Yesterday the Mozilla Foundation released information on a critical vulnerability in Firefox that was discovered in the wild during a targeted attack. The details of the attack are not yet public, ostensibly to give Mozilla time to rush out a patch and to give users time to begin patching before publicized details lead to further abuse.
According to Groß via Twitter, the vulnerability's active exploitation has been reported by Mozilla, but the details are not currently widely known.
"The bug can be exploited for RCE but would then need a separate sandbox escape. However, most likely it can also be exploited for UXSS which might be enough depending on the attacker's goals. Looking forward to more details from @mozsec and @coinbase."
Samuel Groß (@5aelo)
19 Jun 2019
What should you do?
Mozilla has addressed these vulnerabilities in Firefox 67.0.3 and Firefox Extended Support Release (ESR) 60.7.1.
- If you are running an earlier version of Firefox, please update immediately.
- If you suspect that you may have suffered a compromise via this vector please contact your Cybersecurity Incident Response team immediately.
- If you represent an organization in need of expert support, Revolutionary Security is available to assist.
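The version check below is an added example, not code from Revolutionary Security or Mozilla. It classifies a constructed inventory of `firefox --version` strings against the patched versions named above (67.0.3 for the release branch, 60.7.1 for ESR). It assumes ESR builds carry an "esr" suffix in their version string, which is how Mozilla labels ESR application versions; the hostnames and the inventory format (host, tab, version output) are constructed for the example.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

# Fixed versions from the advisory: mainline 67.0.3, ESR 60.7.1.
PATCHED = {"release": (67, 0, 3), "esr": (60, 7, 1)}

# Matches "67.0.2", "68.0" or "60.7.0esr" inside a longer string.
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?", re.IGNORECASE)


def parse_version(text: str) -> Optional[Tuple[Tuple[int, int, int], str]]:
    """Parse a Firefox version string into ((major, minor, patch), branch).

    Returns None when no version number is present, so callers can flag the
    host as 'unknown' rather than silently treating it as patched.
    """
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3)) if m.group(3) else 0
    branch = "esr" if m.group(4) else "release"
    # Assumption for builds that omit the suffix: the mainline 60 series ended
    # at 60.0.x, so any 60.x reported without "esr" is treated as the ESR branch
    # so that it is compared against 60.7.1 instead of 67.0.3.
    if branch == "release" and major == 60:
        branch = "esr"
    return (major, minor, patch), branch


def is_patched(version: Tuple[int, int, int], branch: str) -> bool:
    """Tuple comparison gives correct ordering for major/minor/patch."""
    return version >= PATCHED[branch]


def audit(inventory: Iterable[str]) -> Dict[str, str]:
    """Map each 'host<TAB>version output' line to patched/update-required/unknown."""
    results: Dict[str, str] = {}
    for line in inventory:
        host, _, version_text = line.partition("\t")
        parsed = parse_version(version_text)
        if parsed is None:
            results[host] = "unknown"
            continue
        version, branch = parsed
        results[host] = "patched" if is_patched(version, branch) else "update-required"
    return results


# Constructed sample inventory; hostnames and version strings are illustrative.
SAMPLE_INVENTORY = [
    "ws-01\tMozilla Firefox 67.0.2",
    "ws-02\tMozilla Firefox 67.0.3",
    "ws-03\tMozilla Firefox 60.7.0esr",
    "ws-04\tMozilla Firefox 60.7.1esr",
    "ws-05\tMozilla Firefox 68.0",
    "ws-06\tno firefox installed",
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts that report no parseable version are returned as "unknown" rather than assumed safe, so they surface for manual follow-up instead of disappearing from the update list.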