Mozilla recently patched an actively exploited zero-day flaw in the Firefox browser, rolling out the fix in Firefox 67.0.3. Two days later, however, it had to ship Firefox 67.0.4 to patch a second zero-day that was also under active exploitation.
Another Actively Exploited Firefox Zero-Day
After fixing the first zero-day in Firefox and rolling out the urgent update, Mozilla discovered another zero-day bug. Like the previous one, this vulnerability also demanded an urgent fix because it was being exploited in the wild.
In an advisory published on June 20, 2019, two days after the previous patch, Mozilla described the new flaw. The sandbox escape vulnerability (CVE-2019-11708), when chained with other bugs, could allow an attacker to execute arbitrary code. As stated in the advisory,
Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user’s computer.
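The advisory's core point is a general one: a sandboxed child process may be fully compromised, so any parameter it sends over IPC is attacker-controlled input, and the non-sandboxed parent must validate it against its own policy before acting on it. The following Python sketch is an added illustration of that broker-side vetting pattern, not Mozilla's code and not a description of how Firefox's Prompt:Open handler actually works; the message shape, the per-child origin table and the scheme lists are constructed assumptions for the example.

```python
"""Constructed illustration of parent-side vetting of an IPC "open" request.

The parent (broker) runs outside the sandbox. If it opens whatever URL a child
names, a compromised child can make the privileged parent load content of the
attacker's choosing. The hardened variant treats the child's parameters as
untrusted input. Message fields, scheme lists and the child->origin table are
assumptions for this example, not Firefox's real IPC protocol.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Schemes the parent is willing to open on a child's behalf (assumption).
ALLOWED_SCHEMES = frozenset({"http", "https"})
# Schemes that would load privileged or local content in the parent (assumption).
PRIVILEGED_SCHEMES = frozenset({"file", "chrome", "resource", "javascript", "data", "about"})
MAX_URL_LEN = 2048


@dataclass(frozen=True)
class OpenRequest:
    """Hypothetical IPC message: a child asks the parent to open a URL."""
    child_id: int
    url: str


class RejectedRequest(Exception):
    pass


def vulnerable_parent_open(req):
    """Trusts the child's parameters as-is: whatever the child names gets opened."""
    return ("open", req.url)


def vet_open_request(req, child_origins):
    """Validate an open request from a possibly compromised child.

    child_origins maps child_id -> the origin that child was spawned to render
    (assumption). Returns the URL to open, or raises RejectedRequest.
    """
    if not isinstance(req.url, str) or len(req.url) > MAX_URL_LEN:
        raise RejectedRequest("malformed url parameter")
    parts = urlsplit(req.url)
    scheme = parts.scheme.lower()
    if scheme in PRIVILEGED_SCHEMES:
        raise RejectedRequest(f"privileged scheme {scheme!r} from child")
    if scheme not in ALLOWED_SCHEMES:
        raise RejectedRequest(f"scheme {scheme!r} not allowed")
    if not parts.hostname:
        raise RejectedRequest("missing host")
    # Only honour requests for the origin this child is responsible for, so a
    # compromised child cannot steer the parent to an arbitrary site.
    # (Port is ignored here for brevity; a real policy would include it.)
    origin = f"{scheme}://{parts.hostname}"
    expected = child_origins.get(req.child_id)
    if expected is None or origin != expected:
        raise RejectedRequest(f"child {req.child_id} may not open {origin}")
    return parts.geturl()


def hardened_parent_open(req, child_origins):
    """Same entry point as the vulnerable version, but vets the parameters first."""
    try:
        return ("open", vet_open_request(req, child_origins))
    except RejectedRequest as exc:
        return ("reject", str(exc))


# Constructed sample: child 7 was spawned to render https://example.com
CHILD_ORIGINS = {7: "https://example.com"}

SAMPLE_REQUESTS = [
    OpenRequest(7, "https://example.com/login"),   # legitimate
    OpenRequest(7, "file:///etc/passwd"),          # local file via parent
    OpenRequest(7, "javascript:alert(1)"),         # script in parent context
    OpenRequest(7, "https://attacker.example/"),   # different origin
    OpenRequest(9, "https://example.com/"),        # unknown child id
]


def demo():
    """Return (vulnerable, hardened) decisions for each constructed request."""
    return [(vulnerable_parent_open(r), hardened_parent_open(r, CHILD_ORIGINS))
            for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, (vuln, hard) in zip(SAMPLE_REQUESTS, demo()):
        print(f"{req.url:32} vulnerable={vuln[0]:6} hardened={hard[0]}")
```

The point of the side-by-side is that both brokers expose the same interface; the difference is entirely whether the parent decides for itself what it is willing to open. Scheme allowlisting alone is not enough here, since a compromised child could still name an ordinary https URL the parent should not visit on its behalf, which is why the example also ties each child to the origin it was created for.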
Firefox 67.0.4 Released With A Fix
The vulnerability CVE-2019-11708 came to Mozilla's attention following a report from the Coinbase Security team. While it had been unclear how the previously reported flaw (CVE-2019-11707) was being exploited, the picture is now clearer: the two bugs, CVE-2019-11707 and CVE-2019-11708, were chained together against Coinbase employees, allowing the attackers to target the cryptocurrency firm's staff in a single spearphishing attempt. According to what Philip Martin of Coinbase security told ZDNet,
On Monday, Coinbase detected & blocked an attempt by an attacker to leverage the reported 0-day, along with a separate 0-day Firefox sandbox escape, to target Coinbase employees.
Following the reports, Mozilla patched the second zero-day with the release of Firefox 67.0.4. It also fixed both vulnerabilities in the Thunderbird email client with the release of Thunderbird 60.7.2.
Users should make sure their systems are updated to the latest Firefox and Thunderbird versions to stay protected from these attacks.