Mozilla patches ‘type confusion’ zero-day exploit in Firefox

According to a security advisory from Mozilla, the company has patched a zero-day vulnerability in its Firefox browser. The fix shipped in Firefox 67.0.3 and Firefox ESR 60.7.1. Initially reported by Samuel Groß (Google Project Zero, Coinbase Security), the vulnerability, CVE-2019-11707, is classified as critical and involves type confusion in Array.pop. The security advisory states the following about CVE-2019-11707:

A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw.

For the uninitiated, Microsoft gave a good explanation in an old blog post on type confusion as follows:

Usually, when a piece of code doesn’t verify the type of object that is passed to it, and uses it blindly without type-checking, it leads to type confusion. Type confusion can be very dangerous because a type is expressed as a layout of memory in the lower level implementation of Flash Player. Also with type confusion, wrong function pointers or data are fed into the wrong piece of code. In some circumstances this can lead to code execution.

In the wake of this news, high-ranking organizations are alerting Firefox users about the patch. One such example is the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which stated in an alert that it “encourages users and administrators to review the Mozilla Security Advisory for Firefox 67.0.3 and Firefox ESR 60.7.1 and apply the necessary updates” to protect against type confusion attacks.
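
For administrators acting on that advice, a small inventory check against the two fixed versions named above. This is an added example, not code from Mozilla, CISA or the original article. It assumes version strings in the form printed by `firefox --version` (ESR builds carry an `esr` suffix) and that later releases carry the fix forward; the hostnames and sample data are constructed.

```python
import re

# Fixed versions named in the article (Mozilla advisory for CVE-2019-11707).
FIXED_RELEASE = (67, 0, 3)
FIXED_ESR = (60, 7, 1)

# Matches "67.0.3", "60.7.1esr", "68.0esr"; betas such as "68.0b3" do not match.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?\b", re.IGNORECASE)


def parse_firefox_version(text):
    """Return ((major, minor, patch), is_esr), or None if no version is found."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, esr = m.groups()
    return (int(major), int(minor), int(patch or 0)), esr is not None


def has_fix(text):
    """True if the version is at or past the fixed version for its channel."""
    parsed = parse_firefox_version(text)
    if parsed is None:
        raise ValueError(f"no Firefox version in {text!r}")
    version, is_esr = parsed
    return version >= (FIXED_ESR if is_esr else FIXED_RELEASE)


def audit(inventory):
    """Map host -> 'fixed' | 'update required' | 'unknown'."""
    report = {}
    for host, version_text in inventory.items():
        try:
            report[host] = "fixed" if has_fix(version_text) else "update required"
        except ValueError:
            # Unparseable entries are surfaced, never counted as patched.
            report[host] = "unknown"
    return report


# Constructed sample inventory: hostnames and version strings are made up.
SAMPLE = {
    "ws-01": "Mozilla Firefox 67.0.3",
    "ws-02": "Mozilla Firefox 66.0.5",
    "kiosk-01": "Mozilla Firefox 60.7.0esr",
    "kiosk-02": "Mozilla Firefox 60.7.1esr",
    "lab-01": "version unavailable",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE).items()):
        print(f"{host}: {status}")
```

A non-ESR build is compared against 67.0.3 even when its number is above 60.7.1, so an old release-channel install is not mistaken for a patched ESR build.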

Mozilla should be commended for tackling this type confusion zero-day as efficiently as it has. The downside is that, no matter how quickly the patch was released, the company itself admits that CVE-2019-11707 has already been used by black hats in the wild. There is no public data on how many individuals may have been compromised pre-patch, and for this reason all users of Firefox and Firefox ESR should look out for malicious activity. There is no telling how many users had arbitrary code executed on their systems before the patch, and users should be very aware of this.

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and a tech journalist who is committed to creating an informed society with regard to information security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.