The vulnerability, CVE-2019-11707, is a type confusion in Array.pop. It has been fixed in Firefox 67.0.3 and in Firefox ESR 60.7.1. Mozilla announced the patch Tuesday, but the vulnerability was discovered by Samuel Groß of Google Project Zero on April 15. Mozilla implemented the fix after the digital currency exchange Coinbase reported that the vulnerability was being exploited in targeted spearphishing attacks.
"On Monday, June 17, 2019, Coinbase reported a vulnerability used as part of targeted attacks for a spear phishing campaign," Selena Deckelmann, senior director of Firefox Browser Engineering, told TechNewsWorld. "In less than 24 hours, we have issued a fix for the exploit."
The significance of the Coinbase hack
So far this year, tens of millions of dollars' worth of cryptocurrency has been stolen from exchanges, Cointelegraph said.
Cybercriminals stole almost a billion dollars in cryptocurrency in the third quarter of last year, according to Ciphertrace. The attack on Coinbase is in line with the trend.
The exchange has been targeted repeatedly. In 2018, a series of hacks cost more than 40 bitcoins.
In January, Coinbase temporarily froze all trading of Ethereum Classic after detecting an attack on the cryptocurrency's network.
Spearphishing attacks may be an attempt to gain control of most of the power of a blockchain network, in what is called a "51% attack".
David Vorick, co-founder of the blockchain-based file storage platform Sia, declared 2019 the year of the 51 percent attack.
Technical details of the flaw
A type confusion vulnerability can occur when handling JavaScript objects due to problems in Array.pop, Mozilla said.
An array in JavaScript is a single variable used to store multiple elements. It is usually used when developers want to store a list of elements and access them through a single variable.
A type, or data type, is a data attribute that tells the compiler or interpreter how the programmer wants to use the data. It restricts the values that an expression, such as a variable or a function, can assume by defining the operations that can be performed on the data, the meaning of the data, and how values of that type can be stored.
Type confusion occurs when a program uses one type to allocate or initialize a resource, such as an object, pointer, or variable, but later uses another type that is incompatible with the first one to access that resource. This can trigger logical errors because the resource does not have the expected properties. In some cases, this can lead to code execution.
The pop() method removes the last element from an array, returns that element, and changes the size of the array.
"Array.pop is typically used with Array.push to exclude and add new values to the array by developers," noted Usman Rahim, digital security and operations manager for The Media Trust.
"This technique is also used by many malicious agents to shuffle malicious code during execution," he told TechNewsWorld.
The level of threat
Groß said that the flaw can be exploited for remote code execution (RCE) and universal cross-site scripting (UXSS). Both methods have been widely used in past attacks by hackers.
RCE "will have the user at the mercy of an attacker completely compromising the application and the Web server," said Rahim. Sophisticated attackers who know what they are looking for "can cause a hard blow."
UXSS is equally dangerous because it opens doors for attackers to inject malicious code and to bypass or disable browser security features, he noted. It "can also be used as a first step to disabling security in conjunction with other attacks."
Most of the reported vulnerabilities "are theoretical with no evidence of active use," said Rob Enderle, principal analyst at Enderle Group.
"This has evidence of active use, which means it's known and people are already enjoying it," he told TechNewsWorld.
"Given that it was used in an attack, it is very dangerous, but it has been fixed," Enderle said. "This demonstrates that keeping your software products, especially browsers, up-to-date is extremely important. The patch remains your best defense."
* When a software vendor releases a product with a security issue that is unknown to both the vendor and antivirus companies, the vulnerability is called a zero-day.
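To act on the advice to keep browsers patched, the following added example (not from the original article or from Mozilla) checks Firefox version strings against the fixed releases named above, Firefox 67.0.3 and Firefox ESR 60.7.1. The host names, the sample inventory and the convention that ESR builds carry an `esr` suffix in their version string are assumptions.

```python
import re

# Fixed releases named in the article.
FIXED_RELEASE = (67, 0, 3)   # regular release channel
FIXED_ESR = (60, 7, 1)       # Extended Support Release channel

# Assumed format: MAJOR.MINOR[.PATCH] with an optional "esr" suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(esr)?$")

def parse_version(text):
    """Return ((major, minor, patch), is_esr); raise ValueError if unparseable."""
    m = _VERSION_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised Firefox version: {text!r}")
    major, minor, patch, esr = m.groups()
    return (int(major), int(minor), int(patch or 0)), esr is not None

def has_fix(text):
    """True if this build is at or past the fixed release for its channel."""
    version, is_esr = parse_version(text)
    return version >= (FIXED_ESR if is_esr else FIXED_RELEASE)

def audit(inventory):
    """Map host -> 'patched' | 'needs update' | 'unknown'."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = "patched" if has_fix(version) else "needs update"
        except ValueError:
            # Beta or vendor-modified strings: flag for manual review
            # instead of guessing.
            report[host] = "unknown"
    return report

# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE = {
    "ws-01": "67.0.3",
    "ws-02": "67.0.2",
    "ws-03": "60.7.1esr",
    "ws-04": "60.7.0esr",
    "ws-05": "67.0",      # missing patch component is treated as .0
    "ws-06": "68.0b3",    # beta string, not parsed
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" should be checked by hand, since an unparsed version string says nothing about whether the fix is present.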
Source: Linuxinsider.