posted by martyb on Monday June 24 2019, @09:37AM
from the need-more-cowbell^W-blockchain dept.

Hackers exploited a pair of potent zero-day vulnerabilities in Firefox to infect Mac users with a largely undetected backdoor, according to accounts pieced together from multiple people.

Mozilla released an update on Tuesday that fixed a code-execution vulnerability in a JavaScript programming method known as Array.pop. On Thursday, Mozilla issued a second patch fixing a privilege-escalation flaw that allowed code to break out of a security sandbox that Firefox uses to prevent untrusted content from interacting with sensitive parts of a computer operating system. Interestingly, a researcher at Google's Project Zero had privately reported the code-execution flaw to Mozilla in mid April.

On Monday, as Mozilla was readying a fix for the array.pop flaw, unknown hackers deployed an attack that combined working exploits for both vulnerabilities. The hackers then used the attack against employees of Coinbase, according to Philip Martin, chief information security officer for the digital currency exchange.

"We've seen no evidence of exploitation targeting customers," Martin added. "We were not the only crypto org targeted in this campaign. We are working to notify other orgs we believe were also targeted." Martin also published cryptographic hashes of code used in the attack, along with IP addresses the code contacted.

https://arstechnica.com/information-technology/2019/06/potent-firefox-0day-used-to-install-undetected-backdoors-on-macs/


  • (Score: 2) by bzipitidoo on Monday June 24 2019, @09:37PM (5 children)

    by bzipitidoo (4388) on Monday June 24 2019, @09:37PM (#859509) Journal

    Just out of curiosity, what is the last good version of Firefox? 56, the last version before the plugin system was changed?

  • (Score: 0) by Anonymous Coward on Monday June 24 2019, @10:27PM (1 child)

    by Anonymous Coward on Monday June 24 2019, @10:27PM (#859526)

    Firefox 3. Mozilla became Mozule by version 4.

    • (Score: 2) by bzipitidoo on Tuesday June 25 2019, @06:13PM

      by bzipitidoo (4388) on Tuesday June 25 2019, @06:13PM (#859796) Journal

      At the current rate of about 7 versions per year, we will see Firefox 666 in the year 2105.

  • (Score: 0) by Anonymous Coward on Monday June 24 2019, @10:57PM (1 child)

    by Anonymous Coward on Monday June 24 2019, @10:57PM (#859533)

    I was thinking palemoon.

    • (Score: 1, Informative) by Anonymous Coward on Tuesday June 25 2019, @02:24AM

      by Anonymous Coward on Tuesday June 25 2019, @02:24AM (#859579)

      Pale Moon has been pretty reliable and I've been using it as my daily driver browser on the desktop/laptop for years (over 4 at least). Finding working extensions is a PITA but once you have them, they seem to keep working fine. I also have Waterfox as my backup just in case. I'll never use straight Firefox again (and haven't for quite some time). I will never use Goog's Chrome or any Microsoft browser ever again.

  • (Score: 0) by Anonymous Coward on Tuesday June 25 2019, @09:55AM

    by Anonymous Coward on Tuesday June 25 2019, @09:55AM (#859657)

    There are zero days in all of them. Firefox 38-ESR would have been the last of the real 'old' ones, followed by 45 and 52, but both of the latter had already started breaking addons.

    I am not sure about Palemoon now, but FF38 or so was also the last cross-compatible release for the two, at least at the time I last ran Palemoon (which unfortunately had broken socks proxy support. I haven't verified if FF from the same era did as well since I haven't run a version that old since migrating to Tor Browser Bundle, which itself is underfunded and has a variety of privacy breaking issues, notably that cookies in Firefox's Private/Incognito mode aren't visible to plugins to scrub, and they remain until you start a new identity or exit the browser... I am not 100 percent certain that new identity properly scrubs cookies or javascript state either.)

    At this point in time, assume any browser you use is allowing you to be spied on or your browsing habits correlated. The best you can hope for at the moment is a normal non-private browser instance, some of the TBB patches to 'standardize' browser information displayed to remote sites, uMatrix (edit config to set javascript and cookies off by default, and cookies scrubbed every few minutes, whitelist per site and only as needed) + uBlock + your usual privacy plugins. Anything less is leaking far more than you would like to discover.