Mozilla patches ‘type confusion’ zero-day exploit in Firefox

According to a security advisory from Mozilla, the company has patched a zero-day exploit in its Firefox browser. The fix was released as Firefox 67.0.3 and Firefox ESR 60.7.1. Initially reported by Samuel Groß (Google Project Zero, Coinbase Security), the vulnerability, CVE-2019-11707, is classified as critical and involves type confusion in Array.pop. The security advisory states the following about CVE-2019-11707:

A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw.

For the uninitiated, Microsoft gave a good explanation of type confusion in an old blog post:

Usually, when a piece of code doesn’t verify the type of object that is passed to it, and uses it blindly without type-checking, it leads to type confusion. Type confusion can be very dangerous because a type is expressed as a layout of memory in the lower level implementation of Flash Player. Also with type confusion, wrong function pointers or data are fed into the wrong piece of code. In some circumstances this can lead to code execution.
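The pattern in the quote above, as an added illustration (not code from Mozilla, Microsoft, or the Firefox source): a constructed tagged-value model in C where an unchecked accessor reads a number's bytes as an array length, next to the version that verifies the type tag first. All type and function names are hypothetical, and the bit pattern shown assumes IEEE-754 doubles.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed object model: every value carries a type tag plus a payload. */
typedef enum { T_NUMBER, T_ARRAY } Tag;

typedef struct {
    Tag tag;
    union {
        double number;                      /* layout when tag == T_NUMBER */
        struct { uint64_t length; } array;  /* layout when tag == T_ARRAY  */
    } as;
} Value;

/* Vulnerable pattern: assumes the caller passed an array and never checks. */
uint64_t array_length_unchecked(const Value *v) {
    return v->as.array.length;  /* a number's bits are read as a length */
}

/* Hardened pattern: verify the tag before touching the type-specific layout. */
int array_length_checked(const Value *v, uint64_t *out) {
    if (v == NULL || v->tag != T_ARRAY)
        return -1;              /* reject instead of misinterpreting memory */
    *out = v->as.array.length;
    return 0;
}

Value make_number(double d) { Value v; v.tag = T_NUMBER; v.as.number = d; return v; }
Value make_array(uint64_t n) { Value v; v.tag = T_ARRAY; v.as.array.length = n; return v; }

int main(void) {
    Value arr = make_array(3), num = make_number(1.0);
    uint64_t len = 0;
    printf("unchecked(array)  = %llu\n",
           (unsigned long long)array_length_unchecked(&arr));
    printf("unchecked(number) = 0x%llx\n",
           (unsigned long long)array_length_unchecked(&num));
    printf("checked(array)    = %d\n", array_length_checked(&arr, &len));
    printf("checked(number)   = %d\n", array_length_checked(&num, &len));
    return 0;
}
```

The unchecked accessor returns a plausible-looking but meaningless length for the number, which is the kind of wrong data the quote describes; the checked accessor refuses the value before any type-specific field is read.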

In the wake of this news, high-ranking organizations are alerting Firefox users about the patch. One such example is the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which stated in an alert that it “encourages users and administrators to review the Mozilla Security Advisory for Firefox 67.0.3 and Firefox ESR 60.7.1 and apply the necessary updates” to protect against type confusion attacks.

Mozilla should be commended for tackling this type confusion zero-day as efficiently as it has. The downside is that no matter how quickly the patch was released, the company itself admits that CVE-2019-11707 has already been used by black hats in the wild. There is no public data on how many individuals may have been compromised pre-patch, and for this reason all users of Firefox and Firefox ESR should look out for malicious activity. There is no telling how many users had arbitrary code executed on their systems before the patch, and users should be very aware of this.
