Security researchers discover a zero-day vulnerability in Mozilla Firefox used in targeted attacks.
Background
On June 18, 2019, the Mozilla Foundation published a security advisory for a zero-day vulnerability in Mozilla Firefox that is being exploited in targeted attacks in the wild.
Analysis
According to the security advisory, CVE-2019-11707 is a type confusion vulnerability in Mozilla Firefox. The confusion arises when JavaScript objects are manipulated, due to issues in Array.pop, and can lead to an exploitable crash. In Mozilla's terminology, an "exploitable crash" means the resulting memory corruption is assessed as potentially allowing arbitrary code execution, which is why the advisory rates the issue as critical.
The vulnerability was reported to Mozilla by Google Project Zero's Samuel Groß and the Coinbase Security team. Further details about the vulnerability and the in-the-wild attacks are not public: the Bugzilla report is currently restricted, and neither Google Project Zero nor Coinbase Security has published a blog post about it. We believe this is to give users time to update to a patched version of Firefox before exploitation details become widely available.
Solution
Mozilla has released Firefox 67.0.3 and Firefox Extended Support Release (ESR) 60.7.1 to address this vulnerability. Users can confirm the installed version from Help > About Firefox, which also triggers an update check; because the flaw is being exploited in the wild, the update should be applied immediately.
Identifying affected systems
A list of Tenable plugins to identify this vulnerability will appear here as they’re released.
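While waiting for detection plugins, a quick local check is to compare the installed Firefox version against the fixed builds named in the advisory. The following is an added example written for this page, not Tenable's or Mozilla's code. It assumes `firefox --version` prints a line of the form `Mozilla Firefox <version>` with ESR builds carrying an `esr` suffix, treats any 60.x build as the ESR line, and treats release lines older than 60 as unpatched; the sample version lines it runs against are constructed for the example.

```python
"""
Added example: decide whether a Firefox build is missing the fix for
CVE-2019-11707. Fixed builds per the Mozilla advisory:
  Firefox 67.0.3 and Firefox ESR 60.7.1.

Assumptions (not from the advisory):
  - "firefox --version" prints "Mozilla Firefox <major>.<minor>[.<patch>][esr]".
  - Every 60.x build is on the ESR line (the suffix is not always printed).
  - Release lines older than 60 never received the fix.
"""
import re
import subprocess

FIXED_RELEASE = (67, 0, 3)
FIXED_ESR = (60, 7, 1)

_VERSION_RE = re.compile(
    r"Mozilla Firefox\s+(\d+)\.(\d+)(?:\.(\d+))?\s*(esr)?", re.IGNORECASE
)


def parse_version(line):
    """Return ((major, minor, patch), is_esr) for a --version line, or None."""
    m = _VERSION_RE.search(line)
    if not m:
        return None
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3)) if m.group(3) else 0
    # Assumption: a bare "60.x" with no suffix is still the ESR line.
    is_esr = bool(m.group(4)) or major == 60
    return (major, minor, patch), is_esr


def is_affected(line):
    """True if the build predates the fix, False if fixed, None if unparseable."""
    parsed = parse_version(line)
    if parsed is None:
        return None
    version, is_esr = parsed
    if is_esr:
        # ESR 60 branch: anything below 60.7.1 is affected.
        return version < FIXED_ESR
    if version[0] < 60:
        # Assumption: older release lines are out of support and unpatched.
        return True
    # Release branch: anything below 67.0.3 is affected.
    return version < FIXED_RELEASE


def check_local_firefox(binary="firefox"):
    """Run the local binary and classify it. Returns (version_line, affected)."""
    out = subprocess.run(
        [binary, "--version"], capture_output=True, text=True, check=True
    ).stdout
    return out.strip(), is_affected(out)


if __name__ == "__main__":
    # Constructed sample output lines, not captured from real systems.
    samples = [
        "Mozilla Firefox 67.0.2",
        "Mozilla Firefox 67.0.3",
        "Mozilla Firefox 60.7.0esr",
        "Mozilla Firefox 60.7.1esr",
        "Mozilla Firefox 68.0",
        "Mozilla Firefox 66.0.5",
        "not a firefox version line",
    ]
    for line in samples:
        print(f"{line!r}: affected={is_affected(line)}")
```

`is_affected` returns `None` for lines it cannot parse so that a broken inventory entry is surfaced rather than silently reported as safe; `check_local_firefox` wraps the same logic around the live binary for use on a single host.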
Get more information
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.