US Dept. of Homeland Security CISA: Mozilla Patches Critical 0-Day Vulnerability

TL;DR: “An attacker could exploit this vulnerability to take control of an affected system. This vulnerability was detected in exploits in the wild,” the Cybersecurity and Infrastructure Security Agency (CISA) alerted users regarding a 0-day issue with Mozilla for Firefox browser products, including Thunderbird. A similar pair of attacks was found to have impacted Coinbase about 7 months ago. 

Mozilla Patches Critical 0-Day Vulnerability

Zero-day (0-day) is thought to be in computer security circles a previously unknown. And because it has near-zero record of potential harm, it can be exploited, obviously, until a patch or mitigation can be found — day zero. “The fewer the days since Day Zero,” according to Wikipedia, “the higher the chance no fix or mitigation has been developed. Even after a fix is developed, the fewer the days since Day Zero, the higher is the probability that an attack against the afflicted software will be successful, because not every user of that software will have applied the fix.”

This particular variation allowed the attacker to take control of the impacted computer. A new version of Firefox has apparently been dispatched, and all users are advised to update as soon as possible. Credit for the discovery goes to Qihoo 360 ATA, a Chinese internet security company based in Chaoyang District, Beijing. Qihoo is said to have some half a billion users.

CVE-2019-17026: IonMonkey type confusion with StoreElementHole and FallibleStoreElement are the official titles of the attack. “Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion. We are aware of targeted attacks in the wild abusing this flaw,” Mozilla explained.

As “the vulnerability is indexed, is a type confusion,” an Ars Technica discussion of the matter elaborated, “a potentially critical error that can result in data being written to, or read from, memory locations that are normally off-limits. These out-of-bounds reads may allow attackers to discover memory locations where malicious code is stored so that protections such as address space layout randomization can be bypassed. Out-of-bounds reads can also cause crashes.” This comes a little more than half a year after Mozilla patched two similar exploits used by the popular cryptocurrency exchange Coinbase.

Coinbase

CONTINUE THE SPICE and check out our piping hot VIDEOS. Our podcast, The CoinSpice Podcast, has amazing guests. Follow CoinSpice on Twitter. Join our Telegram feed to make sure you never miss a post. Drop some BCH at the merch shop — we’ve got some spicy shirts for men and women. Don’t forget to help spread the word about CoinSpice on social media.

DYOR: CoinSpice is your home for just spicy crypto things. We’re not affiliated with any cryptocurrency project or token. Each published piece is intended for information purposes only, not investment advice and not in the hope of impacting speculative markets. There are plenty of trading sites and coin-specific advocacy journals out there, we’re neither. CoinSpice strives for rigorous accuracy in our reporting. Information presented here is contingent usually on a host of factors, and the ecosystem moves fast — prices change, projects change, and at warp speed. Do your own research.

DISCLOSURE: The author holds cryptocurrency as part of his financial portfolio, including BCH.