Mozilla Releases Firefox 67.0.3 to Urgently Fix Zero Day Vulnerability


If you are a Firefox user, it is time to update your browser, no excuses: a zero-day vulnerability has recently been discovered in the browser and it is being actively exploited in targeted attacks.

The flaw was reported by a researcher from Google's Project Zero and affects all earlier versions of Firefox. The good news is that a patch has been available since June 18 in Firefox 67.0.3 and Firefox ESR 60.7.1.

Mozilla strongly recommends that all users upgrade.

About the vulnerability

In its security advisory, Mozilla gave a brief description of the nature of the flaw.

It explains that the vulnerability can be triggered by manipulating JavaScript objects, due to issues in the Array.pop method (Array.prototype.pop, which removes the last element of a JavaScript array).

It is also reported that the bug is a type confusion, that is, the JavaScript engine ends up treating an object as if it were of a different type than it really is.

“A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw,” says the deliberately terse advisory.

Aside from the short description posted on the Mozilla site, there are no other details about this security vulnerability or attacks in progress.

When asked for additional details, Mozilla said that the bug could be exploited for remote code execution (RCE), but that on its own it would require a separate sandbox escape to run code on the underlying operating system.

“However, it is likely that it can also be exploited for cross-site scripting, which may be sufficient depending on the attacker's goals,” they added.

Cross-site scripting (XSS) is a class of web application vulnerability that allows an attacker to inject content into a page, which is then executed by the browsers of everyone who visits that page.

The impact of XSS is broad, since the attacker can use any language the browser executes (JavaScript, and plugin content such as Java or Flash where the browser still supports it), and new attack possibilities are discovered regularly as the browser platform gains features such as those introduced with HTML5.

For example, the injected script can redirect the victim to a phishing site, or hijack the session by reading the session cookies (only cookies not flagged HttpOnly are readable from script, which is why that flag matters).

Mozilla also says it has no details at the moment about how this zero-day was used against the browser, and that Coinbase Security, the other party credited in the advisory, may know more about the attacks it observed.

“I have no idea about the part related to active exploitation. I found and reported the bug on April 15,” said the Google security researcher.

However, given that the other party credited with reporting the hole is Coinbase Security, it is reasonable to assume that it was exploited in attacks against cryptocurrency holders.

How to update Firefox browser on Linux?

To update to the fixed versions of the browser, or to install it if you do not have it yet, follow the instructions below.

Users of Ubuntu, Linux Mint or any other Ubuntu derivative can install or update to the new version with the help of Mozilla's security PPA. (A normal sudo apt update && sudo apt upgrade will also pull the fix from Ubuntu's own security repositories once it has been published there; the PPA is simply where the builds land first.)

Add the PPA by opening a terminal and running:

sudo add-apt-repository ppa:ubuntu-mozilla-security/ppa -y && sudo apt-get update

Once that is done, install or upgrade the browser with:

sudo apt install firefox

Arch Linux users and derivatives just need to run a full system upgrade in a terminal:

sudo pacman -Syu

Or, to install it for the first time:

sudo pacman -S firefox

Users of all other Linux distributions can download the binary packages from the following link.

Another way to update to the latest version is from within the browser itself: open the main menu, choose Help (the entry with the question mark icon) and then About Firefox.

That dialog checks for updates and automatically starts the download and installation of the new version.

The fixed releases are Firefox 67.0.3 and Firefox ESR 60.7.1, in which the critical vulnerability, tracked as CVE-2019-11707, has been patched.
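Whichever route you use to update, the thing worth verifying afterwards is that the installed build is actually at or past the fixed version for its branch (67.0.3 on the release channel, 60.7.1 on ESR). The following script is an added example written for this article, not code from Mozilla or from the article's original author; it assumes that firefox --version prints a line of the form "Mozilla Firefox 67.0.3" or "Mozilla Firefox 60.7.1esr", which is what the Linux builds print.

```shell
#!/bin/sh
# Added example (not from the article or from Mozilla): decide whether an
# installed Firefox already carries the CVE-2019-11707 fix. Fixed versions,
# as stated in the article: 67.0.3 (release) and 60.7.1 (ESR).
# Assumption: `firefox --version` prints "Mozilla Firefox <version>".

# version_ge A B: exit 0 if dotted numeric version A >= B, 1 otherwise.
# Missing trailing fields count as 0, so 67.0 is treated as 67.0.0 < 67.0.3.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# firefox_is_patched "<output of firefox --version>"
# exit 0 if the version is at or past the fix for its branch,
#      1 if it is older (vulnerable) or on a branch that never got the fix,
#      2 if the string could not be parsed as a Firefox version at all.
firefox_is_patched() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*[Ff]irefox \([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    major=${ver%%.*}
    if [ "$major" -eq 60 ]; then
        fixed=60.7.1            # ESR branch
    elif [ "$major" -ge 67 ]; then
        fixed=67.0.3            # release branch; anything newer is also fixed
    else
        return 1                # 61-66 and anything below 60 never got this fix
    fi
    version_ge "$ver" "$fixed"
}

# Stand-alone use: check whatever firefox is on PATH, if any.
if command -v firefox >/dev/null 2>&1; then
    out=$(firefox --version 2>/dev/null || true)
    if firefox_is_patched "$out"; then
        echo "OK: '$out' includes the CVE-2019-11707 fix"
    else
        echo "UPDATE NEEDED: '$out' is not a fixed version"
    fi
else
    echo "firefox not found on PATH"
fi
```

Run it after the upgrade; if it still reports UPDATE NEEDED on Ubuntu, apt-cache policy firefox will show whether the candidate version in your configured repositories has caught up yet.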
