CRITICAL 0-day active in the wild

Update Firefox ASAP

     
2:56 am on Jun 19, 2019 (gmt 0)

Senior Member from CA 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Nov 25, 2003
posts:1315
votes: 414


If you are running the Firefox browser there is a CRITICAL 0-day active in the wild.
Please update as soon as practicable.

* Mozilla Foundation Security Advisory 2019-18 [mozilla.org]

Security vulnerabilities fixed in Firefox 67.0.3 and Firefox ESR 60.7.1

Announced: June 18, 2019
Impact: critical
Products: Firefox, Firefox ESR
Fixed in Firefox 67.0.3, Firefox ESR 60.7.1

CVE-2019-11707: Type confusion in Array.pop
Reporter: Samuel Groß of Google Project Zero, Coinbase Security
Impact: critical

Description: a type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw.
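An added example, not part of the original post or of Mozilla's advisory: a small audit that classifies captured `firefox --version` output against the fixed versions quoted above (67.0.3 for release, 60.7.1 for ESR). The host names and inventory are constructed sample data, and the assumed output format is `Mozilla Firefox <version>` with an `esr` suffix on ESR builds.

```python
import re

# Fixed versions as quoted from MFSA 2019-18 in the post above.
FIXED = {"release": (67, 0, 3), "esr": (60, 7, 1)}

# A dotted version, optionally suffixed "esr", not glued to other characters
# (so a beta string such as "68.0b12" is deliberately left unmatched).
VERSION_RE = re.compile(r"(?<![\w.])(\d+(?:\.\d+)+)(esr)?(?![\w.])", re.I)

# Constructed sample: host name -> captured `firefox --version` output.
SAMPLE_INVENTORY = {
    "ws-01": "Mozilla Firefox 67.0.2",
    "ws-02": "Mozilla Firefox 67.0.3",
    "ws-03": "Mozilla Firefox 60.7.0esr",
    "ws-04": "Mozilla Firefox 60.7.1esr",
    "ws-05": "Mozilla Firefox 68.0b12",
    "ws-06": "firefox: command not found",
}


def parse_firefox_version(text):
    """Return (channel, (major, minor, patch)) or None if unparseable."""
    match = VERSION_RE.search(text)
    if match is None:
        return None
    parts = [int(p) for p in match.group(1).split(".")]
    parts += [0] * (3 - len(parts))  # "68.0" -> (68, 0, 0)
    channel = "esr" if match.group(2) else "release"
    return channel, tuple(parts[:3])


def status(text):
    """Classify one version string as patched, vulnerable or unknown."""
    parsed = parse_firefox_version(text)
    if parsed is None:
        return "unknown"  # needs a manual look, never assumed safe
    channel, version = parsed
    return "patched" if version >= FIXED[channel] else "vulnerable"


def audit(inventory):
    """Map every host in the inventory to its status."""
    return {host: status(output) for host, output in inventory.items()}


if __name__ == "__main__":
    for host, result in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host}: {result}")
```

The thresholds cover only the versions stated in this advisory; a later fix needs its own entry in `FIXED`.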
3:28 am on June 19, 2019 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 29, 2005
posts:9880
votes: 967


Side note: Also affects Thunderbird ...... so do both!
3:32 am on June 19, 2019 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 29, 2005
posts:9880
votes: 967


My bad! The t-bird was yesterday ... slightly different beast!

You are returned to your regularly scheduled programming.
8:16 am on June 19, 2019 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:May 9, 2000
posts:26174
votes: 960


Thanks, that was a quick and easy update to fix.
11:19 pm on June 19, 2019 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member ken_b is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Oct 5, 2001
posts:5879
votes: 113


Thanks for the alert. Updated both, easy as could be.
12:39 am on June 20, 2019 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:July 29, 2007
posts:1974
votes: 192


Reality: There are probably several "0-day in the wild" type exploits going on that are not yet known or discussed.

We are aware of targeted attacks in the wild abusing this flaw.


That right there is what I'd like to know more about, HOW would they be aware of other people's computers having been compromised without themselves having compromised, err... "monitored" said computers? Hackers today only need to know that back doors exist, find them, and exploit the access for themselves.

Truly secure would mean secure even from the good guys. Anyway, glad they still report some things, update, update!
8:11 am on June 20, 2019 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:May 9, 2000
posts:26174
votes: 960


HOW would they be aware of other people's computers having been compromised


Could be the crash reporter?
6:59 pm on June 20, 2019 (gmt 0)

Senior Member from CA 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Nov 25, 2003
posts:1315
votes: 414


Good explanation [zdnet.com] of how the FF zero days (yes, apparently there were two used in series) were found in the wild: a spearphishing attack against cryptocurrency employees.
7:40 pm on June 20, 2019 (gmt 0)

Senior Member from CA 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Nov 25, 2003
posts:1315
votes: 414


Mozilla has just issued another quick update [mozilla.org] labelled Impact: HIGH.
From the description below I think that this is the second of the chained 0-days mentioned above.


CVE-2019-11708: sandbox escape using Prompt:Open

Reporter: Coinbase Security
Impact: HIGH

Description: insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer.
11:18 pm on June 20, 2019 (gmt 0)

Preferred Member

10+ Year Member Top Contributors Of The Month

joined:July 23, 2004
posts:587
votes: 97


I think that this is the second of the chained 0-days mentioned above.


Oh great -- .03 just came down the repos "today" and now I gotta sit around and wait for the .04
10:27 pm on June 23, 2019 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 29, 2005
posts:9880
votes: 967


June 23 ... I've had my THIRD FF update ... all "critical" ... so what the heck is going on?
4:11 am on June 24, 2019 (gmt 0)

Senior Member from CA 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Nov 25, 2003
posts:1315
votes: 414



I've had my THIRD FF update ... all "critical" ... so what the heck is going on?

You're critical to the meaning of life, the universe, and everything?
8:02 pm on June 24, 2019 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 29, 2005
posts:9880
votes: 967


Of course I am! :)
3:26 am on June 25, 2019 (gmt 0)

New User from US 

Top Contributors Of The Month

joined:June 21, 2019
posts: 29
votes: 1



tangor says....
I've had my THIRD FF update ... all "critical" ... so what the heck is going on?



iamiost says...
You're critical to the meaning of life, the universe, and everything?


@tangor
The answer to your question is "42"
11:51 pm on June 25, 2019 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 29, 2005
posts:9880
votes: 967


Perhaps ... 29 years ago.