UPDATE

Mozilla has released updates for the Firefox browser addressing a critical vulnerability that is being actively exploited in targeted attacks against Coinbase employees – and potentially other cryptocurrency organizations.

The critical flaw (CVE-2019-11707) is a type confusion vulnerability in the Array.pop, which is an array method that is used in JavaScript objects in Firefox. The vulnerability, under active attack, enables bad actors to take full control of systems running the vulnerable Firefox versions.

“On Monday, June 17, 2019, Coinbase reported a vulnerability used as part of targeted attacks for a spear phishing campaign,” Selena Deckelmann, senior director of Firefox Browser Engineering, told Threatpost. “In less than 24 hours, we released a fix for the exploit.”

The Mozilla Foundation said that the issue is fixed in Firefox 67.0.3 and Firefox ESR 60.7.1. Anyone using Firefox on a Windows, macOS or Linux desktop is impacted.

“A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop,” according to the Tuesday advisory. “This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw.”

Critical Flaw

The flaw was discovered by Samuel Groß of Google Project Zero and the Coinbase Security team. In a Twitter thread, Groß said he found and reported the vulnerability on April 15 and that the first public fix was deployed “about a week ago.”

Essentially the object in the Array.pop method could be manipulated due to a type confusion vulnerability to execute malicious JavaScript on webpages.

“The bug can be exploited for RCE [remote code execution] but would then need a separate sandbox escape,” Groß said on Twitter. “However, most likely it can also be exploited for UXSS [universal cross-site scripting] which might be enough depending on the attacker’s goals.”

I don't have any insights into the active exploitation part. I found and then reported the bug on April 15. The first public fix then landed about a week ago (sec fixes are held back until close to the next release): https://t.co/O34f9dou3E https://t.co/K6GfZN1XkH — Samuel Groß (@5aelo) June 19, 2019

Both malicious actions are serious. Remote code execution enables an attacker to access devices and make changes, and UXSS is a type of attack that exploits client-side vulnerabilities in the browser in order to execute malicious code.

Attack Details Scant

Coinbase chief information security officer Philip Martin said on Twitter, Wednesday, that Coinbase had actually spotted two zero days being exploited by an attacker who was targeting Coinbase employees.

Martin said he has seen no evidence of attacks targeting Coinbase customers – and that Coinbase was not the only cryptocurrency organization targeted in the campaign.

1/ A little more context on the Firefox 0-day reports. On Monday, Coinbase detected & blocked an attempt by an attacker to leverage the reported 0-day, along with a separate 0-day firefox sandbox escape, to target Coinbase employees. — Philip Martin (@SecurityGuyPhil) June 19, 2019

“We walked back the entire attack, recovered and reported the 0-day to firefox, pulled apart the malware and infra used in the attack and are working with various orgs to continue burning down attacker infrastructure and digging into the attacker involved,” he said on Twitter.

On Twitter, Groß said he didn’t have any insights into the active exploitation of the flaw.

Recently Mozilla has been stomping out critical flaws in its Firefox browser. In May, Mozilla patched several critical vulnerabilities with the release of its Firefox 67 browser. The worst of the bugs patched are two memory safety flaws that could allow attackers to exploit the vulnerabilities to take control of an affected system, according to a security bulletin issued by United States Computer Emergency Readiness Team.

Ransomware is on the rise: Don’t miss our free Threatpost webinar on the ransomware threat landscape, June 19 at 2 p.m. ET. Join Threatpost and a panel of experts from Malwarebytes, Recorded Future and Moss Adams as they discuss how to manage the risk associated with this unique attack type, with exclusive insights into new developments on the ransomware front and how to stay ahead of the attackers.

This story was updated on June 19 at 10am ET with Mozilla comments; and on June 20 at 9am ET with further information about the active exploitation attacks.