
Mozilla patches Firefox zero-day abused in the wild - LinuxBender
https://www.zdnet.com/article/mozilla-patches-firefox-zero-day-abused-in-the-wild/
======
CryptoBard
Someone I know was hit by this in a very targeted attack on June 6th. They
managed to capture the binary it dropped on their Mac with some other
Gatekeeper bypass vulnerability (perhaps
[https://www.bleepingcomputer.com/news/security/new-unpatched...](https://www.bleepingcomputer.com/news/security/new-unpatched-macos-gatekeeper-bypass-published-online/)).
It is a Mac port of the binary discussed in this research paper by Exatel:
[https://exatel.pl/advisory/paranoicy-raport-socexatel.pdf](https://exatel.pl/advisory/paranoicy-raport-socexatel.pdf)

~~~
sterlind
Sounds extremely targeted, if an attacker is porting the attack to Macs
(presumably a lot of work), and combining it with other loaders... I wonder
how long this 0-day was in the wild.

Your friend should probably be browsing as a non-admin in a continuously-
reimaged VM, separate from an air-gapped machine, if you have those kinds of
attackers after you. Spooky..

~~~
saidajigumi
_if an attacker is porting the attack to Macs (presumably a lot of work)_

It's worth noting that a professional security and pentest company I know of
had a Python-based exploit authoring DSL that automatically generated exploit
code across a very wide range of processor architectures and OSes. This was
about fifteen years ago.

~~~
kseifried
You mean Core Impact? =).

~~~
saidajigumi
dingdingdingdingding!

------
factismo
It's a JIT bug, you can see the fix here:
[https://hg.mozilla.org/releases/mozilla-release/rev/99a829d2...](https://hg.mozilla.org/releases/mozilla-release/rev/99a829d2a2a7859b10508b6f05e99780c5e2dc68)

~~~
pdkl95
Assuming this[1] test for sparse indexes with extra properties in the unfixed
version of the file is part of the bugged code, the annotations suggest that
the bug _MIGHT_ have been (partially?) introduced by this[2] changeset. If so,
that means all versions of Firefox >= 38.0a1 (21 Apr _2015_) might be
vulnerable to the bug.

If the bug is really that old, it's certainly possible it might have been
abused in the wild, perhaps in more ways than just the "targeted attacks"
mentioned in the report.

[1] [https://hg.mozilla.org/releases/mozilla-release/rev/99a829d2...](https://hg.mozilla.org/releases/mozilla-release/rev/99a829d2a2a7859b10508b6f05e99780c5e2dc68#l1.62)

[2] [https://hg.mozilla.org/releases/mozilla-release/rev/6bfcb81d...](https://hg.mozilla.org/releases/mozilla-release/rev/6bfcb81d3716bfcdcd0045d0fb80153159513a83)

------
ademup
"A type confusion vulnerability can occur when manipulating JavaScript objects
due to issues in Array.pop. This can allow for an exploitable crash. We are
aware of targeted attacks in the wild abusing this flaw."

I'm at a loss imagining how this might work, can anyone expound on this? How
might this actually occur?

~~~
dang
This quote is from
[https://www.mozilla.org/en-US/security/advisories/mfsa2019-1...](https://www.mozilla.org/en-US/security/advisories/mfsa2019-18/).

We merged that thread
([https://news.ycombinator.com/item?id=20220804](https://news.ycombinator.com/item?id=20220804))
into this one.

~~~
akerro
> You are not authorized to access bug 1544386. To see this bug, you must
> first log in to an account with the appropriate permissions.

------
amaccuish
It's in moments like this where I really dislike running Ubuntu and having to
wait for the new build to be released.

~~~
jlgaddis
You could download the 64-bit Linux build [0] and use it until a new Ubuntu
package is available.

[0]: [https://download.mozilla.org/?product=firefox-latest-ssl&os=...](https://download.mozilla.org/?product=firefox-latest-ssl&os=linux64&lang=en-US)

~~~
amaccuish
Thanks, for some reason I thought they only provided source and not builds.

------
user17843
How useful is blocking third party scripts and frames against this?

------
im3w1l
Took me a good while to find out how to check my version and update, as that
functionality has moved around in the UI.

~~~
wlesieutre
If anybody else is hunting for this:

_Hamburger menu -> Help -> About Firefox_

Your version number is listed under the big heading, and if there’s an update
available there should be a button next to that.

My question, I'm on beta channel and updated to 68.0b11 today and don't see
detailed release notes.

67.0.3 (normal channel) lists "Security fix"
[https://www.mozilla.org/en-US/firefox/67.0.3/releasenotes/](https://www.mozilla.org/en-US/firefox/67.0.3/releasenotes/)

But beta channel only says 68.0beta released May 22nd, no info on newer beta
versions. This is the link in the about box:
[https://www.mozilla.org/en-US/firefox/68.0beta/releasenotes/](https://www.mozilla.org/en-US/firefox/68.0beta/releasenotes/)

I totally get not wanting to write fine-grained release notes on every single
beta version, but 0-day fixes feel like the kind of thing that ought to be
explicitly pointed out. I'm assuming that the same fix from release channel
was also pushed in the 68.0b11 update but a release note about that would be
swell.

~~~
the_jeremy
On Mac, it's _Firefox menu -> About Firefox_, then wait for it to download
the update and click restart.

------
cozzyd
Let's see how long it takes Fedora to deploy an update...

