Hackers exploited a pair of potent zero-day vulnerabilities in Firefox to infect Mac users with a largely undetected backdoor, according to accounts pieced together from multiple people.
Mozilla released an update on Tuesday that fixed a code-execution vulnerability in Array.pop, a JavaScript array method. On Thursday, Mozilla issued a second patch fixing a privilege-escalation flaw that allowed code to break out of the security sandbox Firefox uses to keep untrusted content from interacting with sensitive parts of the operating system. Interestingly, a researcher at Google's Project Zero had privately reported the code-execution flaw to Mozilla in mid-April.
On Monday, as Mozilla was readying a fix for the Array.pop flaw, unknown attackers deployed an attack that chained working exploits for both vulnerabilities. They used it against employees of Coinbase, according to Philip Martin, chief information security officer for the digital currency exchange.
"We've seen no evidence of exploitation targeting customers," Martin added. "We were not the only crypto org targeted in this campaign. We are working to notify other orgs we believe were also targeted." Martin also published cryptographic hashes of code used in the attack, along with IP addresses the code contacted.
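The hashes and IP addresses Martin published are the kind of indicators a defender sweeps for after a campaign like this. The following is an added example, not code from the article, Coinbase or Mozilla, of such a sweep in Python: it hashes every regular file under a directory and extracts destination IPs from proxy-style log lines, matching both against an indicator list. Every hash, IP address, file name and log line in it is a constructed placeholder (RFC 5737 TEST-NET addresses, a digest of a made-up byte string), not the real indicators Martin published, and the function names are assumptions of this example.

```python
"""IOC sweep against published file hashes and contacted IP addresses.

Added example, not code from the article, Coinbase or Mozilla. All indicators,
file names and log lines below are constructed placeholders, not the real IOCs.
"""
import hashlib
import ipaddress
import re
import tempfile
from pathlib import Path
from typing import Iterable, List, Set, Tuple

# Constructed placeholder indicators. In practice these come from the published
# list; normalise hashes to lowercase hex so a mixed-case feed still matches.
SAMPLE_PAYLOAD = b"constructed-sample-payload, not a real sample"
IOC_SHA256: Set[str] = {hashlib.sha256(SAMPLE_PAYLOAD).hexdigest().lower()}
IOC_IPS: Set[str] = {"203.0.113.10", "198.51.100.7"}  # TEST-NET, constructed

# Constructed proxy-style log lines (not real traffic).
SAMPLE_PROXY_LOG = [
    "2019-06-17T14:02:11Z mac-042 CONNECT 203.0.113.10:443 user=alice",
    "2019-06-17T14:02:15Z mac-042 GET http://192.0.2.5/index.html user=alice",
    "2019-06-17T14:05:40Z mac-017 CONNECT 198.51.100.7:8443 user=bob",
    "2019-06-17T14:06:02Z mac-017 GET http://192.0.2.5/ 203.0.113.99 user=bob",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so large binaries never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_files(root: Path, iocs: Set[str] = IOC_SHA256) -> List[Tuple[str, str]]:
    """Return (relative path, sha256) for every regular file under root whose
    digest is an IOC. Symlinks are skipped so a link pointing outside root
    cannot pull in foreign files or loop the walk."""
    hits = []
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        digest = sha256_of_file(p)
        if digest in iocs:
            hits.append((p.relative_to(root).as_posix(), digest))
    return hits


def sweep_log(lines: Iterable[str], iocs: Set[str] = IOC_IPS) -> List[Tuple[int, str]]:
    """Return (line number, ip) for every IOC address found on a log line.
    The regex over-matches (e.g. 999.1.1.1); ipaddress.ip_address() rejects those."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for token in IPV4_RE.findall(line):
            try:
                ipaddress.ip_address(token)
            except ValueError:
                continue
            if token in iocs:
                hits.append((lineno, token))
    return hits


def demo_file_sweep() -> List[str]:
    """Build a throwaway tree with one matching and one benign file, sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Library").mkdir()
        (root / "Library" / "dropped.bin").write_bytes(SAMPLE_PAYLOAD)  # constructed
        (root / "notes.txt").write_bytes(b"nothing to see here")
        return [path for path, _ in sweep_files(root)]


if __name__ == "__main__":
    print("file hits:", demo_file_sweep())
    print("log hits:", sweep_log(SAMPLE_PROXY_LOG))
```

A hash match only catches byte-identical samples; a recompiled or padded variant of the same backdoor will not match, so treat a hit as confirmation and the absence of hits as inconclusive rather than as clearance. The log sweep should be run over egress or proxy logs covering the campaign window, not just the day the indicators were published.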
(Score: 3, Funny) by Gaaark on Monday June 24 2019, @03:17PM (3 children)
They came for the Macs, but I wasn't a Mac user, so I said "Meh!"
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 3, Insightful) by takyon on Monday June 24 2019, @04:16PM (1 child)
Then they came for everybody, because every single device on the planet is vulnerable.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 1, Funny) by Anonymous Coward on Monday June 24 2019, @06:44PM
he said, "MEH!!!!!"
(Score: 2) by edIII on Monday June 24 2019, @10:17PM
Reminds me of a saying, "If a tree falls in the middle of a forest, and hits a mime, does anybody care?"
This is like a walled garden of happy shiny chickens. Firefox went through the backdoor, and killed a bunch of chickens. Yet, you look in the garden today and can only see happy shiny chickens clucking about pecking out tweets like nothing happened.
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 1) by jmichaelhudsondotnet on Monday June 24 2019, @05:55PM (6 children)
So after breaking all add-ons, forcing automatic updates, declaring tracking features nullified with a single feature (lol wut?), forcing all users to opt out of a 'studies' program and pushing out emergency 'updates' through that 'studies' program, within a month, there are such serious bugs in their version of the most basic operational tool of the internet that banking institutions are paralyzed.
Anyone who can still blame this on incompetence has had toooo much koolaid.
You cannot trust institutions like mozilla and gorgle to provide privacy features. Mozilla is basically a bunch of deep cover fbi, cia and mossad agents singing kumbaya at this point.
A corporation will never make free software. Not a red corporation, not a blue corporation, not a big or small corporation, not a flying corporation or underwater corporation, not a corporation run by jesus or god or godzilla.
Until you create an institution that is antithetical to the corporation, you will continue to get the thesis of a corporation, which is top down control.
And you aren't at the top.
What I do not understand is how I seem to be one of very few voices pointing out that mozilla threw out all the good and now all that's left is the bad, but with extra marketing!
(Score: 2) by bzipitidoo on Monday June 24 2019, @09:37PM (5 children)
Just out of curiosity, what is the last good version of Firefox? 56, the last version before the plugin system was changed?
(Score: 0) by Anonymous Coward on Monday June 24 2019, @10:27PM (1 child)
Firefox 3. Mozilla became Mozule by version 4.
(Score: 2) by bzipitidoo on Tuesday June 25 2019, @06:13PM
At the current rate of about 7 versions per year, we will see Firefox 666 in the year 2105.
(Score: 0) by Anonymous Coward on Monday June 24 2019, @10:57PM (1 child)
I was thinking palemoon.
(Score: 1, Informative) by Anonymous Coward on Tuesday June 25 2019, @02:24AM
Pale Moon has been pretty reliable and I've been using it as my daily driver browser on the desktop/laptop for years (over 4 at least). Finding working extensions is a PITA but once you have them, they seem to keep working fine. I also have Waterfox as my backup just in case. I'll never use straight Firefox again (and haven't for quite some time). I will never use Goog's Chrome or any Microsoft browser ever again.
(Score: 0) by Anonymous Coward on Tuesday June 25 2019, @09:55AM
There are zero-days in all of them. Firefox 38-ESR would have been the last of the real 'old' ones, followed by 45 and 52, but both of the latter had already started breaking add-ons.
I am not sure about Pale Moon now, but FF38 or so was also the last cross-compatible release for the two, at least at the time I last ran Pale Moon (which unfortunately had broken SOCKS proxy support. I haven't verified if FF from the same era did as well, since I haven't run a version that old since migrating to Tor Browser Bundle, which itself is underfunded and has a variety of privacy-breaking issues, notably that cookies in Firefox's Private/Incognito mode aren't visible to plugins to scrub, and they remain until you start a new identity or exit the browser... I am not 100 percent certain that new identity properly scrubs cookies or JavaScript state either.)
At this point in time, assume any browser you use is allowing you to be spied on or your browsing habits correlated. The best you can hope for at the moment is a normal non-private browser instance, some of the TBB patches to 'standardize' browser information displayed to remote sites, uMatrix (edit config to set JavaScript and cookies off by default, and cookies scrubbed every few minutes, whitelist per site and only as needed) + uBlock + your usual privacy plugins. Anything less is leaking far more than you would like to discover.
(Score: 0) by Anonymous Coward on Monday June 24 2019, @10:25PM
It's a conspiracy!
(Score: 0) by Anonymous Coward on Saturday June 29 2019, @03:11PM
Because it's enabled on every sucker's browser!