Mozilla releases security updates Firefox 66.0.1 and 60.6.1 ESR

by Martin Brinkmann on March 23, 2019 in Firefox

Mozilla has just released Firefox 66.0.1 and Firefox 60.6.1 ESR to the public. The two new versions of Firefox patch critical security vulnerabilities in the web browser.

Firefox users should receive the updates automatically if automatic updating is turned on in the browser (which it is by default). The new versions are also available as standalone downloads from Mozilla’s official website.

Firefox users may select Menu > Help > About Firefox to run a manual check for updates to download the new version immediately. It takes a while as Firefox does not run real-time update checks.

Firefox 66.0.1 and Firefox 60.6.1 ESR

Mozilla patched two critical security vulnerabilities in Firefox 66.0.1 and Firefox 60.6.1 ESR (Extended Support Release).

The vulnerabilities are listed on the official Firefox Security Advisories website:

CVE-2019-9810: IonMonkey MArraySlice has incorrect alias information

Incorrect alias information in IonMonkey JIT compiler for Array.prototype.slice method may lead to missing bounds check and a buffer overflow.

CVE-2019-9813: Ionmonkey type confusion with __proto__ mutations

Incorrect handling of __proto__ mutations may lead to type confusion in IonMonkey JIT code and can be leveraged for arbitrary memory read and write.

Additional information is not provided at this time; the linked bug listings are blocked from the public.

The two researchers who discovered the vulnerabilities are Richard Zhu and Amat Cama, and it is probably no coincidence that the researchers successfully attacked Firefox in this year’s Pwn2Own competition.

The security researchers managed to use an exploit in Firefox to execute code at the system level if a user visited a specially prepared website.

They leveraged a JIT bug in the browser, then used an out-of-bounds write in the Windows kernel to effectively take over the system. They were able to execute code at SYSTEM level just by using Firefox to visit their specially crafted website.

The competition saw another successful attack targeting Firefox. Niklas Baumstark exploited a JIT bug in Firefox to escape the sandbox, which would allow an attacker to run code on the device with the same permissions as the signed-in user.

He used a JIT bug in the browser followed by a logic bug to escape the sandbox. In a real-world scenario, an attacker could use this to run their code on a target system at the level of the logged-on user.

It is recommended to update to the new patched versions of Firefox to protect the browser and underlying system from attacks targeting these vulnerabilities.
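
For administrators who need to check more than one machine, the version test behind this recommendation can be scripted. The following is an added example, not part of the original article or any Mozilla tooling; it assumes version strings in the form printed by `firefox --version` (for example `Mozilla Firefox 60.6.1esr`), and the host names and inventory lines are constructed.

```python
import re

# Patched versions named in the article.
PATCHED_RELEASE = (66, 0, 1)
PATCHED_ESR = (60, 6, 1)

# Assumed input format: "Mozilla Firefox 66.0.1" or "Mozilla Firefox 60.6.1esr".
_VERSION_RE = re.compile(r"Firefox\s+(\d+)\.(\d+)(?:\.(\d+))?(esr)?\b", re.IGNORECASE)


def parse_version(line):
    """Return ((major, minor, patch), is_esr), or None if the line does not parse.

    Pre-release strings such as "66.0b9" are deliberately not parsed, so they
    surface as "unparsed" for manual review instead of being guessed at.
    """
    m = _VERSION_RE.search(line)
    if m is None:
        return None
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    return version, m.group(4) is not None


def has_fix(line):
    """True if the build is at or above the patched version, False if below, None if unparsed."""
    parsed = parse_version(line)
    if parsed is None:
        return None
    version, is_esr = parsed
    # ESR builds are compared against 60.6.1, everything else against 66.0.1.
    # A 60.x string without the "esr" suffix is therefore reported as needing an update.
    return version >= (PATCHED_ESR if is_esr else PATCHED_RELEASE)


def audit(inventory):
    """Map each host to 'patched', 'UPDATE' or 'unparsed'."""
    labels = {True: "patched", False: "UPDATE", None: "unparsed"}
    return {host: labels[has_fix(line)] for host, line in inventory.items()}


# Constructed sample inventory (host names and versions are illustrative).
SAMPLE = {
    "ws-01": "Mozilla Firefox 66.0.1",
    "ws-02": "Mozilla Firefox 66.0",
    "ws-03": "Mozilla Firefox 60.6.1esr",
    "ws-04": "Mozilla Firefox 60.6.0esr",
    "ws-05": "Mozilla Firefox 66.0b9",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```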