20 Jun 2019
Mozilla has released Firefox 67.0.3 and Firefox ESR 60.7.1, and you should update as soon as possible. The releases fix a critical zero-day vulnerability that Mozilla says is being actively exploited in targeted attacks. Firefox for Android, iOS, and Amazon Fire TV are not affected, but every desktop build of Firefox (Windows, macOS, Linux) is at risk until it is updated.
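A quick way to turn the version numbers above into an inventory check, as an added example (not code from Mozilla or from the original article): parse the string a desktop Firefox prints for `firefox --version` and decide whether it is at or past the fixed version for its branch. The fixed versions 67.0.3 and ESR 60.7.1 come from the advisory; the exact output format (`Mozilla Firefox 67.0.3`, with an `esr` suffix on ESR builds) and the `firefox` binary name are assumptions.

```python
"""Added example: is this desktop Firefox build patched for CVE-2019-11707?

Fixed versions (67.0.3 on the release branch, 60.7.1 on the ESR branch) are
taken from Mozilla's advisory. The 'firefox --version' output format used for
parsing is an assumption, not something the advisory specifies.
"""
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Minimum patched version per branch (from the advisory).
FIXED_RELEASE: Version = (67, 0, 3)
FIXED_ESR: Version = (60, 7, 1)

# Matches '67.0.3', '68.0', '60.7.1esr', '69.0a1' (nightly); the optional
# 'esr' suffix is how ESR builds report themselves (assumed format).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?", re.IGNORECASE)


def parse_version(text: str) -> Tuple[Version, bool]:
    """Extract ((major, minor, patch), is_esr) from a version string.

    A missing patch component (e.g. '68.0') is treated as 0.
    Raises ValueError if no version number is present.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Firefox version found in {text!r}")
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    return version, bool(m.group(4))


def is_patched(text: str) -> bool:
    """True if the build carries the CVE-2019-11707 fix for its branch.

    ESR builds are compared against 60.7.1; everything else against 67.0.3.
    Anything on an older branch (66.x, 52.x ESR) is unpatched and unsupported,
    so it correctly fails the comparison too.
    """
    version, is_esr = parse_version(text)
    floor = FIXED_ESR if is_esr else FIXED_RELEASE
    return version >= floor


def installed_firefox_version(binary: str = "firefox") -> Optional[str]:
    """Ask the local desktop Firefox for its version string, or None if absent.

    The binary name and the '--version' flag are assumptions about the host.
    """
    try:
        out = subprocess.run([binary, "--version"], capture_output=True,
                             text=True, timeout=15, check=False)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    # Constructed sample strings, in the assumed 'firefox --version' format.
    samples = [
        "Mozilla Firefox 67.0.3",      # release, fixed
        "Mozilla Firefox 67.0.2",      # release, vulnerable
        "Mozilla Firefox 60.7.1esr",   # ESR, fixed
        "Mozilla Firefox 60.7.0esr",   # ESR, vulnerable
        "Mozilla Firefox 66.0.5",      # old branch, vulnerable
    ]
    for s in samples:
        print(f"{s:30} -> {'patched' if is_patched(s) else 'UPDATE NOW'}")
    local = installed_firefox_version()
    if local:
        print(f"{local:30} -> {'patched' if is_patched(local) else 'UPDATE NOW'}")
```

The branch split is the part worth getting right: a release build below 67.0.3 and an ESR build below 60.7.1 are both vulnerable, while ESR 60.7.1 is fixed even though its major version is far below 67. Run it on each endpoint (or feed it version strings collected by your inventory tool) and treat any "UPDATE NOW" line as an open finding.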
Samuel Groß, a security researcher at Google Project Zero, discovered and reported the vulnerability. Tracked as CVE-2019-11707, it is a type confusion bug in the browser's JavaScript engine, triggered when manipulating JavaScript objects through Array.pop. On its own it gives an attacker code execution inside Firefox's sandboxed content process; combined with a separate sandbox escape, that is enough to run arbitrary code on the underlying system and take full control of it. Even without a sandbox escape, the bug can most likely be used for Universal Cross-site Scripting (UXSS), letting a malicious page read and act on the user's sessions with other sites.
Groß said in a tweet: “I don’t have any insights into the active exploitation part. I found and then reported the bug on April 15. The first public fix then landed about a week ago (sec fixes are held back until close to the next release). The bug can be exploited for RCE but would then need a separate sandbox escape. However, most likely it can also be exploited for UXSS which might be enough depending on the attacker’s goals.”