Okay, folks, it’s time to update your Firefox web browser once again—yes, for the second time this week.
After patching a critical actively-exploited vulnerability in Firefox 67.0.3 earlier this week, Mozilla is now warning millions of its users about a second zero-day vulnerability that attackers have been found exploiting in the wild.
The newly patched issue (CVE-2019-11708) is a “sandbox escape” vulnerability, which if chained together with the previously patched “type confusion” bug (CVE-2019-11707), allows a remote attacker to execute arbitrary code on victims’ computers just by convincing them into visiting a malicious website.
Browser sandboxing is a security mechanism that keeps third-party processes isolated and confined to the browser, preventing them from damaging other sensitive parts of a computer’s operating system.
“Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process,” the advisory explains.
images from Hacker News