Mozilla, the parent company of the popular Firefox browser, will release the second patch in one week after another zero-day flaw was found. The first flaw allowed attackers to perform remote code execution on a vulnerable system and run malicious code execution, taking over a victim’s computer. The second bug was described as a sandbox escape and allows criminals to escape the Firefox-protected process and execute code on the underlying operating system. When these flaws are used together, it allows attackers easy access to the victim’s systems while using the attacker’s website. The primary target found by researchers was the staff of a cryptocurrency trading site named Coinbase. Coinbase employees would receive targeted phishing emails, otherwise known as spear-phishing, in the hopes that the employee was using Firefox and once they went to that site, the attacker would download an info-stealer malware to collect data from the victim. The malware was crafted so that it would infect both PC and Mac users. Coinbase stated that that the attackers targeted other cryptocurrency organizations as well.
Mozilla has released a new patch, Firefox 67.0.4 and Firefox ESR 60.7.2, and it is recommended that users apply this patch immediately. Both patches can be found through the Mozilla website.