Firefox Zero-Day Exploited to Deliver Malware to Cryptocurrency Exchanges

[silversurfer]

The recently patched Firefox vulnerability tracked as CVE-2019-11707 has been exploited to deliver Windows and Mac malware to the employees of cryptocurrency exchanges.
 
Mozilla announced on Tuesday that the latest update for Firefox patched a critical type confusion zero-day that had been exploited in targeted attacks. The Tor Project has also updated its browser, which is based on Firefox, to address the vulnerability.
 
The flaw was reported to Mozilla by the security team at cryptocurrency exchange Coinbase and Samuel Groß of Google Project Zero, but initially no details were made available on the attacks.
 
Philip Martin of the Coinbase security team revealed on Twitter that CVE-2019-11707 had been used alongside another unpatched Firefox vulnerability, a sandbox escape weakness, to target Coinbase employees. Martin said the attackers also targeted other cryptocurrency-related organizations.

SOURCE: https://www.securityweek.com/firefox-zer...-exchanges

[silversurfer]

Mozilla Patches Second Firefox Zero-Day Used in Cryptocurrency Attacks
 
The flaw, tracked as CVE-2019-11708, has been described by Mozilla as a high-severity sandbox escape issue.
 
“Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer,” Mozilla said in its advisory

SOURCE: https://www.securityweek.com/mozilla-pat...cy-attacks