CRITICAL 0-day active in the wild

Update Firefox ASAP

         

iamlost

2:56 am on Jun 19, 2019 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



If you are running the Firefox browser there is a CRITICAL 0-day active in the wild.
Please update as soon as practicable.

* Mozilla Foundation Security Advisory 2019-18 [mozilla.org]

Security vulnerabilities fixed in Firefox 67.0.3 and Firefox ESR 60.7.1

Announced: June 18, 2019
Impact: critical
Products: Firefox, Firefox ESR
Fixed in Firefox 67.0.3, Firefox ESR 60.7.1

CVE-2019-11707: Type confusion in Array.pop
Reporter: Samuel Groß of Google Project Zero, Coinbase Security
Impact: critical

Description: a type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw.

tangor

3:28 am on Jun 19, 2019 (gmt 0)




Side note: Also affects Thunderbird ...... so do both!

tangor

3:32 am on Jun 19, 2019 (gmt 0)




My bad! The t-bird was yesterday ... slightly different beast!

You are returned to your regularly scheduled programming.

engine

8:16 am on Jun 19, 2019 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Thanks, that was a quick and easy update to fix.

ken_b

11:19 pm on Jun 19, 2019 (gmt 0)




Thanks for the alert. Updated both, easy as could be.

JS_Harris

12:39 am on Jun 20, 2019 (gmt 0)




Reality: There are probably several "0-day in the wild" type exploits going on that are not yet known or discussed.

"We are aware of targeted attacks in the wild abusing this flaw."


That right there is what I'd like to know more about, HOW would they be aware of other people's computers having been compromised without themselves having compromised, err... "monitored" said computers? Hackers today only need to know that back doors exist, find them, and exploit the access for themselves.

Truly secure would mean secure even from the good guys. Anyway, glad they still report some things, update, update!

engine

8:11 am on Jun 20, 2019 (gmt 0)




"HOW would they be aware of other people's computers having been compromised"


Could be the crash reporter?

iamlost

6:59 pm on Jun 20, 2019 (gmt 0)




Good explanation [zdnet.com] of how the FF zero days (yes, apparently there were two used in series) were found in the wild: a spearphishing attack against cryptocurrency employees.

iamlost

7:40 pm on Jun 20, 2019 (gmt 0)




Mozilla has just issued another quick update [mozilla.org] labelled Impact: HIGH.
From the description below I think that this is the second of the chained 0-days mentioned above.


CVE-2019-11708: sandbox escape using Prompt:Open

Reporter: Coinbase Security
Impact: HIGH

Description: insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer.
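
Added example, not part of the thread and not Mozilla's code: a minimal model of the bug class described in the CVE-2019-11708 advisory text, showing a privileged parent that trusts a child-supplied URI beside one that vets it against a fixed allowlist. Only the message name "Prompt:Open" comes from the advisory; the handler names, the `chrome://example/...` URIs and the sample messages are assumptions made for illustration.

```javascript
// Hypothetical model of a privileged parent process handling a "Prompt:Open"
// message from a sandboxed child. Only the message name comes from the
// advisory; every other identifier is an assumption, not Firefox code.

// Dialog documents the parent is willing to load (constructed placeholders).
const ALLOWED_PROMPT_URIS = new Set([
  "chrome://example/content/commonDialog.html",
  "chrome://example/content/selectDialog.html",
]);

// Stand-in for the privileged action: records what the parent would open.
function makeParent() {
  const opened = [];
  return { opened, open: (uri) => opened.push(uri) };
}

// Weak form: the parent trusts the child-supplied URI as-is.
function handlePromptOpenUnvetted(parent, msg) {
  parent.open(msg.data.uri);
  return true;
}

// Hardened form: treat every field as untrusted and accept only an exact
// match against the fixed allowlist.
function handlePromptOpenVetted(parent, msg) {
  if (!msg || msg.name !== "Prompt:Open") return false;
  const uri = msg.data && msg.data.uri;
  if (typeof uri !== "string" || !ALLOWED_PROMPT_URIS.has(uri)) {
    return false; // drop; a real handler would also log the rejection
  }
  parent.open(uri);
  return true;
}

// Constructed sample messages standing in for what a child could send.
const SAMPLE_MESSAGES = [
  { name: "Prompt:Open", data: { uri: "chrome://example/content/commonDialog.html" } },
  { name: "Prompt:Open", data: { uri: "https://untrusted.example/page.html" } },
  { name: "Prompt:Open", data: { uri: ["chrome://example/content/commonDialog.html"] } },
  { name: "Prompt:Open", data: {} },
];

// Feed every sample message to a handler and report what the parent opened.
function run(handler) {
  const parent = makeParent();
  const results = SAMPLE_MESSAGES.map((m) => handler(parent, m));
  return { results, opened: parent.opened };
}

console.log(run(handlePromptOpenUnvetted).opened.length, "opened without vetting");
console.log(run(handlePromptOpenVetted).opened, "opened with vetting");
```
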

mcneely

11:18 pm on Jun 20, 2019 (gmt 0)




"I think that this is the second of the chained 0-days mentioned above."


Oh great -- .03 just came down the repos "today" and now I gotta sit around and wait for the .04

tangor

10:27 pm on Jun 23, 2019 (gmt 0)




June 23 ... I've had my THIRD FF update ... all "critical" ... so what the heck is going on?

iamlost

4:11 am on Jun 24, 2019 (gmt 0)





"I've had my THIRD FF update ... all "critical" ... so what the heck is going on?"

You're critical to the meaning of life, the universe, and everything?

tangor

8:02 pm on Jun 24, 2019 (gmt 0)




Of course I am! :)

KnowOneSpecial

3:26 am on Jun 25, 2019 (gmt 0)

5+ Year Member Top Contributors Of The Month




tangor says....
I've had my THIRD FF update ... all "critical" ... so what the heck is going on?



iamlost says...
You're critical to the meaning of life, the universe, and everything?


@tangor
The answer to your question is "42"

tangor

11:51 pm on Jun 25, 2019 (gmt 0)




Perhaps ... 29 years ago.