Firefox zero-day exploit (CVE-2019-11707 and CVE-2019-11708)

Posted: Thu Jun 20, 2019 10:37 pm
by barbaz
https://arstechnica.com/information-tec ... s-on-macs/

I use Waterfox 68, and I believe it is patched against the Array.pop vulnerability (the one fixed in Firefox 67.0.3) but not the other one (which seems to be bug 1560192). Given that I run Waterfox in a firejail sandbox, how vulnerable am I to this on a site I allow in NoScript?

Re: Firefox zero-day exploit (CVE-2019-11707 and CVE-2019-11708)

Posted: Fri Jun 21, 2019 5:23 pm
by barbaz

Re: Firefox zero-day exploit (CVE-2019-11707 and CVE-2019-11708)

Posted: Mon Jun 24, 2019 1:54 pm
by kukla
Hi barbaz, not sure I understand the implications of the link in your second post (including Alex's eventual reply), but, apparently, as the second zero day has still not been patched, neither in the 52.6 (what I use) nor in the 68, I'm reluctantly running the FF ESR until a WF patch arrives. Can't keep browsing in WF not allowing any site with NoScript. Seems with the FF patches out now, it wouldn't be all that difficult for someone to reverse engineer an exploit that affects the forks. Or even publish and sell it somewhere, so any clown can use it.

Wondering how safe you feel continuing to run the 68, as yet unpatched?

Re: Firefox zero-day exploit (CVE-2019-11707 and CVE-2019-11708)

Posted: Mon Jun 24, 2019 5:10 pm
by barbaz
Actually 68 is now patched - https://github.com/MrAlex94/Waterfox/co ... 2cb62dac36

I'm going to do a new build later today.

Re: Firefox zero-day exploit (CVE-2019-11707 and CVE-2019-11708)

Posted: Tue Jun 25, 2019 4:06 am
by barbaz
... and 56 is now patched as well - https://github.com/MrAlex94/Waterfox/co ... 79b17bccee

Re: Firefox zero-day exploit (CVE-2019-11707 and CVE-2019-11708)

Posted: Tue Jun 25, 2019 1:38 pm
by kukla
barbaz wrote: Tue Jun 25, 2019 4:06 am ... and 56 is now patched as well - https://github.com/MrAlex94/Waterfox/co ... 79b17bccee
Above, for the 68, you say "I'm going to do a new build later today."

Not seeing anything new for the 56 actually released to users. This is well above my pay grade, but do you mean that based on that github commit you linked, you are going to do a new build for yourself? I have less than zero idea how to do that for the 56, if that's what you mean. Certainly isn't patched for me.

At the reddit site, the dev says "I'm not so sure - it's a very targeted attack vector. Still, it is important, but I may push it out with the other security fixes in two weeks time."
https://www.reddit.com/r/waterfox/comme ... h_patched/

Re: Firefox zero-day exploit (CVE-2019-11707 and CVE-2019-11708)

Posted: Tue Jun 25, 2019 2:38 pm
by barbaz
kukla wrote: Tue Jun 25, 2019 1:38 pm Above, for the 68, you say "I'm going to do a new build later today."

[...] This is well above my pay grade, but do you mean that based on that github commit you linked, you are going to do a new build for yourself?
Yeah, I do my own Waterfox builds from their latest gecko68 branch whenever it suits me.
kukla wrote: Tue Jun 25, 2019 1:38 pm I have less than zero idea how to do that for the 56, if that's what you mean.
The hard part is getting set up to do it. Once you're set up, building Waterfox is straightforward (although time-consuming).

Sorry I have no idea how to do the setup on Mac OS anymore or for anything current, it's been years since I built Gecko-based stuff on Mac OS.

Re: Firefox zero-day exploit (CVE-2019-11707 and CVE-2019-11708)

Posted: Wed Jun 26, 2019 2:38 pm
by kukla
Looks like there's a lot of complacency around security for most WF users, at least those who participate in the support site. And sometimes, especially for this issue, the dev included, who's trying to juggle too many balls at once, wants to be all things to all people -- different devices, formats, versions, OSs (perhaps to maximize contributions?), and becomes neglectful. Too much for a one-man band. Until now, I've pretty much been living with the usual security patch delays, but this one is nothing to take chances with. I'm pretty pissed off about his decision to postpone a patch for the second zero day. Makes me want to give up on WF completely.

Re: Firefox zero-day exploit (CVE-2019-11707 and CVE-2019-11708)

Posted: Tue Jul 02, 2019 4:05 pm
by therube

Re: Firefox zero-day exploit (CVE-2019-11707 and CVE-2019-11708)

Posted: Mon Jul 08, 2019 5:45 pm
by kukla
I'm in no position to evaluate this claim by the WF dev, but just wonder if this really lets WF, unpatched for the #2 zero-day, off the hook:
Unfortunately I am travelling and it’s difficult. But from what I’ve seen in the bug reports this is a sandbox escape, which in of itself needs another exploit to do anything...Of course it’s an important issue, but unless there’s another zero-day it should be okay until I can sit and release. https://www.reddit.com/r/waterfox/comme ... h_patched/
From the FF release notes:
When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer. https://www.mozilla.org/en-US/security/ ... sa2019-19/
Not really sure why an "additional vulnerability" would have to mean a new zero-day.

In the meantime, not taking any chances, and continuing to run FF.

Re: Firefox zero-day exploit (CVE-2019-11707 and CVE-2019-11708)

Posted: Mon Jul 08, 2019 9:29 pm
by barbaz
Well, now it's different than when I started this thread. Now Mozilla is going to release Firefox 68 TOMORROW, and with that a new batch of vulnerabilities will be disclosed. Likely some of those will apply to Waterfox 56 as well. I would *not* feel comfortable risking the combo of a known zero-day "gateway vulnerability" that's been sitting around a while + a fresh batch of publicly known vulnerabilities.

As I see it, if you can't build Waterfox yourself from latest source, you have two options for using Waterfox fairly safely:

1) Run Waterfox in a sandbox inside a disposable VM whenever you want to (Temp-)Allow a new/unknown site in NoScript. I use Xubuntu 18.04 64-bit, VirtualBox (currently latest 5.2.x), and firejail sandboxing.
(For surfing where you just stick to known-trusted sites or don't allow any other site to run JS - if you have NoScript and uBlock Origin appropriately configured, you're probably fine, since this is a JS exploit.)

2) As this specific patch only patches JS files, you could see if the patch can be "hacked" directly into omni.ja.

If it were me, I'd probably go with option (1) first, and maybe use the disposable VM to investigate option (2).
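A worked illustration of option (2), added here and not part of barbaz's post or of Waterfox's own tooling: omni.ja is a ZIP container (Firefox 56-era builds ship one in the install root and another under browser/), and Python's zipfile reads it, so a text-level patch can be applied to a member file and the archive rewritten. The archive contents, the member name "modules/Example.jsm", and the before/after lines are constructed for the demo; they are not the real CVE-2019-11708 patch, which you would take from the Waterfox commit linked above. The helper refuses to write an archive when the expected text is absent, so a patch that does not apply never looks like it did.

```python
"""Apply a text patch to one file inside a Mozilla omni.ja archive.

Added example, not Waterfox's or Mozilla's code. Assumes (labelled):
  - omni.ja is readable by zipfile (it is a ZIP with a nonstandard layout;
    the rewritten copy is a plain ZIP, which Gecko also loads);
  - the member being patched is UTF-8 text (true for .js/.jsm files).
"""
import tempfile
import zipfile
from pathlib import Path

# Constructed demo content; not a real Gecko module or a real patch.
SAMPLE_MEMBER = "modules/Example.jsm"
SAMPLE_OLD = "  return unsafeFunction(arg);\n"
SAMPLE_NEW = "  return safeFunction(arg);\n"


def patch_omni_ja(src: Path, dst: Path, member: str, old: str, new: str) -> int:
    """Copy src to dst, replacing `old` with `new` inside `member`.

    Returns the number of replacements. Raises KeyError if the member is
    missing and ValueError if `old` does not occur, and in both cases writes
    nothing, so a silent no-op cannot be mistaken for a successful patch.
    """
    with zipfile.ZipFile(src) as zin:
        if member not in zin.namelist():
            raise KeyError(f"{member} not found in {src}")
        text = zin.read(member).decode("utf-8")
        count = text.count(old)
        if count == 0:
            raise ValueError(f"expected text not found in {member}; patch does not apply")
        patched = text.replace(old, new).encode("utf-8")
        with zipfile.ZipFile(dst, "w", compression=zipfile.ZIP_DEFLATED) as zout:
            for info in zin.infolist():
                data = patched if info.filename == member else zin.read(info.filename)
                zout.writestr(info.filename, data)
    return count


def member_text(path: Path, member: str) -> str:
    """Read one member of an archive as UTF-8 text."""
    with zipfile.ZipFile(path) as z:
        return z.read(member).decode("utf-8")


def build_sample_omni_ja(path: Path) -> None:
    """Write a small archive shaped like omni.ja (constructed content)."""
    with zipfile.ZipFile(path, "w", compression=zipfile.ZIP_DEFLATED) as z:
        z.writestr("chrome.manifest", "manifest components/components.manifest\n")
        z.writestr("components/components.manifest", "")
        z.writestr(SAMPLE_MEMBER, "function f(arg) {\n" + SAMPLE_OLD + "}\n")


def demo() -> dict:
    """Round trip in a temp dir: build, patch, verify. Returns the checks."""
    with tempfile.TemporaryDirectory() as d:
        src = Path(d) / "omni.ja"
        dst = Path(d) / "omni.ja.patched"
        build_sample_omni_ja(src)
        n = patch_omni_ja(src, dst, SAMPLE_MEMBER, SAMPLE_OLD, SAMPLE_NEW)
        with zipfile.ZipFile(dst) as z:
            zip_ok = z.testzip() is None  # CRC check on every member
            names = sorted(z.namelist())
        # A patch whose pre-image is not present must be rejected, not ignored.
        try:
            patch_omni_ja(src, Path(d) / "never.ja", SAMPLE_MEMBER, "no such line\n", "x\n")
            rejected = False
        except ValueError:
            rejected = True
        return {
            "replacements": n,
            "patched": member_text(dst, SAMPLE_MEMBER),
            "untouched": member_text(dst, "chrome.manifest"),
            "names": names,
            "zip_ok": zip_ok,
            "missing_text_rejected": rejected,
        }


if __name__ == "__main__":
    print(demo())
```

Two practical caveats when doing this against a real install: keep a copy of the original omni.ja (the helper writes to a separate path for that reason), and clear the profile's startupCache directory afterwards, because Gecko caches JS loaded from omni.ja there and a stale cache can keep running the unpatched code while the archive on disk looks fixed.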

Re: Firefox zero-day exploit (CVE-2019-11707 and CVE-2019-11708)

Posted: Wed Jul 10, 2019 1:28 am
by kukla
I would *not* feel comfortable risking the combo of a known zero-day "gateway vulnerability" that's been sitting around a while + a fresh batch of publicly known vulnerabilities.
That doesn't sound good at all. There's a bunch of new vulns. I will look into those suggestions for getting some kind of protection on to WF, so hopefully, won't get caught like this again. In the meantime, I think I'm just going to stick with the 60esr until WF gets all caught up. Which may take a very long time, considering.

Thanks for the tips. May have to come back and ask a few questions about #1 later.

Re: Firefox zero-day exploit (CVE-2019-11707 and CVE-2019-11708)

Posted: Wed Jul 10, 2019 1:39 am
by barbaz
barbaz wrote: Mon Jul 08, 2019 9:29 pm Well, now it's different than when I started this thread. Now Mozilla is going to release Firefox 68 TOMORROW, and with that a new batch of vulnerabilities will be disclosed. Likely some of those will apply to Waterfox 56 as well. I would *not* feel comfortable risking the combo of a known zero-day "gateway vulnerability" that's been sitting around a while + a fresh batch of publicly known vulnerabilities.
Good news is Alex is now currently in process of releasing updated Waterfox - https://www.reddit.com/r/waterfox/comme ... _security/

I guess this timing suggests he would agree with my assessment.

Re: Firefox zero-day exploit (CVE-2019-11707 and CVE-2019-11708)

Posted: Thu Jul 11, 2019 2:17 pm
by kukla
Thanks, just got around to updating. Awaiting a patch, I had been using FF for so long that I quite got used to it. Now WF looks a bit strange to me. I realize that, besides being able to run the older XUL addons, at least in the 56.2, one of WF's main purported advantages is that it doesn't send all that much back to the mothership. I had asked at the WF support forum quite a while ago what about disabling everything telemetry in FF, and if that would bring the 2 more in line with each other regarding privacy. Never got a reply there, but wonder what you think?

Re: Firefox zero-day exploit (CVE-2019-11707 and CVE-2019-11708)

Posted: Thu Jul 11, 2019 2:56 pm
by therube
(I think FF, Mozilla, should no longer be "trusted". You might use their product, but can no longer trust them.
Other than that, Quantum is in a state of continual change. Quantum has been known to reset users' settings. So the way you "lock down" FF now will be different - almost literally, tomorrow. Quantum can no longer be considered a stable application. And all that said, FF is still better than whatever else is out there [so essentially, only Chrome] - "legacy" browsers aside; SeaMonkey, Pale Moon, Waterfox...)