It's security update week. X-buntu users, like yours truly, should have already applied the kernel updates that Canonical released earlier this week. Mozilla, for its part, released version 67.0.3 of its browser to fix a critical security flaw that, it told us, it knew was being exploited. Yesterday the same company released Firefox 67.0.4, another update that exists solely and exclusively to correct security flaws.
What they have discovered this time is very similar to what they discovered the day before: a zero-day vulnerability that has been used in targeted attacks against cryptocurrency firms such as Coinbase. Interestingly, Firefox 67 introduced a new feature that promised to make us forget the word "cryptocurrencies", yet this vulnerability has put that word into many articles like this one. Recall that the last big update of the fox browser blocks cryptomining and fingerprinting, although right now the protection still has to be activated manually (it will be enabled by default soon).
Firefox discovers a new zero-day vulnerability
At the beginning of the week, Mozilla released versions 67.0.3 and 60.7.1 (ESR) of its browser. The new versions are 67.0.4 for the "normal" release and 60.7.2 for ESR. The list of changes in these versions is very short: there is only one entry, described as "Security Fix". If we follow the link, we can read the following:
Insufficient verification of parameters passed with request: Open IPC message between child and parent processes can cause the non-sandboxed parent process to open the web content chosen by a compromised child process. When combined with additional vulnerabilities, this could result in the execution of arbitrary code on the user's computer.
Mozilla recommends updating as soon as possible. At the time of writing this article, the update has not reached the official repositories of distributions like Ubuntu, but it will do so in the next few hours.