Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

6/19/2019
04:30 PM
50%
50%

Critical Firefox Vuln Used in Targeted Attacks

Mozilla has released patches for the bug reported by Coinbase.

Mozilla has patched a critical vulnerability under active exploit in the Firefox browser. 

Digital currency exchange Coinbase reported the vulnerability to Mozilla after discovering it in use for targeted attacks. According to the Mozilla advisory, the type confusion vulnerability (CVE-2019-11707) "can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash." 

The researcher who discovered the flaw – Samuel Groß of Google Project Zero and Coinbase Security – stated on Twitter: "The bug can be exploited for RCE but would then need a separate sandbox escape. However, most likely it can also be exploited for UXSS which might be enough depending on the attacker's goals."

The vulnerability has been fixed in Firefox 67.0.3 and Firefox ESR 60.7.1. Read more here and here.

Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
6/21/2019 | 1:54:16 PM
Software Management Policies
Organizations that don't have a strong software management policy or an efficient patch management platform will find this quite difficult to remediate. It is quite easy to upgrade but if the previous prerequisites are not met, it will result in inconsistent versions spread throughout the environment making identification difficult and QA UAT testing a bit more stressful post patch.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/4/2020
Abandoned Apps May Pose Security Risk to Mobile Devices
Robert Lemos, Contributing Writer,  5/29/2020
How AI and Automation Can Help Bridge the Cybersecurity Talent Gap
Peter Barker, Chief Product Officer at ForgeRock,  6/1/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: What? IT said I needed virus protection!
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13842
PUBLISHED: 2020-06-05
An issue was discovered on LG mobile devices with Android OS 7.2, 8.0, 8.1, 9, and 10 (MTK chipsets). A dangerous AT command was made available even though it is unused. The LG ID is LVE-SMP-200010 (June 2020).
CVE-2020-13843
PUBLISHED: 2020-06-05
An issue was discovered on LG mobile devices with Android OS software before 2020-06-01. Local users can cause a denial of service because checking of the userdata partition is mishandled. The LG ID is LVE-SMP-200014 (June 2020).
CVE-2020-13839
PUBLISHED: 2020-06-05
An issue was discovered on LG mobile devices with Android OS 7.2, 8.0, 8.1, 9, and 10 (MTK chipsets). Code execution can occur via a custom AT command handler buffer overflow. The LG ID is LVE-SMP-200007 (June 2020).
CVE-2020-13840
PUBLISHED: 2020-06-05
An issue was discovered on LG mobile devices with Android OS 7.2, 8.0, 8.1, 9, and 10 (MTK chipsets). Code execution can occur via an MTK AT command handler buffer overflow. The LG ID is LVE-SMP-200008 (June 2020).
CVE-2020-13841
PUBLISHED: 2020-06-05
An issue was discovered on LG mobile devices with Android OS 9 and 10 (MTK chipsets). An AT command handler allows attackers to bypass intended access restrictions. The LG ID is LVE-SMP-200009 (June 2020).