Last week, Mozilla Firefox released updates for a critical bug that hackers were exploiting in the wild (CVE-2019-11707). Now, a second zero-day bug (CVE-2019-11708) has been discovered, and hackers have used both flaws in tandem to target Coinbase employees.
The attack started as a spear-phishing campaign that lured Coinbase employees to a website built to automatically download and run an info-stealer when loaded in Firefox. Fortunately, Coinbase's security team was able to detect and block the attack.
“On Monday, Coinbase detected & blocked an attempt by an attacker to leverage the reported zero-day, along with a separate zero-day Firefox sandbox escape, to target Coinbase employees,” said Philip Martin, a member of the Coinbase security team, which reported the attacks to Mozilla.
Following the Coinbase team's notification, Mozilla issued a patch for the bug, which attackers could exploit to collect passwords and other data on both Windows and Mac.
In a statement to ZDNet, Samuel Gross, a security researcher at Google, said he reported a bug in Mozilla Firefox in April of this year. And it appears that two months after Gross’ discovery, “the bug was exploited in live attacks, along with a sandbox escape.”
At this time, it’s unclear how the Coinbase attackers knew about the vulnerability since Gross reported it via Mozilla’s private Bugzilla bug tracker.
Regardless, users are advised to update their browsers to Firefox 67.0.4 or Firefox ESR 60.7.2.