The Threat

On June 20th, 2019, Mozilla released security patches to address a zero-day vulnerability being exploited in the wild [1]. The vulnerability (CVE-2019-11708) allows for sandbox escape using Prompt:Open. Sandbox escape, in the context of web-browsers, could allow for malicious code to escape a secure environment and reach the user’s machine. Although the vulnerability is not critical on its own, if linked with the “type confusion” vulnerability (CVE-2019-11707) released yesterday, a threat actor can achieve remote code execution.

Due to its use in attacks in the wild, security patches to address CVE-2019-11708 should be applied as soon as possible. 

What we’re doing about it

  • The Threat Intelligence team is monitoring this topic for additional information
  • MVS (formerly esRECON) is in the process of releasing plugins to identify this vulnerability 

What you should do about it

  • After performing a business impact review, apply the latest update for Firefox (Firefox 67.0.4 / Firefox ESR 60.7.2)

Additional information

CVE-2019-11708 is due to an insufficient vetting of parameters passed with the Prompt:Open IPC message. The vulnerability was originally discovered in mid-April by Google’s Project Zero. Patch release was prompted after Coinbase, a cryptocurrency exchange, reported attacks utilizing both CVE-2019-11707 and CVE-2019-11708 [2].

For more information on (CVE-2019-11707) see the eSentire advisory Firefox Zero-Day Vulnerability [3].

References:

[1] https://www.mozilla.org/en-US/security/advisories/mfsa2019-19/

[2] https://www.zdnet.com/article/mozilla-fixes-second-firefox-zero-day-exploited-in-the-wild/

[3] https://www.esentire.com/security-advisories/firefox-zero-day-vulnerability/ 

See the latest security advisories

Articles and reports written by eSentire staff and our Threat Intelligence Research Group.

Ready to get started?
We're here to help.

Get Started
Reach out to schedule a meeting and learn more about our Managed Detection and Response, Risk Advisory and Managed Prevention capabilities.