On June 20th, 2019, Mozilla released security patches to address a zero-day vulnerability being exploited in the wild . The vulnerability (CVE-2019-11708) allows for sandbox escape using Prompt:Open. Sandbox escape, in the context of web-browsers, could allow for malicious code to escape a secure environment and reach the user’s machine. Although the vulnerability is not critical on its own, if linked with the “type confusion” vulnerability (CVE-2019-11707) released yesterday, a threat actor can achieve remote code execution.
Due to its use in attacks in the wild, security patches to address CVE-2019-11708 should be applied as soon as possible.
What we’re doing about it
- The Threat Intelligence team is monitoring this topic for additional information
- MVS (formerly esRECON) is in the process of releasing plugins to identify this vulnerability
What you should do about it
- After performing a business impact review, apply the latest update for Firefox (Firefox 67.0.4 / Firefox ESR 60.7.2)
CVE-2019-11708 is due to an insufficient vetting of parameters passed with the Prompt:Open IPC message. The vulnerability was originally discovered in mid-April by Google’s Project Zero. Patch release was prompted after Coinbase, a cryptocurrency exchange, reported attacks utilizing both CVE-2019-11707 and CVE-2019-11708 .
For more information on (CVE-2019-11707) see the eSentire advisory Firefox Zero-Day Vulnerability .