Mozilla patches Firefox zero-day being abused in the wild


The Mozilla team released Firefox browser version 67.0.3 earlier today to address a critical vulnerability currently being abused in the wild.

“A vulnerability can occur if JavaScript objects are manipulated because of problems with Array.pop,” Mozilla engineers wrote in today’s security advisory.

“It can make an exploitable crash possible,” they added. “We know of targeted wild attacks that abuse the flaw.”

Samuel Groß, a security researcher with the Google Project Zero security team, and the Coinbase Security team were credited with discovering the Firefox zero-day, tracked as CVE-2019-11707.

Apart from the brief description on the Mozilla site, no other details about this security flaw or the ongoing attacks are available.

On the basis of who reported the security flaw, we can safely assume that it was exploited in attacks against cryptocurrency owners.

Groß did not respond to a request for comment from Cybersguards seeking additional information on the attacks.

Firefox zero-days are pretty rare. The last time the Mozilla team patched a Firefox zero-day was in December 2016, when it fixed a security flaw that was then being abused to expose and de-anonymize Tor Browser users.

Fellow browser maker Google patched a zero-day in its browser in March this year. That zero-day was used as part of a complex exploit chain together with a Windows 7 zero-day.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.