“This can allow for an exploitable crash,” reads Mozilla’s latest patch note. “We are aware of targeted attacks in the wild abusing this flaw.”
Samuel Groß, one of the security researchers who found and reported the bug, confirmed he did so way back on April 15 — over two months ago.
“The first public fix then landed about a week ago,” Groß tweeted earlier today. He then said security fixes for Firefox are usually held back until the next full release is prepared to launch.
According to Groß, hackers are able to exploit the bug for “Remote Control Execution“, or RCE, but it would only be effective under certain conditions.
RCE usually affords attackers complete control over a targeted web server. In this case, considering the contents of Mozilla’s patch notes, it seems major cryptocurrency exchange Coinbase has been targeted directly.
“However, most likely it can be exploited for [Universal Cross-Site Scripting (UXSS) attacks] which might be enough depending on the attacker’s goals,” Groß continued.
UXSS attacks often lead to loss of sensitive information, such as usernames, passwords, and other critical credentials.
So far, no specific details of how the bug has been exploited have been released. Hard Fork has reached out to Coinbase for more information, and will update this piece should we receive a reply.
Mozilla has now released a patch, and urged users to update their browsers as soon as possible.
Published June 19, 2019 — 14:20 UTC