New Firefox Exploits Can be Combined Into a Devastating Crypto Attack

Elaborated in the most recent Mozilla Security Advisory, the new exploit named ‘CVE-2019-11708’ effects all earlier versions of Mozilla’s Firefox and Firefox ESR web browsers. The flaw has now been patched in the new Firefox 67.0.4 and Firefox ESR 60.7.2.

A full description of the bug, as described by Mozilla is outlined below;

Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user’s computer.

Mozilla rated the latest Firefox exploit as high impact, a designation reserved for vulnerabilities that can gather sensitive user data or inject code into sites visited by the user during normal browsing sessions.

The new exploit is unusual in that it was detected after being spotted being used in the wild. As is common with many zero-day exploits, the technique was first used to target cryptocurrency owners and users.

Coinbase Targeted

According to ZDNet, both an earlier Firefox exploit and the new one were combined into a two-step attack to target several cryptocurrency organizations, including Coinbase.

The exploit was unraveled after Philip Martin, Chief Information Security Officer at Coinbase reported the attack to Mozilla.

Together, the two exploits would have allowed the attacker to extract sensitive data from affected machines, and potentially escape the Firefox sandbox to run code without permission. Had this been successful, Coinbase and other affected sites could have suffered catastrophic losses.

It remains unclear how the attacker had discovered the Remote Code Execution (RCE) bug, but it may have been independently discovered, or leaked by a Mozilla insider.

To protect yourself from the vulnerability, you will need to update Firefox by navigating to ‘About Firefox’ in the menu panel to access the automatic update feature.

What is your opinion on Firefox as a browser? Do the recent exploits highlight a need to switch to alternatives, like Brave? Let us know your thoughts in the comments!