Mozilla patches ‘type confusion’ zero-day exploit in Firefox

According to a security advisory from Mozilla, the company has patched a zero-day exploit in its Firefox browser. The update in question was released for Firefox as patch 67.0.3 and Firefox ESR as patch 60.7.1. Initially reported by Samuel Groß (Google Project Zero, Coinbase Security), the vulnerability CVE-2019-11707 is classified as critical and involves type confusion in Array.pop. The security report states the following about CVE-2019-11707:

A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw.

For the uninitiated, Microsoft gave a good explanation in an old blog post on type confusion as follows:

Usually, when a piece of code doesn’t verify the type of object that is passed to it, and uses it blindly without type-checking, it leads to type confusion. Type confusion can be very dangerous because a type is expressed as a layout of memory in the lower level implementation of Flash Player. Also with type confusion, wrong function pointers or data are fed into the wrong piece of code. In some circumstances this can lead to code execution.

In the wake of this news, high-ranking organizations are alerting Firefox users about the patch. One such example is the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which stated in an alert that it “encourages users and administrators to review the Mozilla Security Advisory for Firefox 67.0.3 and Firefox ESR 60.7.1 and apply the necessary updates” to protect against type confusion attacks.
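For administrators acting on that advice, the following is an added example (not from Mozilla, CISA, or the original article) that triages an inventory of Firefox version strings against the fixed versions named above. It assumes ESR builds carry an "esr" suffix in the version string; the hostnames and versions in the sample are constructed.

```python
import re

# Fixed versions stated in the article for CVE-2019-11707.
FIXED = {"release": (67, 0, 3), "esr": (60, 7, 1)}

# Assumption: strings look like "67.0.2" or "Mozilla Firefox 60.7.0esr".
# Anything else (for example a beta such as "68.0b5") is reported as unknown.
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?\s*$", re.IGNORECASE)


def parse_version(text):
    """Return (channel, (major, minor, patch)) or None if unparseable."""
    m = VERSION_RE.search(text.strip())
    if not m:
        return None
    major, minor, patch, esr = m.groups()
    return ("esr" if esr else "release"), (int(major), int(minor), int(patch or 0))


def needs_update(text):
    """True if below the fixed version for its channel, None if unknown."""
    parsed = parse_version(text)
    if parsed is None:
        return None  # do not guess: the caller must verify these by hand
    channel, version = parsed
    return version < FIXED[channel]


def triage(inventory):
    """Split {host: version_string} into patched / vulnerable / unknown."""
    result = {"patched": [], "vulnerable": [], "unknown": []}
    for host, text in sorted(inventory.items()):
        state = needs_update(text)
        key = "unknown" if state is None else ("vulnerable" if state else "patched")
        result[key].append(host)
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {
    "ws-01": "Mozilla Firefox 67.0.3",
    "ws-02": "Mozilla Firefox 67.0.2",
    "ws-03": "Mozilla Firefox 60.7.1esr",
    "ws-04": "60.7.0esr",
    "ws-05": "Mozilla Firefox 68.0b5",
    "ws-06": "Mozilla Firefox 66.0",
}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Hosts reported as unknown are not confirmed safe and should be checked manually.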

Mozilla should be commended for tackling this type confusion zero-day as efficiently as it has. The downside is that no matter how quickly it was able to release a patch, the company itself admits that CVE-2019-11707 has already been used by black hats in the wild. There is no public data on just how many individuals may have been compromised pre-patch, and for this reason all users of Firefox and Firefox ESR should look out for malicious activity. There is no telling how many users had arbitrary code executed on their systems before the patch, and users should be very aware of this.

Featured image: Mozilla

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and a tech journalist who is committed to creating an informed society with regard to information security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
