Topic: Firefox: zero-day critical zero-day vulnerability
DdmrDdmr
January 09, 2020, 04:51:44 PM
 #1

Quote
Mozilla has released security updates to address a vulnerability in Firefox and Firefox ESR. An attacker could exploit this vulnerability to take control of an affected system. This vulnerability was detected in exploits in the wild.
The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Mozilla Security Advisory for Firefox 72.0.1 and Firefox ESR 68.4.1 and apply the necessary updates.
https://www.us-cert.gov/ncas/current-activity/2020/01/08/mozilla-patches-critical-vulnerability

This warning was launched yesterday by the CISA (Cybersecurity and Infrastructure Security Agency), but I haven’t found any echo of it here to date.

It seems that the zero-day vulnerability requires an immediate update of Firefox, since it could lead to hackers taking control of the system. Although the details are scarce, how a bloody browser gets to potentially allow a third party to take control beats me.

Note that the update should take you up to version Firefox 72.0.1 or Firefox ESR 68.4.1. We only just barely updated to Firefox 72.0 and Firefox ESR 68.4, so we should not get confused between the two.

https://www.welivesecurity.com/2020/01/09/mozilla-rushes-patch-firefox-zero-day/

hugeblack
January 09, 2020, 05:22:40 PM
 #2

You will find a lot of information on Twitter as I noticed that some developers posted the warning more than 24 hours ago.
So far, many details have not been clarified, but once many people download the browser, the rest of the information will be released.
Generally it appears that the vulnerability needs an affected system in order to succeed, but no details have been published about which operating system is more vulnerable and whether all systems must be updated.

MagicByt3
January 09, 2020, 05:41:09 PM
 #3

https://www.mozilla.org/en-US/security/advisories/mfsa2020-01/


Seems like it was a known attack vector and being exploited in the wild for some time before the CVE came out.
This is concerning that attackers are having free roam with exploits for such a long time before anyone is even aware of them.

Mozilla need to up their game in the security department big time.

hosseinimr93
January 09, 2020, 05:55:33 PM
 #4

Thanks for the warning.
I was using Firefox 71.0. I couldn't find any information whether the vulnerability affects older versions or not.
Anyway, I think it's better to update older versions too, as soon as possible. I just updated it and it was automatically updated to 72.0.1. Hope it is safe now.

Welsh
January 09, 2020, 11:31:06 PM
 #5

Full details are usually not given until an update is rolled out, and a lot of the user base has already had time to update to avoid any issues. I've talked about this a lot recently, but this is an example of when isolation of your computer using computer compartmentalization technology or by physically separating your computers from an insecure device, and a more secure device is important. If you have your computers physically separated, then the network could still be compromised if a browser goes haywire. Therefore, I think a software based approach would be the better option. You could run level 2 virtual machines for your browser, network, and other software while remaining as safe as possible if one of them gets compromised. Firefox is probably the second most used browser on the internet, and millions of users were exposed to this vulnerability, and I'd agree with Ddmr how bad it is for a browser to get complete control of the operating system.

It's worth noting that you'll likely have to manually update Firefox, and double check after the update has finished whether or not you're running the version in the OP.



Quote from: MagicByt3
Seems like it was a known attack vector and being exploited in the wild for some time before the CVE came out.
This is concerning that attackers are having free roam with exploits for such a long time before anyone is even aware of them.

Mozilla need to up their game in the security department big time.

This is usually the case for most exploits. However, most exploits are used against specific targets, and won't be much of a threat to "normal" users. Unfortunately, there's no way of preventing this from happening, and vulnerabilities will always be found in software, especially in newly released updates. There's a lot of debate among software engineers whether you should update or stick with an older version a little longer than usual. This is why a lot of companies keep an up-to-date long term support option.
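
Added example, not part of the thread or any poster's code: the posts above ask readers to confirm after updating that they are on Firefox 72.0.1 or Firefox ESR 68.4.1. This Python script classifies `firefox --version` output against those two fixed versions; the host names and sample readings are constructed, and treating an `esr` suffix as the channel marker is an assumption.

```python
import re

# Fixed versions named in the thread: Firefox 72.0.1 and Firefox ESR 68.4.1.
FIXED = {"release": (72, 0, 1), "esr": (68, 4, 1)}

# Assumed output format of `firefox --version`, e.g. "Mozilla Firefox 68.4.1esr".
_VERSION_RE = re.compile(r"^Mozilla Firefox (\d+(?:\.\d+){0,3})(esr)?$")


def parse_version(output):
    """Return (channel, version_tuple), or None if the string is not recognised."""
    m = _VERSION_RE.match(output.strip())
    if not m:
        return None  # beta/nightly suffixes or unexpected text: do not guess
    parts = tuple(int(p) for p in m.group(1).split("."))
    parts += (0,) * (3 - len(parts))  # pad "72.0" to (72, 0, 0)
    return ("esr" if m.group(2) else "release", parts)


def update_status(output):
    """Classify one reading as 'patched', 'needs-update' or 'unknown'."""
    parsed = parse_version(output)
    if parsed is None:
        return "unknown"
    channel, version = parsed
    return "patched" if version >= FIXED[channel] else "needs-update"


def audit(inventory):
    """Map each host to its status; inventory is (host, version_output) pairs."""
    return {host: update_status(out) for host, out in inventory}


# Constructed sample inventory (host names and readings are made up).
SAMPLE = [
    ("ws-01", "Mozilla Firefox 72.0.1"),
    ("ws-02", "Mozilla Firefox 72.0"),
    ("ws-03", "Mozilla Firefox 68.4.1esr"),
    ("ws-04", "Mozilla Firefox 68.4.0esr"),
    ("ws-05", "Mozilla Firefox 71.0"),
    ("ws-06", "Mozilla Firefox 73.0b3"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Readings the pattern does not recognise come back as `unknown` so that they get checked by hand instead of being counted as patched.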

LTU_btc
January 10, 2020, 12:24:33 AM
 #6

I already got my Firefox updated to 72.0.1 yesterday, because I have auto update turned on. All these security vulnerabilities are really concerning because you probably may not even notice that someone has control of your computer. So, thanks for the warning, it's really needed, because until now I hadn't heard about this issue.




hatshepsut93
January 10, 2020, 02:21:22 AM
 #7

I got a popup from the browser today saying "click here to update and restart your browser", which seemed a bit strange since usually updates happen when you launch the browser and not when you browse, but I'm glad I clicked it, even though I don't think I was at risk, since I only visit Bitcointalk with this browser.

ETFbitcoin
January 10, 2020, 08:33:59 AM
 #8

Good thing auto-update is enabled by default on Mozilla Firefox.

Quote from: Welsh
You could run level 2 virtual machines for your browser, network, and other software while remaining as safe as possible if one of them gets compromised.

A virtual machine is pretty demanding for a user's regular computer/notebook though, especially if both the OS and the OS on the VM are Windows.

Quote from: DdmrDdmr
Although the details are scarce, how a bloody browser gets to potentially allow a third party to take control beats me.

There have been many similar zero-day vulnerabilities in the past in many browsers, even though almost all of them were found and fixed before being exploited/used by hackers.
