Security advisories | Jun 20, 2019
Second Firefox Zero-Day Announced - CVE-2019-11708
The Threat
On June 20th, 2019, Mozilla released security patches to address a zero-day vulnerability being exploited in the wild [1]. The vulnerability (CVE-2019-11708) allows for sandbox escape using Prompt:Open. Sandbox escape, in the context of web-browsers, could allow for malicious code to escape a secure environment and reach the user’s machine. Although the vulnerability is not critical on its own, if linked with the “type confusion” vulnerability (CVE-2019-11707) released yesterday, a threat actor can achieve remote code execution.
Due to its use in attacks in the wild, security patches to address CVE-2019-11708 should be applied as soon as possible.
What we’re doing about it
- The Threat Intelligence team is monitoring this topic for additional information
- MVS (formerly esRECON) is in the process of releasing plugins to identify this vulnerability
What you should do about it
- After performing a business impact review, apply the latest update for Firefox (Firefox 67.0.4 / Firefox ESR 60.7.2)
Additional information
CVE-2019-11708 is due to an insufficient vetting of parameters passed with the Prompt:Open IPC message. The vulnerability was originally discovered in mid-April by Google’s Project Zero. Patch release was prompted after Coinbase, a cryptocurrency exchange, reported attacks utilizing both CVE-2019-11707 and CVE-2019-11708 [2].
For more information on (CVE-2019-11707) see the eSentire advisory Firefox Zero-Day Vulnerability [3].
References:
[1] https://www.mozilla.org/en-US/security/advisories/mfsa2019-19/
[2] https://www.zdnet.com/article/mozilla-fixes-second-firefox-zero-day-exploited-in-the-wild/
[3] https://www.esentire.com/security-advisories/firefox-zero-day-vulnerability/