Firefox again asks users to update, to 67.0.4 and 60.7.2, because of a second zero day bug

Bug in Firefox

Yesterday one of our colleagues reported a zero day vulnerability discovered in Firefox that affects all versions of the browser and is being actively exploited in targeted attacks. The flaw was disclosed through Google's Project Zero.

Now, a day later, Mozilla is again asking all users of the browser to update to a newer version, which has already been released, because a second zero day vulnerability has been discovered in the browser.

A second zero day bug in Firefox

Mozilla has released Firefox 67.0.4 to fix a security vulnerability that has been used in targeted attacks against cryptocurrency firms such as Coinbase. Firefox users should install this update immediately.

Following Firefox 67.0.3 and 60.7.1, additional corrective versions 67.0.4 and 60.7.2 have been released, fixing a second zero day vulnerability (CVE-2019-11708) that allows the browser's sandbox isolation mechanism to be bypassed.

The problem lies in the handling of the Prompt:Open IPC request: by manipulating that IPC call, a compromised child process can have web content opened in a process that does not use a sandbox.

Combined with another vulnerability, this issue allows all levels of protection to be bypassed and code to be executed on the system.

Before they were fixed, the vulnerabilities addressed in the last two Firefox releases were used to stage an attack against employees of the cryptocurrency exchange Coinbase, and were also used to spread malware for the macOS platform.

Insufficient verification of the parameters passed with the Prompt:Open IPC message between the child and parent processes can cause the non-sandboxed parent process to open web content chosen by a compromised child process. When combined with additional vulnerabilities, this could result in arbitrary code execution on the user's computer.

This week, Mozilla released Firefox 67.0.3 to fix a critical remote code execution vulnerability that was being used in targeted attacks.

Since its release, it has been discovered that this vulnerability and another, previously unknown one were chained together as part of a spoofing attack to drop and execute malicious payloads on victims' machines.

It is reported that information about the first vulnerability was sent to Mozilla by a Google Project Zero researcher on April 15 and fixed on June 10 in the beta version of Firefox 68 (the attackers probably analyzed the published fix and prepared their exploit using another vulnerability to escape the sandbox isolation).

How to update the Firefox browser on Linux?

To update the browser to the new corrective versions, or to install it if you do not have it yet, follow the instructions below.

Users of Ubuntu, Linux Mint or another Ubuntu derivative can install or update to this new version with the help of the browser's PPA.

To add it to the system, open a terminal and run the following commands:

sudo add-apt-repository ppa:ubuntu-mozilla-security/ppa -y
sudo apt-get update

Once that is done, install (or update) the browser with:

sudo apt install firefox

Users of all other Linux distributions can download the binary packages from the following link.

Or check whether the new version has already been added to your distribution's repositories.

Another way to update the browser to the latest version is from within the browser itself: open the Firefox menu -> Help -> About Firefox. Firefox will automatically check for a new update and install it.
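Whichever update route you take, it helps to verify afterwards that the installed build actually carries the fix. The following script is an added example, not from the article or from Mozilla: it compares an installed Firefox version against the fixed versions named above (67.0.4 for the release line, 60.7.2 for the ESR line) and assumes that releases newer than 67.0.4 keep the fix.

```shell
#!/bin/sh
# Added example (not from the article or from Mozilla): decide whether an
# installed Firefox already carries the fix for CVE-2019-11708.
# Fixed versions named in the article: 67.0.4 (release line) and 60.7.2 (ESR line).
FIXED_RELEASE="67.0.4"
FIXED_ESR="60.7.2"

# version_ge A B: succeeds when version A is greater than or equal to B.
# GNU sort -V compares dot-separated numeric fields, so "67.0.10" > "67.0.4".
version_ge() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# firefox_patched VERSION: succeeds when VERSION includes the sandbox-escape fix.
# The 60.x ESR line is fixed from 60.7.2; every other line is fixed from 67.0.4
# (assumption: releases newer than 67.0.4, such as 68, keep the fix).
firefox_patched() {
    case "$1" in
        60.*) version_ge "$1" "$FIXED_ESR" ;;
        *)    version_ge "$1" "$FIXED_RELEASE" ;;
    esac
}

# parse_firefox_version: reads "Mozilla Firefox 67.0.3" (or "60.7.2esr") on
# stdin and prints the bare numeric version, e.g. "67.0.3" or "60.7.2".
parse_firefox_version() {
    sed -n 's/^Mozilla Firefox \([0-9][0-9.]*\).*/\1/p'
}

# installed_firefox_version: prints the version reported by the firefox binary,
# or nothing if firefox is not in PATH.
installed_firefox_version() {
    firefox --version 2>/dev/null | parse_firefox_version
}

# report VERSION: prints a verdict; returns 0 if patched, 1 otherwise.
report() {
    if firefox_patched "$1"; then
        echo "Firefox $1: includes the fix for CVE-2019-11708"
    else
        echo "Firefox $1: UNPATCHED, update to $FIXED_RELEASE or ESR $FIXED_ESR"
        return 1
    fi
}

# Only check the installed browser when invoked with --check, so the functions
# above can also be sourced from other scripts.
if [ "${1:-}" = "--check" ]; then
    v=$(installed_firefox_version)
    if [ -z "$v" ]; then echo "firefox not found in PATH"; exit 2; fi
    report "$v"
fi
```

Run it as `sh check-firefox.sh --check` on the machine you just updated; a non-zero exit status means the installed build is still below the fixed version.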

A fix for the second zero day bug is also expected to reach the Tor Browser in the next few days.

As of today, the Tor Browser has been updated to version 8.5.2, which includes the fix for the first zero day bug detected in the Firefox branch.
