Vulnerability in Mozilla Firefox Could Allow for Arbitrary Code Execution[1]

A vulnerability has been discovered in Mozilla Firefox and Firefox Extended Support Release (ESR), which could allow for arbitrary code execution.[2] Mozilla Firefox is a web browser used to access the Internet. Mozilla Firefox ESR is a version of the web browser intended to be deployed in large organizations. Successful exploitation of this vulnerability could allow for arbitrary code execution through an exploitable crash. Mozilla is currently aware of targeted attacks in the wild abusing this flaw. Mozilla Firefox versions prior to 67.0.3 and Mozilla Firefox ESR versions prior to 60.7.1 are vulnerable.

A second vulnerability was discovered in the same software which could allow for sandbox escape.[3] Successful exploitation of this vulnerability could bypass the sandbox safety feature to allow unsafe web content to be loaded into the browser. Mozilla is aware of these two vulnerabilities being chained together and exploited in the wild to deliver malware payloads via phishing emails. Mozilla Firefox prior to 67.0.4 and Mozilla Firefox ESR prior to 60.7.2 are vulnerable.

Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Details:

A vulnerability has been discovered in Mozilla Firefox and Firefox Extended Support Release (ESR), which could allow for arbitrary code execution. A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This may allow for an exploitable crash (Mitre:CVE-2019-11707). A second vulnerability discovered in the same software could bypass the sandbox safety feature to allow for unsafe web content to be loaded into the browser. A programming error does not properly validate the parameters passed between parent and child processes using the IPC message Prompt:Open. This could allow unsafe web content to be loaded into the parent process by a compromised child process (Mitre:CVE-2019-11708). Successful exploitation of these vulnerabilities could allow for arbitrary code execution that bypasses Firefox’s sandbox safety feature. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Recommended Remediation:

  • Apply appropriate updates provided by Mozilla to vulnerable systems, immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.
  • Apply the Principle of Least Privilege to all systems and services.
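
To support the first remediation step, the following added example (not part of the original advisory) triages an inventory of reported Firefox versions against the fixed versions stated above. It assumes version strings in the form printed by `firefox --version`, with ESR builds carrying an `esr` suffix; the hostnames and sample strings are constructed.

```python
import re

# Fixed versions as stated in the advisory text (release and ESR channels).
FIXED = {
    "release": {"CVE-2019-11707": (67, 0, 3), "CVE-2019-11708": (67, 0, 4)},
    "esr": {"CVE-2019-11707": (60, 7, 1), "CVE-2019-11708": (60, 7, 2)},
}
# Assumption: ESR builds report an "esr" suffix, e.g. "60.7.1esr". A build
# reported without it is compared against the release thresholds, which
# over-reports rather than under-reports exposure.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?\b", re.IGNORECASE)


def parse_version(text):
    """Return ((major, minor, patch), channel) from a reported version string."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Firefox version in {text!r}")
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    return version, ("esr" if m.group(4) else "release")


def unpatched_cves(text):
    """List the advisory's CVEs that the reported build is still exposed to."""
    version, channel = parse_version(text)
    return sorted(cve for cve, fixed in FIXED[channel].items() if version < fixed)


def triage(inventory):
    """Map host -> unpatched CVEs. Unparseable entries map to None so they
    are reviewed by hand instead of being silently treated as patched."""
    report = {}
    for host, reported in inventory.items():
        try:
            report[host] = unpatched_cves(reported)
        except ValueError:
            report[host] = None
    return report


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and strings are made up.
    sample = {
        "ws-001": "Mozilla Firefox 67.0.2",
        "ws-002": "Mozilla Firefox 60.7.1esr",
        "ws-003": "Mozilla Firefox 67.0.4",
        "ws-004": "firefox: command not found",
    }
    for host, cves in triage(sample).items():
        status = "review manually" if cves is None else (", ".join(cves) or "patched")
        print(f"{host}: {status}")
```

A build that has the first fix but not the second (67.0.3 or 60.7.1esr) is still reported as exposed to the sandbox escape.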

CVE:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11707

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11708

Wapack Labs is located in New Boston, NH.  We are a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com

[1] MS-ISAC ADVISORY NUMBER: 2019-067

[2] https://www.mozilla.org/en-US/security/advisories/mfsa2019-18/

[3] https://www.mozilla.org/en-US/security/advisories/mfsa2019-19/
