Firefox 0 day flaw update


In my second post for Plugging In The Holes, entitled GatsbyJS and Security, yesterday, I mentioned that The Hacker News had come out with an article about a patch Firefox had released that day for a critical zero-day vulnerability in the browser. I immediately went into Firefox and updated to the latest version.

Then today, The Hacker News came out with an update on the status of the Firefox 0 day vulnerability. The first patch didn't quite cut it! The Hacker News put it very well:

Okay, folks, it's time to update your Firefox web browser once again—yes, for the second time this week.

The story did not end with the first patch, which fixed CVE-2019-11707. A second vulnerability, CVE-2019-11708, had to be patched as well. This one was a "sandbox escape" vulnerability, which, according to The Hacker News,

…if chained together with the previously patched "type confusion" bug (CVE-2019-11707), allows a remote attacker to execute arbitrary code on victims' computers just by convincing them into visiting a malicious website.

And what is browser sandboxing?

Browser sandboxing is a security mechanism that keeps third-party processes isolated and confined to the browser, preventing them from damaging other sensitive parts of a computer's operating system.

That is why the two bugs matter together. On its own, the type confusion bug (CVE-2019-11707) only lets an attacker run code inside the sandboxed process that renders the web page; the sandbox escape (CVE-2019-11708) is what turns that into code running on the machine itself. Fixing only the first bug still left the second one waiting to be paired with the next renderer bug. What is most interesting about all this is that both vulnerabilities were exploited by hackers together to

…target employees from the Coinbase platform and users of other cryptocurrency firms.

Boy, am I glad I never got mixed up in any of that crypto stuff. I firmly believe that it is on its way out. Flash in the pan, baby!

But there was one thing in the article which I would like to highlight and comment upon. The article states

Though Firefox installs latest available updates automatically, users are still advised to ensure they are running Firefox 67.0.4 or later.

Yes, that is true, but only really true if you are constantly quitting the browser. But who really does that? I don't unless I have to. For example, after reading that line, I opened Firefox (it was already open, sitting in the dock) to check which version I was running. It was NOT 67.0.4. It was still 67.0.3. I quit the browser, relaunched it and updated immediately.
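As an added example (my own code, not from the original article or from Mozilla), here is a small Python check for that advice: it parses the version string that `firefox --version` prints and compares it numerically against 67.0.4, the minimum fixed version named above. The helper names and the sample version strings are constructed for illustration; the only value taken from the article is the 67.0.4 minimum. Note the caveat in the last function: the binary on disk can already be updated while the Firefox you have open is still the old one.

```python
import re
import shutil
import subprocess

# Minimum fixed version named in The Hacker News article quoted above.
MIN_FIXED = "67.0.4"


def parse_version(text):
    """Extract a numeric version tuple from a string such as
    'Mozilla Firefox 67.0.3'. Any trailing suffix (e.g. a beta marker)
    is ignored for the numeric comparison."""
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_patched(version_text, minimum=MIN_FIXED):
    """True if the version in version_text is >= minimum.
    Tuples are compared (after padding to equal length) so that
    67.0.10 counts as newer than 67.0.4; a plain string comparison
    would get that wrong."""
    have, want = parse_version(version_text), parse_version(minimum)
    n = max(len(have), len(want))
    have += (0,) * (n - len(have))
    want += (0,) * (n - len(want))
    return have >= want


def installed_version():
    """Ask the Firefox binary on PATH for its version, or return None if
    there is no such binary. This reports the build that would start on
    the next launch, NOT necessarily the process currently running: a
    Firefox that has downloaded an update but has not been restarted is
    still executing the old code, which is exactly the situation described
    in this post. The browser's own About dialog shows the running version."""
    exe = shutil.which("firefox")  # assumption: 'firefox' is on PATH
    if exe is None:
        return None
    out = subprocess.run([exe, "--version"], capture_output=True,
                         text=True, timeout=30)
    return out.stdout.strip() or None


if __name__ == "__main__":
    # Constructed samples in the format 'firefox --version' prints.
    for sample in ["Mozilla Firefox 67.0.3",
                   "Mozilla Firefox 67.0.4",
                   "Mozilla Firefox 68.0"]:
        verdict = "patched" if is_patched(sample) else "UPDATE NOW"
        print(f"{sample}: {verdict}")
    live = installed_version()
    if live:
        verdict = "patched" if is_patched(live) else "UPDATE NOW"
        print(f"binary on disk reports {live!r}: {verdict}")
```

Run it as a script to see the constructed samples classified; if a `firefox` binary is on your PATH it is queried too. Even when the on-disk build passes the check, restart the browser and confirm the version in the About dialog, since that is the only thing that tells you what the process you are actually browsing with is running.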

Advice? Keep abreast of cybersecurity news. Not that you have to be an expert in the field. Just be aware of what is going on around you and in the tools you use every day. It's really a new world for so many of us. And those of us who were born into it should be sensitive to it as well.

I will be embedding this episode of Plugging in The Holes along with a transcript in the form of a post on interglobalmedianetwork.com for your hearing and reading pleasure. Bye for now!