~~~
viraptor
Being built already:
[https://koji.fedoraproject.org/koji/buildinfo?buildID=128978...](https://koji.fedoraproject.org/koji/buildinfo?buildID=1289780)

~~~
metta2uall
I'm grateful to QubesOS for being able to easily browse in a disposable VM
whilst waiting for the build. Even without QubesOS starting a disposable VM
manually is probably worth the effort..

------
snaky
The last Nightly Firefox build for Android to date is 68.0.a1 from 2019-05-04.

[https://www.mozilla.org/en-US/firefox/android/nightly/all/](https://www.mozilla.org/en-US/firefox/android/nightly/all/)

Does it contain the fix?

~~~
gruez
Looks like nightly builds aren't being published. Even if you browse the
directories manually, they're not there[1]. On Google Play[2] it's showing as
updated, though.

[1] [https://download-installer.cdn.mozilla.net/pub/mobile/nightl...](https://download-installer.cdn.mozilla.net/pub/mobile/nightly/2019/06/)
although the ESR builds are coming in fine, so maybe something broke the build
script?

[2]
[https://play.google.com/store/apps/details?id=org.mozilla.fe...](https://play.google.com/store/apps/details?id=org.mozilla.fennec_aurora)

~~~
snaky
While the official ESR FAQ says there's no ESR for Android ever.

> Is Mozilla Firefox ESR available for Android and iOS?

> No. Firefox ESR will only be offered for Windows, macOS and Linux for
> desktop computers.

Play Store is confusing, because the actual version is "depends on your
device".

~~~
robotbikes
F-droid has a program called Firefox Updater which downloads the latest apk
from Mozilla directly.

------
thesorrow
How to know if you have been infected?

~~~
user17843
It looks like it specifically targets cryptocurrency owners.

If one has critical personal data on a computer and uses it to casually browse
the web, one should probably rethink that approach and use different physical
devices for different purposes.

------
ga-vu
This seems like an ideal vulnerability for exploit kits, to be honest. Crash
and run code to drop malware on a system.

------
est31
Firefox is supposed to have sandboxing, right? Does this sandboxing help
against such attacks? As in: is there a second attack on the sandbox needed to
get RCE?

~~~
lorenzhs
From the article: _"Following a request for additional details from ZDNet,
Groß said "the bug can be exploited for RCE [remote code execution] but would
then need a separate sandbox escape" in order to run code on an underlying
operating system."_

------
AnaniasAnanas
[https://bugzilla.mozilla.org/show_bug.cgi?id=1544386](https://bugzilla.mozilla.org/show_bug.cgi?id=1544386)

I find it really gross that they do not allow others to access it. This
behavior damages the forks.

~~~
auscompgeek
The source code for the fix is public. Presumably the bug report includes
working exploit code. I don't see how this is "damaging" for forks.

~~~
AnaniasAnanas
It is important to also understand what causes the issue, how it was
exploited, etc. Plus I am pretty sure that they had the bug report before the
fix was released.

~~~
lifthrasiir
Is there any fork that modifies Firefox so thoroughly that one needs
context to patch SpiderMonkey?

------
beezle
Really unhappy with Mozilla. Does this affect all versions of Firefox? Quantum
only? The bug report itself is not viewable publicly either.

~~~
amaccuish
True they could have been clearer on the versions affected, but tbh you should
keep with the latest supported anyway.

Security bug reports are often restricted for some time after a new release to
help prevent reverse engineering to find the bug.

~~~
beezle
Please do not assume people are not running current release just because they
are lazy and have not upgraded.

The user experience was degraded at FF57 for many individuals who need
extensions that will not work with ff>56 or that developers have abandoned out
of frustration with Mozilla. When all the extensions I find necessary are
functional (or with suitable replacements) I will switch.

~~~
roblabla
If you don't want Firefox Quantum, you should still switch to a supported
browser that kept XUL, such as Basilisk.

Also I'm curious, what extensions are missing? Most of my pre-quantum
extensions, such as Tree Style Tabs, have been updated now.

~~~
coldpie
> I'm curious, what extensions are missing?

There are a couple I sorely miss. Disable Ctrl-Q died, and so did Toggle
Animated GIFs. Now I have to keep an extra tab open with a warn-on-page-close
handler to prevent Ctrl-Q fat-fingering from killing my session. And I've just
disabled video/GIF animations entirely, instead of using the cool extension
which let me start/stop them on demand.

I also used to have a cool cookie exporter extension, which was useful in
combination with wget for scraping sites that required a login. I admit I
haven't searched for a replacement, though, so maybe there is one.

