Mozilla Patches Actively Exploited Firefox Zero-Day

Mozilla released Firefox 67.0.3 and Firefox ESR 60.7.1 to patch an actively exploited and critical severity vulnerability which could allow attackers to remotely execute arbitrary code on machines running vulnerable Firefox versions.

As Mozilla's security advisory says, the Firefox developers are "aware of targeted attacks in the wild abusing this flaw" which could allow attackers who exploit this vulnerability to take control of affected systems.

The Firefox and Firefox ESR zero-day flaw fixed by Mozilla was reported by Google Project Zero's Samuel Groß and the Coinbase Security team.

The type confusion vulnerability tracked as CVE-2019-11707 occurs "when manipulating JavaScript objects due to issues in Array.pop."


Attackers could potentially trigger the type confusion by deceiving users of unpatched Firefox versions into visiting a maliciously crafted web page, and then execute arbitrary code on their systems.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also issued an alert advising users "to review the Mozilla Security Advisory for Firefox 67.0.3 and Firefox ESR 60.7.1 and apply the necessary updates."
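As an added example (not from the article, Mozilla or CISA), a small Python check that tells whether a given Firefox build already carries the CVE-2019-11707 fix, treating the ESR branch separately because 60.7.1 ESR is patched although numerically lower than 67.0.3. The inventory rows are constructed, and the handling of ESR branches other than 60 is an assumption.

```python
# Added example: classify a Firefox version string as patched or still
# vulnerable to CVE-2019-11707, using the fixed versions named in the
# Mozilla advisory: Firefox 67.0.3 and Firefox ESR 60.7.1.

# Fixed versions per the advisory (mainline branch and ESR 60 branch).
FIXED_MAINLINE = (67, 0, 3)
FIXED_ESR60 = (60, 7, 1)


def parse_version(text: str) -> tuple:
    """Turn '67.0.3' or '60.7.1esr' into a comparable tuple of integers.

    A trailing 'esr' is tolerated; missing components count as 0, so
    '67.0' compares as (67, 0, 0).
    """
    cleaned = text.strip().lower()
    if cleaned.endswith("esr"):
        cleaned = cleaned[:-3].strip()
    parts = cleaned.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError("not a Firefox version string: %r" % text)
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))


def is_patched(version: str, esr: bool = False) -> bool:
    """Return True when this build carries the CVE-2019-11707 fix.

    esr=True means the build is from the Extended Support Release branch:
    an ESR 60.x build is fixed from 60.7.1 even though 60.7.1 < 67.0.3.
    Assumption: later branches than the fixed one ship with the fix, and
    ESR branches older than 60 were out of support and never received it.
    """
    v = parse_version(version)
    if esr:
        if v[0] == 60:
            return v >= FIXED_ESR60
        return v[0] > 60
    return v >= FIXED_MAINLINE


if __name__ == "__main__":
    # Constructed sample inventory: (hostname, version string, is_esr)
    inventory = [("ws01", "67.0.2", False), ("ws02", "67.0.3", False),
                 ("srv01", "60.7.0esr", True), ("srv02", "60.7.1esr", True)]
    for host, ver, esr in inventory:
        status = "patched" if is_patched(ver, esr) else "VULNERABLE"
        print("%-6s Firefox %-10s %s" % (host, ver, status))
```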

While there is no other information related to this flaw, all users are advised to install the patched Firefox releases from the following links:

This is not the first Firefox zero-day to get an emergency fix: back in 2016, Mozilla patched another one with the release of Firefox 50.0.2 and 45.5.1 ESR, while the Tor Project released Tor Browser 6.0.7 to fix the same issue.

At that time, the vulnerability was exploited by attackers to de-anonymize Tor Browser users and collect data including their IP addresses, MAC addresses, and hostnames.

Google issued its own zero-day patch during early March with the release of Google Chrome 72.0.3626.121 which came with a warning that the vulnerability patched in the release was actively exploited in the wild.

The zero-day flaw, tracked as CVE-2019-5786 and rated as high severity, was a use-after-free flaw in the browser's FileReader API, an API designed to allow the browser to access and read locally stored files.

Microsoft also released an out-of-band security update that fixed an actively exploited remote code execution vulnerability in Internet Explorer in December 2018, a flaw discovered by Google’s Threat Analysis Group which observed the vulnerability being used in targeted attacks.
