Mozilla patched two Firefox zero-day flaws in one week

Remember last week’s urgent warning over a Firefox remote code execution zero-day vulnerability – CVE-2019-11707 – that criminals were said to be exploiting in real-world attacks?

Two days later, it emerged that there was a second sandbox escape zero-day flaw, CVE-2019-11708, being used in conjunction with this as part of an organised campaign targeting cryptocurrency exchanges.

The first, as we explained, was a type confusion flaw “when manipulating JavaScript objects due to issues in Array.pop”, while the second was a sandbox escape giving access to the OS layer.

Two emergency zero days affecting a browser in one week counts as unusual, especially when they pop up as separate alerts two days apart, as part of targeted attacks on a single business sector.

The 18 June 2019 patch for the first fix took Firefox to 67.0.3 (ESR 60.7.1), while the second bumped that to 67.0.4 (ESR 60.7.2), the current version for the Tor browser, based on Firefox, is version 8.5.3).

But there was more – the zero days were intended to work together to facilitate a malware backdoor called Netwire that dates back several years and is known to infect macOS and Linux systems.

The first big clue about the campaign behind this emerged on 19 June 2019 when Philip Martin, chief information security officer for cryptocurrency exchange Coinbase tweeted:

On Monday, Coinbase detected & blocked an attempt by an attacker to leverage the reported 0-day, along with a separate 0-day Firefox sandbox escape, to target Coinbase employees.

This was reported to Mozilla on the same day while noting that it was aimed at the company itself rather than its customers:

We were not the only crypto org targeted in this campaign. We are working to notify other orgs we believe were also targeted. We’re also releasing a set of IOCs that orgs can use to evaluate their potential exposure.

Double trouble

An intriguing detail from all this is that the Google Project Zero researcher who reported the original CVE-2019-11707 vulnerability to Mozilla on 15 April 2019, Samuel Groß, seems to have made clear all along that it needed a separate sandbox escape to function.

The bug can be exploited for RCE but would then need a separate sandbox escape. However, most likely it can also be exploited for UXSS which might be enough depending on the attacker's goals. Looking forward to more details from @mozsec and @coinbase

— Samuel Groß (@5aelo) June 19, 2019

It’s not clear how the cybercriminals behind the attacks found out that the flaws worked as a pair but the involvement of Netwire emerged from Apple security expert Patrick Wardle of Digita Security, who was forwarded details of its involvement about it by a second unnamed victim.

Wardle even got hold of the phishing email used to target that company, which posed as a communication from Cambridge University’s Adams Prize for mathematics.

Netwire was first noticed in 2012 when it was known as OSX.Netwire. It’s since been modified significantly but retains the same basic purpose of stealing data from under victim’s noses. It’s different enough to bypass macOS’s XProtect anti-malware and Gatekeeper in 2019, without being completely distinct from the 2012 sample, observed Wardle:

If I had to guess, they are both written by the same author (or team) but serve unique purposes (i.e. the 2012 sample is only concerned with stealing passwords).

Separately, researcher Vitali Kremez raised the possibility that the mysterious Netwire might also have been used to target Windows computers, wielded by a threat group that exploited two recent zero days, namely CVE-2018-20250 (the infamous WinRAR flaw dating back 19 years), and CVE-2017-0261 (an Office remote code execution flaw).

In summary, anyone assuming that Apple and Firefox’s smaller user bases might afford them some protection from advanced cybercrime got a timely wakeup call.