Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Firefox IT

Firefox Zero-Day Was Used In Attack Against Coinbase Employees, Not Its Users (zdnet.com) 40

An anonymous reader writes: A recent Firefox zero-day that has made headlines across the tech news world this week was actually used in attacks against Coinbase employees, and not the company's users. Furthermore, the attacks used not one, but two Firefox zero-days, according to Philip Martin, a member of the Coinbase security team, which reported the attacks to Mozilla. One was an RCE reported by a Google Project Zero security researcher to Mozilla in April, and the second was a sandbox escape that was spotted in the wild by the Coinbase team together with the RCE, on Monday.

The question here is how an attacker managed to get hold of the details for the RCE vulnerability and use it for his attacks after the vulnerability was privately reported to Mozilla by Google. The attacker could have found the Firefox RCE on his own, he could have bribed a Mozilla/Google insider, hacked a Mozilla/Google employee and viewed details about the RCE, or hacked Mozilla's bug tracker, like another attacker did in 2015.

This discussion has been archived. No new comments can be posted.

Firefox Zero-Day Was Used In Attack Against Coinbase Employees, Not Its Users

Comments Filter:
  • by stevegee58 ( 1179505 ) on Thursday June 20, 2019 @11:41AM (#58794266) Journal
    How dare they assume the attacker's pronouns! Shame!
    • by deKernel ( 65640 )

      Except in this instance, there is an implied negative connotation against males since the actions are negative so the feminists will be Ok. Basically, if there is credit, it must be shared and if there is something negative, point the finger. See, it is that simple.

  • The attacker could have found the Firefox RCE on his own, he could have bribed a Mozilla/Google insider, hacked a Mozilla/Google employee and viewed details about the RCE, or hacked Mozilla's bug tracker, like another attacker did in 2015.

    Gee, thanks for narrowing it down!

  • One of the so-called zero day exploits was an RCE reported in April. I thought zero-day meant that was previously unknown, not just that wasn't previously in the wild.
    • I've noticed the definition for this seems to be getting squishier and squishier too. I believe the root of "zero day" refers to the time between when a vendor learns a vulnerability exists, ("day zero") and when the patch is released. So by the strictest definition, "zero day" vulnerabilities are never completely unknown.

      By this definition the April RCE would be considered zero day if it was known to Mozilla, but not to the public, and did not have a fix yet.

      Lately it seems to more popularly refer to any v

      • by Anonymous Coward

        A 0day is an exploit unknown to the vendor that is being used in the wild.

  • by thecombatwombat ( 571826 ) on Thursday June 20, 2019 @01:32PM (#58795180)

    The real question in my mind isn't how the hacker got a hold of the RCE vulnerability, it's is that vulnerability fixed yet?

    Firefox 67.0.3's release just mentioned fixing a problem that could crash the browser, so far as I know, not a fix for a much scarier RCE.

New crypt. See /usr/news/crypt.

Working...