Date: 20th June 2019
Mozilla Firefox is a popular cross-platform web browser with approximately 500 million users and is used extensively within organisations.
A zero-day vulnerability has been discovered in Mozilla Firefox and Firefox Extended Support Release (ESR) which permits arbitrary code execution by attackers. Exploitation of this vulnerability has already been detected in the wild.
Whilst critical vulnerabilities in browsers are not uncommon, the severity of this vulnerability combined with the in-the-wild attacks observed has led to a number of notifications from global government organisations. Owing to the broad install base, it is highly likely that this report is relevant to Invinsec customers.
Tactics, Techniques and Procedures
Targeted attacks are being reported although the specific details of these, including targeted geographies, industries and likely end goals are not yet publicised.
It is most likely that exploitation is delivered through UXSS (Universal Cross-Site Scripting) attacks on websites. Users are lured to affected pages through methods such as:
- Phishing emails containing a link to an infected web page
- A legitimate web page into which exploit code has been inserted, through methods such as:
  - Cross-Site Scripting on forum-type sites
  - Following a compromise of the target website
  - Compromising the supply chain of the website to include exploits in external scripts such as advertising
All Windows, macOS and Linux machines running the following Firefox versions are affected:
- Mozilla Firefox versions prior to 67.0.3
- Mozilla Firefox ESR versions prior to 60.7.1
Invinsec recommends the following activities:
- Apply the updates provided on the official Mozilla website to vulnerable systems.
- Run all software as a non-privileged user to limit the impact of a successful attack.
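As an added example (not Invinsec's or Mozilla's code), the following script triages a fleet inventory of Firefox version strings against the fixed releases named above (67.0.3 for the release channel, 60.7.1 for ESR) so that the hosts still needing the update can be listed; the host names and version strings in the inventory are constructed.

```python
import re

# Fixed releases named in the advisory: versions below these are affected.
FIXED_RELEASE = (67, 0, 3)  # Firefox release channel
FIXED_ESR = (60, 7, 1)      # Firefox Extended Support Release

# Matches '67.0.2', '68.0' or '60.7.0esr' (ESR builds carry the 'esr' suffix).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(esr)?$", re.IGNORECASE)


def parse_version(text):
    """Parse 'Mozilla Firefox 67.0.2' or a bare '60.7.0esr' into
    ((major, minor, patch), is_esr); returns None for betas/nightlies etc."""
    parts = text.strip().split()
    match = _VERSION_RE.match(parts[-1]) if parts else None
    if not match:
        return None
    major, minor, patch, esr = match.groups()
    return (int(major), int(minor), int(patch or 0)), esr is not None


def is_affected(text):
    """True when the version is below the fixed release for its channel.
    A string without an 'esr' suffix is compared against the release-channel
    fix, which is the conservative choice: a 60.x build that does not identify
    itself as ESR is flagged rather than assumed patched."""
    parsed = parse_version(text)
    if parsed is None:
        raise ValueError(f"unrecognised Firefox version string: {text!r}")
    version, is_esr = parsed
    return version < (FIXED_ESR if is_esr else FIXED_RELEASE)


def triage(inventory):
    """Return the sorted host names whose Firefox still needs the update."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory (host name -> output of 'firefox --version').
SAMPLE_INVENTORY = {
    "ws-01": "Mozilla Firefox 67.0.2",
    "ws-02": "Mozilla Firefox 67.0.3",
    "ws-03": "Mozilla Firefox 68.0",
    "srv-01": "Mozilla Firefox 60.7.0esr",
    "srv-02": "Mozilla Firefox 60.7.1esr",
}

if __name__ == "__main__":
    print("hosts needing the Firefox update:", triage(SAMPLE_INVENTORY))
```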