Mozilla Firefox Fixes Zero-Day Exploits That Impacted Coinbase Employees, Mac Users Involved in Cryptocurrency Exchange

Mozilla has patched a couple of zero-day vulnerabilities on Firefox through two separate security updates. While the first zero-day flaw was described as a "remote code execution" vulnerability that enabled remote attackers to run a malicious code within the native process of the Firefox browser, the second one was known as a "sandbox escape" that allowed hackers to execute arbitrary code on the operating system by escaping from Firefox' security sandbox. Some anonymous attackers used the two Firefox security loopholes to plan an attack against Coinbase employees. The issue was confirmed by Coinbase Chief Information Security Officer (CISO) Philip Martin. Separately, one of the patched zero-day vulnerabilities has been found to give backdoor access to Mac machines used for a cryptocurrency exchange.

The remote code execution bug listed as CVE-2019-11707 was first reported by a Google Project Zero researcher. It was patched earlier this week, just before fixing the sandbox escape issue that has been described as CVE-2019-11708. Both flaws notably enabled the attackers to impact the Coinbase staff, which was noted by ZDNet.

"On Monday, Coinbase detected and blocked an attempt by an attacker to leverage the reported zero-day along with a separate zero-day Firefox sandbox escape, to target Coinbase employees," said Coinbase CISO Martin on Twitter. "We walked back the entire attack, recovered, and reported the zero-day to Firefox, pulled apart the malware and infra[structure] used in the attack and are working with various orgs to continue burning down [the] attacker infrastructure and digging into the attacker involved."

Martin added that the attack didn't target customers, though it was aimed at other cryptocurrency organisations as well that were notified.

"We're also releasing a set of IOCs (indicators of compromise) that orgs can use to evaluate their potential exposure," he continued.

The indicators of compromise shared by Martin suggests that attackers would send a spear-phishing email to influence the recipients to visit a webpage that can run a collect personal data stored on Firefox. The attack was notably designed for both Mac and Windows users.

Mozilla brought the Firefox 67.0.3 and Firefox ESR 60.7.1 to fix the initial zero-day bug. Later, it released the Firefox 67.0.4 and Firefox ESR 60.7.2 to patch the second zero-day vulnerability that was associated with the sandbox escape issue and contributed to the Coinbase exploit.

In other news, the remote code execution bug in Firefox that has been listed as CVE-2019-11707 is found to enabled attackers to install a Mac malware. The malware can be installed particularly on machines where a cryptocurrency exchange took place "until fairly recently," macOS security researcher Patrick Wardle pointed out in his blog.

As explained by Ars Technica, the overrides Apple's default security measures, including XProtect and Gatekeeper, to install malicious content on Mac machines through Firefox.

"I do not have direct evidence [Windows users] were targeted as a result of this exploit," independent reverse engineer Vitali Kremez told Ars Technica.

That being said, Windows and Mac both users are highly recommended to install the updated Firefox browser on their computers to avoid uncertain instances.