Mozilla Patches Two Zero-Day Vulnerabilities in Firefox Used to Install Backdoors on Macs, Update Now

Mozilla has patched two zero-day security vulnerabilities in Firefox that allowed backdoors to be installed on Macs, bypassing Apple's usual XProtect and Gatekeeper protections. Firefox users should update the browser immediately.


Ars Technica's Dan Goodin:
Mozilla released an update on Tuesday that fixed a code-execution vulnerability in a JavaScript programming method known as Array.pop. On Thursday, Mozilla issued a second patch fixing a privilege-escalation flaw that allowed code to break out of a security sandbox that Firefox uses to prevent untrusted content from interacting with sensitive parts of a computer operating system.
The zero-days were exploited by unnamed hackers this week, but so far, attacks are known only to have targeted Mac users involved in cryptocurrency.


As noted by Mac security expert Patrick Wardle, XProtect and Gatekeeper provided no protection in this case, as they only scan applications that have a quarantine flag set. Fortunately, this may change in macOS Catalina.

Firefox users on Mac should update the web browser to version 67.0.4 as soon as possible to keep themselves protected.

More details can be read at Ars Technica.

Top Rated Comments

24 weeks ago
Why does this article of rather large importance get stuck in the sidebar blog while articles about Google not making tablets anymore are in the main feed for everyone to see?
Rating: 18 Votes
24 weeks ago
THANKS!
Rating: 4 Votes
24 weeks ago
I updated yesterday, but still don't use Firefox as my main browser. I am impressed by how much that browser has improved in terms of its elegance and design. It used to feel foreign on the Mac, but now it feels much more native.
Rating: 3 Votes
24 weeks ago
And if you're using Tor Browser, don't forget to update it to version 8.5.3 (it's based on Firefox).
Rating: 3 Votes
24 weeks ago

What about macOS versions that can't support FF 67? Any ESR updates, or does this only affect the modern engine?


Official support goes all the way back to Mavericks, what are you running that you can't update?
Rating: 2 Votes
24 weeks ago

Official support goes all the way back to Mavericks, what are you running that you can't update?

Mac Pro 1,1. Snow Leopard. :p
Last official macOS is 10.7. Yeah yeah I know you can replace boot file with pikers file but I'd rather run an official OS from Apple. Of course Windows X 64 bit runs fine.
Rating: 2 Votes
24 weeks ago
How to know if one has been affected or not?
Rating: 1 Votes
24 weeks ago

I really hate the modern software world, there is just no stability. You update an app today, tomorrow it's another update. You just keep updating forever. I understand this is a security risk but I am tired of downloading the same app 3-4 times a week for "bug fixes and general improvements".

Back in the day, an update meant an upgrade and it happened at most once a year.


For real? You are complaining that security updates get pushed as soon as possible?
Rating: 1 Votes
24 weeks ago

Mac Pro 1,1. Snow Leopard. :p
Last official macOS is 10.7. Yeah yeah I know you can replace boot file with pikers file but I'd rather run an official OS from Apple. Of course Windows X 64 bit runs fine.


Looks like ESR 60.7.1 received the patch too but that's still only good back to Mavericks. I don't think Snow Leopard has been supported since Firefox 52 was released. I think you're out of luck :-(
Rating: 1 Votes
24 weeks ago

Mac Pro 1,1. Snow Leopard. :p
Last official macOS is 10.7. Yeah yeah I know you can replace boot file with pikers file but I'd rather run an official OS from Apple. Of course Windows X 64 bit runs fine.


You're going to have a lot more security issues than just this Firefox bug if you're still on Snow Leopard.
Rating: 1 Votes