Mozilla patches Firefox zero-day abused in the wild

The Mozilla team released version 67.0.3 of the Firefox browser earlier today to address a critical vulnerability that is currently being abused in the wild.

“A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop,” Mozilla engineers wrote in a security advisory posted today.

“This can allow for an exploitable crash,” they added. “We are aware of targeted attacks in the wild abusing this flaw.”

Samuel Groß, a security researcher with Google's Project Zero security team, and the Coinbase Security team were credited with discovering the Firefox zero-day, tracked as CVE-2019-11707.

Outside of the short description posted on the Mozilla site, there are no other details about this security flaw or the ongoing attacks.

Based on who reported the security flaw, we can safely assume it was being exploited in attacks aimed at cryptocurrency owners.

Groß did not respond to a request for comment from ZDNet seeking additional details about the attacks.

Firefox zero-days are quite rare. The last time the Mozilla team patched a Firefox zero-day was in December 2016, when they fixed a security flaw that was being abused at the time to expose and de-anonymize users of the privacy-first Tor Browser.

Fellow browser maker Google patched a zero-day in its browser in March this year. The zero-day was being used together with a Windows 7 zero-day as part of a complex exploit chain.
