Firefox Zero-Day Was Used In Attack Against Coinbase Employees, Not Its Users (zdnet.com)
An anonymous reader writes: A recent Firefox zero-day that has made headlines across the tech news world this week was actually used in attacks against Coinbase employees, and not the company's users. Furthermore, the attacks used not one, but two Firefox zero-days, according to Philip Martin, a member of the Coinbase security team, which reported the attacks to Mozilla. One was an RCE reported by a Google Project Zero security researcher to Mozilla in April, and the second was a sandbox escape that was spotted in the wild by the Coinbase team together with the RCE, on Monday.
The question here is how an attacker managed to get hold of the details for the RCE vulnerability and use it for his attacks after the vulnerability was privately reported to Mozilla by Google. The attacker could have found the Firefox RCE on his own, he could have bribed a Mozilla/Google insider, hacked a Mozilla/Google employee and viewed details about the RCE, or hacked Mozilla's bug tracker, like another attacker did in 2015.
Re: (Score:1, Insightful)
Are you a fucking idiot or what? EVERY PROGRAM EVER has zero days. Until they're discovered and patched, nobody knows about them and no they're not all predictable or a relic of "bad" code, AND THEY PATCH IT.
You're a moron. Your SJW fetish is on display bitch.
"use it for 'his' attacks" (Score:5, Funny)
Re: (Score:3)
Except in this instance, there is an implied negative connotation against males since the actions are negative so the feminists will be Ok. Basically, if there is credit, it must be shared and if there is something negative, point the finger. See, it is that simple.
Thanks Man! (Score:1)
The attacker could have found the Firefox RCE on his own, he could have bribed a Mozilla/Google insider, hacked a Mozilla/Google employee and viewed details about the RCE, or hacked Mozilla's bug tracker, like another attacker did in 2015.
Gee, thanks for narrowing it down!
Something reported two months ago is not "zero day (Score:4, Informative)
Re: (Score:3)
I've noticed the definition for this seems to be getting squishier and squishier too. I believe the root of "zero day" refers to the time between when a vendor learns a vulnerability exists, ("day zero") and when the patch is released. So by the strictest definition, "zero day" vulnerabilities are never completely unknown.
By this definition the April RCE would be considered zero day if it was known to Mozilla, but not to the public, and did not have a fix yet.
Lately it seems to more popularly refer to any v
Re: (Score:1)
A 0day is an exploit unknown to the vendor that is being used in the wild.
The real question here (Score:3)
The real question in my mind isn't how the hacker got a hold of the RCE vulnerability, it's: is that vulnerability fixed yet?
Firefox 67.0.3's release just mentioned fixing a problem that could crash the browser, so far as I know, not a fix for a much scarier RCE.