Published , by Brittany Vincent
Published , by Brittany Vincent
Firefox users, beware. Mozilla has released critical updates for the browser meant to address a vulnerability that's being used in a variety of targeted attacks.
The fix is for critical flaw CVE-2019-11707, which has to do with an array method that's used in JavaScript objects within Firefox itself. The vulnerability allows those who wish to do harm to take control of systems still running any versions of Firefox with the exploit unmatched.
“On Monday, June 17, 2019, Coinbase reported a vulnerability used as part of targeted attacks for a spear phishing campaign,” sad Selena Deckelmann, senior director of Firefox Browser Engineering, in a statement to Threatpost. “In less than 24 hours, we released a fix for the exploit.”
According to Mozilla, the issue has been resolved in versions Firefox 67.0.3 and Firefox ESR 60.7.1. Unfortunately, anyone continuing to use Firefox on a PC via Windows, macOS, or Linux would be affected by the vulnerability. It was originally found by Samuel Groß of Google Project Zero and the Coinbase Security team, and further disseminated in a Twitter thread. The vulnerability was first reported on April 15 and the first public fix was then sent out "about a week ago."
There aren't any details about the flaw's exploits floating around in the wild to pore over, and Mozilla didn't immediately respond to Threatpost's request for comment on the matter. However, it seems that since the flaw has been resolved, it's not so much a critical problem anymore, but it's still worth making sure you've been upgraded to the latest version of Firefox and aren't using any outdated browsers that could potentially put you at risk. It's always a good idea to stay up to date on things like these, even if there aren't any immediate risks involved.
Thanks to jcupitt for bringing this to our attention with his Chatty thread.