Second Firefox Zero-Day Announced - CVE-2019-11708

The Threat

On June 20^th, 2019, Mozilla released security patches to address a zero-day vulnerability being exploited in the wild [1]. The vulnerability (CVE-2019-11708) allows for sandbox escape using Prompt:Open. Sandbox escape, in the context of web-browsers, could allow for malicious code to escape a secure environment and reach the user’s machine. Although the vulnerability is not critical on its own, if linked with the “type confusion” vulnerability (CVE-2019-11707) released yesterday, a threat actor can achieve remote code execution.

Due to its use in attacks in the wild, security patches to address CVE-2019-11708 should be applied as soon as possible.

What we’re doing about it

• The Threat Intelligence team is monitoring this topic for additional information
• MVS (formerly esRECON) is in the process of releasing plugins to identify this vulnerability

What you should do about it

• After performing a business impact review, apply the latest update for Firefox (Firefox 67.0.4 / Firefox ESR 60.7.2)

Additional information

CVE-2019-11708 is due to an insufficient vetting of parameters passed with the Prompt:Open IPC message. The vulnerability was originally discovered in mid-April by Google’s Project Zero. Patch release was prompted after Coinbase, a cryptocurrency exchange, reported attacks utilizing both CVE-2019-11707 and CVE-2019-11708 [2].

For more information on (CVE-2019-11707) see the eSentire advisory Firefox Zero-Day Vulnerability [3].

References:

[1] https://www.mozilla.org/en-US/security/advisories/mfsa2019-19/

[2] https://www.zdnet.com/article/mozilla-fixes-second-firefox-zero-day-exploited-in-the-wild/

[3] https://www.esentire.com/security-advisories/firefox-zero-day-vulnerability/