Mozilla patches ‘type confusion’ zero-day exploit in Firefox

According to a security advisory from Mozilla, the company has patched a zero-day exploit in its Firefox browser. The update in question was released for Firefox as patch 67.0.3 and Firefox ESR as patch 60.7.1. Initially reported by Samuel Groß (Google Project Zero, Coinbase Security), the vulnerability CVE-2019-11707 is classified as critical and involves type confusion in Array.pop. The security report states the following about CVE-2019-11707:

A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw.

For the uninitiated, Microsoft gave a good explanation in an old blog post on type confusion as follows:

Usually, when a piece of code doesn’t verify the type of object that is passed to it, and uses it blindly without type-checking, it leads to type confusion. Type confusion can be very dangerous because a type is expressed as a layout of memory in the lower level implementation of Flash Player. Also with type confusion, wrong function pointers or data are fed into the wrong piece of code. In some circumstances this can lead to code execution.
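The mechanism in the quoted explanation, shown as an added C example that is not taken from Mozilla's advisory, Microsoft's post or any browser source. The `value_t` layout, its tags and both reader functions are hypothetical, and the input values are constructed. The unchecked reader reinterprets a number's bytes as a trusted length, while the hardened reader verifies the type tag and the length invariant first.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed object model (hypothetical, not Firefox or Flash internals). */
typedef enum { T_NUMBER, T_BUFFER } tag_t;

typedef struct {
    tag_t tag;                          /* runtime type of the value */
    union {
        uint64_t number;                /* T_NUMBER: arbitrary script-supplied integer */
        struct { uint64_t len; } buf;   /* T_BUFFER: length the runtime trusts */
    } u;
    unsigned char data[16];             /* backing store, meaningful only for T_BUFFER */
} value_t;

/* Confused reader: assumes every value is a buffer and never looks at the tag. */
uint64_t buffer_len_unchecked(const value_t *v) {
    return v->u.buf.len;                /* same bytes as u.number for a T_NUMBER */
}

/* Hardened reader: verifies the tag and the invariant len <= sizeof data. */
int buffer_len_checked(const value_t *v, uint64_t *out) {
    if (v == NULL || out == NULL) return -1;
    if (v->tag != T_BUFFER) return -1;              /* wrong type: refuse */
    if (v->u.buf.len > sizeof v->data) return -1;   /* corrupt length: refuse */
    *out = v->u.buf.len;
    return 0;
}

value_t make_number(uint64_t n) {
    value_t v = { .tag = T_NUMBER };
    v.u.number = n;
    return v;
}

value_t make_buffer(uint64_t len) {
    value_t v = { .tag = T_BUFFER };
    v.u.buf.len = len;
    return v;
}

int main(void) {
    value_t n = make_number(4096);      /* constructed sample input */
    uint64_t len = 0;
    printf("unchecked length: %llu (capacity %zu)\n",
           (unsigned long long)buffer_len_unchecked(&n), sizeof n.data);
    printf("checked reader returns %d\n", buffer_len_checked(&n, &len));
    return 0;
}
```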

In the wake of this news, high-ranking organizations are alerting Firefox users about the patch. One such example is the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which stated in an alert that it “encourages users and administrators to review the Mozilla Security Advisory for Firefox 67.0.3 and Firefox ESR 60.7.1 and apply the necessary updates” to protect against type confusion attacks.

Mozilla should be commended for tackling this type confusion zero-day as efficiently as they have. The downside is that no matter how quickly they were able to release a patch, the company itself admits that CVE-2019-11707 has been used by black hats in the wild already. There are no public data collections on just how many individuals may have been compromised pre-patch, and for this reason, all users of Firefox and Firefox ESR should look out for malicious activity. There is no telling how many users had arbitrary code executed on their systems before the patch, and users should be very aware of this.


Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
