Mozilla has released a second security update this week to patch a second zero-day that was being exploited in the wild to attack Coinbase employees and other cryptocurrency organizations.
Firefox 67.0.4 and Firefox ESR 60.7.2 are now available for Firefox users through the browser’s built-in update mechanism.
This second bug was used together with another one that Mozilla patched two days ago, through the release of Firefox 67.0.3 and Firefox ESR 60.7.1.
The two zero-days
The first one was described as a “remote code execution” vulnerability that allowed remote attackers to run malicious code inside Firefox’s native process.
The bug (CVE-2019-11707) was discovered on April 15 by a Google Project Zero researcher and reported to Mozilla, who only patched it this week after the Coinbase security team reported attacks exploiting the vulnerability, together with a second zero-day (CVE-2019-11708).
This second zero-day, which Mozilla described as a “sandbox escape” allowed malicious threat actors to escape from the Firefox protected process and execute code on the underlying operating system.
When combined, the two bugs provide a quick avenue for running malicious code from within a website on a visiting user’s computer.
The two zero-days used in the same attacks
As ZDNet broke the news earlier today, these two zero-days were being used by an unknown hacking group in attempts to infect the Coinbase staff.
Coinbase employees would receive spear-phishing emails that would contain links to malicious sites. If they clicked the links and visited the sites — if they used Firefox — the page would download and run an info-stealer on their systems that would collect and exfiltrate browser passwords, and other data.
The attacks were tailored for both Mac and Windows users, with different malware strains delivered for each OS. The attacks have been going on for weeks before being detected, and Coinbase said they also targeted other cryptocurrency organizations, and not just their employees.
The Firefox bugfix for the second zero-day is expected to land in the Tor Browser in the coming days. Today, the Tor Browser team updated to version 8.5.2, which includes the fix for the first zero-day.
More browser coverage: