Critical Vulnerability with Active Zero-Day Attacks: CVE-2019-11707

Critical Vulnerability with Active Zero-Day Attacks: CVE-2019-11707

Yesterday the Mozilla Foundation released information on a critical vulnerability in Firefox that was discovered in the wild during a targeted attack. Currently the details of this attack are not public, ostensibly to provide sufficient time for Mozilla to rush patch and allow users sufficient time to begin the patching process before publicized details potentially lead to further abuse.

What we do know is that this vulnerability, reported through Google's Project Zero by Samuel Groß from Coinbase Security, involves the JavaScript Array.pop library and can be exploited for remote command execution. The exploit itself does not appear to carry a risk of sandbox escape, but this does not diminish its potential in a targeted attack, and should be taken seriously and patched urgently.

According to Groß via Twitter, the details of its active exploitation have been reported by Mozilla but are currently widely known.

"The bug can be exploited for RCE but would then need a separate sandbox escape. However, most likely it can also be exploited for UXSS which might be enough depending on the attacker's goals. Looking forward to more details from @mozsec and @coinbase."

Samuel Groß (@5aelo)

19 Jun 2019

What should you do?

Mozilla has addressed these vulnerabilities in Firefox 67.0.3 and Firefox Extended Support Release (ESR) 60.7.1.

  1. If you are running an earlier version of Firefox, please update immediately.
  2. If you suspect that you may have suffered a compromise via this vector please contact your Cybersecurity Incident Response team immediately.
  3. If you represent an organization in need of expert support, Revolutionary Security is available to assist.

Contact Us

Topics

Vulnerability Management: Where is Your Company’s Achilles Heel?
Why Asset Management is Critical to Your Vulnerability Management Program