zero-day vulnerabilities with the release of its latest versions, Firefox
67.0.3 and Firefox ESR 60.7.1. These flaws were rampantly exploited by
hackers to remotely execute arbitrary code on the systems of users who ran
vulnerable versions of the browser.

Array.pop; before Mozilla released the patch, hackers could set off the
attack by luring users of vulnerable versions of the browser to a
malicious web address designed to take control of the affected systems
and, consequently, execute arbitrary code on the machines.

advisory of Mozilla, the browser developers are “aware of targeted attacks
in the wild abusing this flaw” that could allow hackers who take advantage
of this zero-day flaw to take over the affected machines.

As a security measure against the Firefox and Firefox ESR zero-day
vulnerabilities, which were reported to Mozilla by the Coinbase Security team and
Samuel Groß from Google Project
U.S. Cybersecurity and Infrastructure Security Agency (CISA) put forth advice suggesting users “to review the
Mozilla Security Advisory for Firefox 67.0.3 and Firefox ESR 60.7.1 and apply
the necessary updates.”

exploited for RCE [remote code execution] but would then need a separate
[universal cross-site scripting] which might be enough depending on the
attacker’s goals,” he added.

50.0.2 and 45.5.1 ESR, earlier in 2016 as well. Back in 2016, the flaw was
exploited by cybercriminals to de-anonymize Tor Browser users and
collect their private data, such as MAC addresses, hostnames, and IP addresses.