On June 18th, 2019, Mozilla released a critical advisory (CVE-2019-11707) for a 'type confusion' vulnerability that is being actively exploited in the wild. If successful, exploitation enables remote malicious actors to take full control of any vulnerable system(s).
The researcher who discovered this flaw indicates the bug can be exploited for UXSS (Universal Cross-Site Scripting) or RCE (Remote Code Execution). While both outcomes are serious, it is worth noting that RCE would require additional complexity for successful exploitation (e.g. a sandbox escape), whereas UXSS is a client-side attack that could allow the execution of malicious script in the context of other websites within the browser.
Mozilla has indicated the following versions are fixed and protected against this critical flaw: Firefox 67.0.3 and Firefox ESR 60.7.1. It is highly recommended to apply the security patches after performing a business impact review, as attacks exploiting CVE-2019-11707 are already occurring.
What we’re doing about it
- MVS (formerly esRECON) local plugins identify this vulnerability
- The Threat Intelligence team is monitoring this topic for additional information
What you should do about it
- After performing a business impact review, apply the latest update for Firefox (Firefox 67.0.3 / Firefox ESR 60.7.1)
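To help confirm the update has actually landed across a fleet, the following is an added example (not tooling from Mozilla or from this advisory) that classifies reported Firefox version strings against the two fixed builds named above, 67.0.3 and ESR 60.7.1. The regex, the rule that treats the 60.x line as ESR, the inventory format and the sample hosts are all assumptions made for illustration; only the fixed version numbers come from the advisory.

```python
"""Classify Firefox version strings against the CVE-2019-11707 fixed builds.

Added example; not Mozilla's or the advisory's own code. The fixed version
numbers come from the advisory; the parsing rules and sample data are
assumptions made for illustration.
"""
import re
from typing import List, Optional, Tuple

# Fixed builds named in the advisory.
FIXED_RELEASE = (67, 0, 3)   # mainline Firefox
FIXED_ESR_60 = (60, 7, 1)    # Firefox ESR 60 line

# Accepts "67.0.3", "60.7.1esr", or the output of `firefox --version`
# ("Mozilla Firefox 67.0.3"). The patch component is optional ("66.0").
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?", re.IGNORECASE)


def parse_version(text: str) -> Optional[Tuple[Tuple[int, int, int], bool]]:
    """Return ((major, minor, patch), is_esr), or None if no version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3)) if m.group(3) else 0
    # Assumption: at the time of the advisory the 60.x line is the ESR line,
    # so a bare "60.7.x" is treated as ESR even without the suffix.
    is_esr = m.group(4) is not None or major == 60
    return (major, minor, patch), is_esr


def is_patched(text: str) -> Optional[bool]:
    """True if the build is at or above the fixed version for its branch,
    False if it is below it, None if the string carries no version."""
    parsed = parse_version(text)
    if parsed is None:
        return None
    version, is_esr = parsed
    if is_esr and version[0] == 60:
        return version >= FIXED_ESR_60
    # Anything else (mainline, or a later ESR line) is measured against 67.0.3.
    return version >= FIXED_RELEASE


def hosts_needing_update(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (host, state) for hosts that are below the fixed build ("vulnerable")
    or whose reported string could not be parsed ("unknown"); patched hosts are omitted.
    Unknown entries are kept deliberately so they are followed up rather than
    silently counted as safe."""
    result = []
    for host, reported in inventory:
        status = is_patched(reported)
        if status is not True:
            result.append((host, "unknown" if status is None else "vulnerable"))
    return result


# Constructed sample inventory (hostname, string reported by the endpoint).
SAMPLE_INVENTORY = [
    ("ws-01", "Mozilla Firefox 67.0.3"),
    ("ws-02", "Mozilla Firefox 67.0.2"),
    ("ws-03", "60.7.1esr"),
    ("ws-04", "60.7.0esr"),
    ("ws-05", "Mozilla Firefox 66.0"),
    ("ws-06", "not installed"),
]

if __name__ == "__main__":
    for host, state in hosts_needing_update(SAMPLE_INVENTORY):
        print(f"{host}: {state}")
```

Feed it whatever version strings your inventory or endpoint agent already collects; the point is that a host reporting no usable version is surfaced as "unknown" rather than dropped, since those are the machines most likely to be missed during the rollout.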
Attacks in the wild are believed, though not yet confirmed, to be financially motivated and to be targeting cryptocurrency exchanges.