widely in past hack attacks.

RCE “will have the user at an attacker’s mercy by thoroughly compromising the application and the Web server,” Rahim said. Sophisticated attackers who know what they are looking for “can deal a severe blow.”

UXSS is just as dangerous because it opens gates for attackers to inject malicious code and bypass or disable the browser’s security features, he noted. It “can also be used as a first step to disable security in conjunction with other attacks.”

Most exploits reported “are theoretical without evidence of active use,” said Rob Enderle, principal analyst at the Enderle Group.

“This one has evidence of active use, meaning it’s known and already people are taking advantage of it,” he told TechNewsWorld.

“Given it was used in an attack, it’s very dangerous, but it has been fixed,” Enderle said. “This showcases that keeping your software products, particularly browsers, patched and up to date is incredibly important. Patching remains your best defense.”

Related Content

Canada’s Foreign Ministry Hacked

In the News

Nothing quite gets the public's attention like a broken website. It's even worse if that site provides government services.…

Instagram flaw shows the importance of managing third-party apps, images

In the News

According to Chris Olson, CEO, "What I worry about more is that most companies are focused on protecting their…

Response Comment: Google Docs Down

In the News

Mike Bitter, Associate Director of Digital Security Operations, discusses the risk posed by outsourced or externally developed code.

Be in the know

Subscribe to our newsletter

"*" indicates required fields