Mozilla Patches Two Zero-Day Vulnerabilities in Firefox Used to Install Backdoors on Macs, Update Now

Mozilla has patched two zero-day security vulnerabilities in Firefox that allowed backdoors to be installed on Macs, bypassing Apple's usual XProtect and Gatekeeper protections. Firefox users should update the browser immediately.

Ars Technica's Dan Goodin:

Mozilla released an update on Tuesday that fixed a code-execution vulnerability in a JavaScript programming method known as Array.pop. On Thursday, Mozilla issued a second patch fixing a privilege-escalation flaw that allowed code to break out of a security sandbox that Firefox uses to prevent untrusted content from interacting with sensitive parts of a computer operating system.

The zero-days were exploited by unnamed hackers this week, but so far, attacks are known only to have targeted Mac users involved in cryptocurrency.

3/ We’ve seen no evidence of exploitation targeting customers. We were not the only crypto org targeted in this campaign. We are working to notify other orgs we believe were also targeted. We’re also releasing a set of IOCs that orgs can use to evaluate their potential exposure.
— Philip Martin (@SecurityGuyPhil) June 19, 2019

As noted by Mac security expert Patrick Wardle, XProtect and Gatekeeper provided no protection in this case, as they only scan applications that have a quarantine flag set. Fortunately, this may change in macOS Catalina.

Firefox users on Mac should update the web browser to version 67.0.4 as soon as possible to keep themselves protected.

More details can be read at Ars Technica.

Tags: Mozilla, Firefox

Top Rated Comments

(View all)

___joshuaturner

24 weeks ago

Why does this article of rather large importance get stuck in the sidebar blog while articles about Google not making tablets anymore are in the main feed for everyone to see?

Rating: 18 Votes

Morod

24 weeks ago

THANKS!

Rating: 4 Votes

coolfactor

24 weeks ago

I updated yesterday, but still don't use Firefox as my main browser. I am impressed by how much that browser has improved in terms of its elegance and design. It used to feel foreign on the Mac, but now it feels much more native.

Rating: 3 Votes

Secondempire

24 weeks ago

And if you're using Tor Browser, don't forget to update it to version 8.5.3 (it's based on Firefox)

Rating: 3 Votes

thisisnotmyname

24 weeks ago

What about macOS version that can't support FF 67? Any ESR updates or does this only effect modern engine?

Official support goes all the way back to Mavericks, what are you running that you can't update?

Rating: 2 Votes

JosephAW

24 weeks ago

Official support goes all the way back to Mavericks, what are you running that you can't update?

Mac Pro 1,1. Snow Leopard. :p
Last official macOS is 10.7. Yeah yeah I know you can replace boot file with pikers file but I'd rather run an official OS from Apple. Oh course Windows X 64 bit runs fine.

Rating: 2 Votes

Narial Taster

24 weeks ago

How to know if one has been affected or not?

Rating: 1 Votes

nouveau_redneck

24 weeks ago

I really hate the modern software world, there is just no stability. You update an app today, tomorrow its another update. You just keep updating forever. I understand this is a security risk but I am tired of downloading the same app 3-4 times a week for "bug fixes and general improvements".

Back in the day, an update meant an upgrade and it happened at most once a year.

For real? You are complaining that security updates get pushed as soon as possible?

Rating: 1 Votes

thisisnotmyname

24 weeks ago

Looks like ESR 60.7.1 received the patch too but that's still only good back to Mavericks. I don't think Snow Leopard has been supported since Firefox 52 was released. I think you're out of luck :-(

Rating: 1 Votes