Mozilla patches ‘type confusion’ zero-day exploit in Firefox

According to a security advisory from Mozilla, the company has patched a zero-day exploit in its Firefox browser. The fix shipped in Firefox 67.0.3 and Firefox ESR 60.7.1. Initially reported by Samuel Groß (Google Project Zero, Coinbase Security), the vulnerability CVE-2019-11707 is classified as critical and involves type confusion in Array.pop. The security report states the following about CVE-2019-11707:

A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw.

For the uninitiated, Microsoft gave a good explanation of type confusion in an old blog post (written about Flash Player, but the same principle applies to a JavaScript engine):

Usually, when a piece of code doesn’t verify the type of object that is passed to it, and uses it blindly without type-checking, it leads to type confusion. Type confusion can be very dangerous because a type is expressed as a layout of memory in the lower level implementation of Flash Player. Also with type confusion, wrong function pointers or data are fed into the wrong piece of code. In some circumstances this can lead to code execution.

In the wake of this news, high-ranking organizations are alerting Firefox users about the patch. One such example is the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which stated in an alert that it “encourages users and administrators to review the Mozilla Security Advisory for Firefox 67.0.3 and Firefox ESR 60.7.1 and apply the necessary updates” to protect against type confusion attacks.

Mozilla should be commended for tackling this type confusion zero-day as efficiently as they have. The downside is that no matter how quickly the patch was released, the company itself admits that CVE-2019-11707 has already been used by black hats in the wild. There is no public data on how many individuals may have been compromised before the patch, and for this reason all users of Firefox and Firefox ESR should look out for malicious activity. There is no telling how many users had arbitrary code executed on their systems before the patch, and users should be very aware of this.
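To act on the advisory across more than one machine, the check below flags installs older than the fixed versions named above (67.0.3 for the release channel, 60.7.1 for ESR). It is an added example, not code from Mozilla or CISA; the version-string format (an optional "Mozilla Firefox " prefix and an "esr" suffix on ESR builds) and the host inventory are assumptions.

```python
import re

# Fixed versions as stated in the article for CVE-2019-11707.
FIXED = {"release": (67, 0, 3), "esr": (60, 7, 1)}

# Assumed format: "67.0.2" or "60.7.0esr", optionally prefixed with
# "Mozilla Firefox ". Anything else (betas, nightlies, garbage) is rejected
# so it is reported for manual review instead of being guessed at.
_VERSION_RE = re.compile(
    r"(?:Mozilla Firefox )?(\d+)\.(\d+)(?:\.(\d+))?(esr)?", re.IGNORECASE
)


def parse_version(text):
    """Return (channel, (major, minor, patch)) or None if unparseable."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        return None
    major, minor, patch, esr = m.groups()
    channel = "esr" if esr else "release"
    return channel, (int(major), int(minor), int(patch or 0))


def has_fix(text):
    """True if the version is at or above the fix for its channel."""
    parsed = parse_version(text)
    if parsed is None:
        return None
    channel, version = parsed
    return version >= FIXED[channel]


def audit(inventory):
    """Map each host to 'patched', 'needs-update' or 'unknown'."""
    labels = {True: "patched", False: "needs-update", None: "unknown"}
    return {host: labels[has_fix(version)] for host, version in inventory}


# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE = [
    ("ws-01", "Mozilla Firefox 67.0.2"),
    ("ws-02", "Mozilla Firefox 67.0.3"),
    ("ws-03", "60.7.0esr"),
    ("ws-04", "60.7.1esr"),
    ("ws-05", "68.0b3"),
    ("ws-06", "66.0"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

A version string without the "esr" suffix is compared against the release-channel fix, so an ESR build reported without its suffix is flagged for update, not passed.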

Featured image: Mozilla

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and a tech journalist who is committed to creating an informed society with regard to information security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
