Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Save more on your purchases now! discount-offer-chevron-icon
Savings automatically calculated. No voucher code required.
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon

A second zero-day found in Firefox was used to attack Coinbase employees; fix released in Firefox 67.0.4 and Firefox ESR 60.7.2

Save for later
  • 4 min read
  • 21 Jun 2019

article-image

Earlier this week, Mozilla fixed a zero-day vulnerability that was being actively exploited by attackers. It released another security update yesterday when the Coinbase Security team detected a second zero-day vulnerability in Firefox. This update has landed in Firefox 67.0.4 and Firefox ESR 60.7.2.

The two zero-day vulnerabilities


The first one was a type confusion vulnerability tracked as CVE-2019-11707 that occurs “when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash.” It enables an attacker to run malicious code inside Firefox’s native process. This vulnerability was reported by both Coinbase Security team and Samuel Groß, a security researcher with Google Project Zero security team. Groß has reported the vulnerability on Bugzilla back in April 15th.

https://twitter.com/5aelo/status/1141273394723414016

Sharing the implications of the vulnerability, the tech researcher said, “the bug can be exploited for RCE [remote code execution] but would then need a separate sandbox escape to run code on an underlying operating system. However, most likely it can also be exploited for UXSS [universal cross-site scripting] which might be enough depending on the attacker’s goals.

The second zero-day vulnerability was described as “sandbox escape using Prompt:Open” and is assigned CVE-2019-11708. This highly-critical vulnerability enables the escape of malware from the Firefox protected process and its execution on the targeted host. “Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process,” the advisory page reads.

The Coinbase attack


Not much detail was out about these attacks and vulnerabilities until yesterday when Martin Phil, Chief Information Security Officer at Coinbase, and his team detected an attack targeting Coinbase employees. Coinbase also said that the attacker might have targeted other cryptocurrency organizations as well. It is now notifying the organizations that it believes have been possibly targeted.

https://twitter.com/SecurityGuyPhil/status/1141466335592869888

Fortunately, the attack was detected before it was able to do any damage. If it had been left undetected, the attacker could have gained access to the Coinbase backend network and stole funds from exchanges. Phil in his tweets also shared a couple of Indicators of Compromise (IOC) that will give the indication whether a system is affected or not.

https://twitter.com/SecurityGuyPhil/status/1141466339518767104

Vitali Kremez who specializes in Information Security, Malware Hunting & Carding, Cybercrime Intelligence, speculated that these IOCs were linked to a username “powercat”.

https://twitter.com/VK_Intel/status/1141540229951709184

Going by the IOCs, we can say that the attacker would have sent a spear-phishing email to lure victims to a web page. So, if the victims were using a vulnerable Firefox version, the web page would have downloaded and installed the malware on their systems.

The macOS backdoor attack


Not only cryptocurrency organizations, it looks like the attacker has also targeted other Firefox users as well. Yesterday, Patrick Wardle, a macOS security expert published an analysis of a Mac malware. This malware was sent by a user who claimed that it was installed in his fully updated Mac through Firefox’s zero-day vulnerability. Here’s how the email sent by the attacker to this user looked like:

a-second-zero-day-found-in-firefox-was-used-to-attack-coinbase-employees-fix-released-in-firefox-67-0-4-and-firefox-esr-60-7-2-img-0

Unlock access to the largest independent learning library in Tech for FREE!
Get unlimited access to 7500+ expert-authored eBooks and video courses covering every tech area you can think of.
Renews at €18.99/month. Cancel anytime

Source: Objective-See


The malware that was installed on the user’s system was called Finder.app, the hash of which completely matched with one of the hashes provided by Martin.

This news sparked a discussion on Hacker News. Many users found it unsettling that Mozilla took two months to deliver the security patch to fix a very crucial bug report. “Really, that Mozilla would let a reported RCE vulnerability simmer for two months until it bit someone would seem to reflect very poorly on their priorities and competence,” a user commented.

Others were rather interested to know how Coinbase discovered this attack. A user commented, “I am more interested in how Coinbase employees discovered the attack. I am assuming nobody clicked the suspicious link and instead took it to a vm for reversing and analysis. It would have been game over if the exploit was actually executed on a non-sandboxed machine.

Mozilla releases Firefox 67.0.3 and Firefox ESR 60.7.1 to fix a zero-day vulnerability, being abused in the wild

Firefox releases v66.0.4 and 60.6.2 to fix the expired certificate problem that ended up disabling add-ons

Firefox 67 enables AV1 video decoder ‘dav1d’, by default on all desktop platforms