Firefox zero-day exploit (CVE-2019-11707 and CVE-2019-11708)

barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Firefox zero-day exploit (CVE-2019-11707 and CVE-2019-11708)

Post by barbaz »

https://arstechnica.com/information-tec ... s-on-macs/

I use Waterfox 68, and I believe it is patched against the Array.pop vulnerability (the one fixed in Firefox 67.0.3) but not the other one (which seems to be bug 1560192). Given that I run Waterfox in a firejail sandbox, how vulnerable am I to this on a site I allow in NoScript?
*Always* check the changelogs BEFORE updating that important software!
-
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Firefox zero-day exploit (CVE-2019-11707 and CVE-2019-11708)

Post by barbaz »

*Always* check the changelogs BEFORE updating that important software!
-
kukla
Senior Member
Posts: 317
Joined: Mon May 04, 2009 12:08 am

Re: Firefox zero-day exploit (CVE-2019-11707 and CVE-2019-11708)

Post by kukla »

Hi barbaz, not sure I understand the implications of the link in your second post (including Alex's eventual reply), but, apparently, as the second zero day has still not been patched, neither in the 52.6 (what I use) nor in the 68, I'm reluctantly running the FF ESR until a WF patch arrives. Can't keep browsing in WF not allowing any site with NoScript. Seems with the FF patches out now, it wouldn't be all that difficult for someone to reverse engineer an exploit that affects the forks. Or even publish and sell it somewhere, so any clown can use it.

Wondering how safe you feel continuing to run the 68, as yet unpatched?
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Firefox/60.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Firefox zero-day exploit (CVE-2019-11707 and CVE-2019-11708)

Post by barbaz »

Actually 68 is now patched - https://github.com/MrAlex94/Waterfox/co ... 2cb62dac36

I'm going to do a new build later today.
*Always* check the changelogs BEFORE updating that important software!
-
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Firefox zero-day exploit (CVE-2019-11707 and CVE-2019-11708)

Post by barbaz »

... and 56 is now patched as well - https://github.com/MrAlex94/Waterfox/co ... 79b17bccee
*Always* check the changelogs BEFORE updating that important software!
-
kukla
Senior Member
Posts: 317
Joined: Mon May 04, 2009 12:08 am

Re: Firefox zero-day exploit (CVE-2019-11707 and CVE-2019-11708)

Post by kukla »

barbaz wrote: Tue Jun 25, 2019 4:06 am ... and 56 is now patched as well - https://github.com/MrAlex94/Waterfox/co ... 79b17bccee
Above, for the 68, you say "I'm going to do a new build later today."

Not seeing anything new for the 56 actually released to users. This is well above my pay grade, but do you mean that based on that github commit you linked, you are going to do a new build for yourself? I have less than zero idea how to do that for the 56, if that's what you mean. Certainly isn't patched for me.

At the reddit site, the dev says "I'm not so sure - it's a very targeted attack vector. Still, it is important, but I may push it out with the other security fixes in two weeks time."
https://www.reddit.com/r/waterfox/comme ... h_patched/
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Firefox/60.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Firefox zero-day exploit (CVE-2019-11707 and CVE-2019-11708)

Post by barbaz »

kukla wrote: Tue Jun 25, 2019 1:38 pm Above, for the 68, you say "I'm going to do a new build later today."

[...] This is well above my pay grade, but do you mean that based on that github commit you linked, you are going to do a new build for yourself?
Yeah, I do my own Waterfox builds from their latest gecko68 branch whenever it suits me.
kukla wrote: Tue Jun 25, 2019 1:38 pm I have less than zero idea how to do that for the 56, if that's what you mean.
The hard part is getting set up to do it. Once you're set up, building Waterfox is straightforward (although time-consuming).

Sorry I have no idea how to do the setup on Mac OS anymore or for anything current, it's been years since I built Gecko-based stuff on Mac OS.
*Always* check the changelogs BEFORE updating that important software!
-
kukla
Senior Member
Posts: 317
Joined: Mon May 04, 2009 12:08 am

Re: Firefox zero-day exploit (CVE-2019-11707 and CVE-2019-11708)

Post by kukla »

Looks like there's a lot of complacency around security for most WF users, at least those who participate in the support site. And sometimes, especially for this issue, the dev included, who's trying to juggle too many balls at once, wants to be all things to all people -- different devices, formats, versions, OSs (perhaps to maximize contributions?), and becomes neglectful. Too much for a one man band. Until now, I've pretty much been living with the usual security patch delays, but this one is nothing to take chances with. I'm pretty pissed off about his decision to postpone a patch for the second zero day. Makes me want to give up on WF completely.
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Firefox/60.0
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Firefox zero-day exploit (CVE-2019-11707 and CVE-2019-11708)

Post by therube »

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:52.0) Gecko/20100101 SeaMonkey/2.49.5
kukla
Senior Member
Posts: 317
Joined: Mon May 04, 2009 12:08 am

Re: Firefox zero-day exploit (CVE-2019-11707 and CVE-2019-11708)

Post by kukla »

I'm in no position to evaluate this claim by the WF dev, but just wonder if this really lets WF unpatched for #2 zero-day off the hook:
Unfortunately I am travelling and it’s difficult. But from what I’ve seen in the bug reports this is a sandbox escape, which in of itself needs another exploit to do anything...Of course it’s an important issue, but unless there’s another zero-day it should be okay until I can sit and release. https://www.reddit.com/r/waterfox/comme ... h_patched/
From the FF release notes:
When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer. https://www.mozilla.org/en-US/security/ ... sa2019-19/
Not really sure why an "additional vulnerability" would have to mean a new zero-day.

In the meantime, not taking any chances, and continuing to run FF.
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Firefox/60.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Firefox zero-day exploit (CVE-2019-11707 and CVE-2019-11708)

Post by barbaz »

Well, now it's different than when I started this thread. Now Mozilla is going to release Firefox 68 TOMORROW, and with that a new batch of vulnerabilities will be disclosed. Likely some of those will apply to Waterfox 56 as well. I would *not* feel comfortable risking the combo of a known zero-day "gateway vulnerability" that's been sitting around a while + a fresh batch of publicly known vulnerabilities.

As I see it, if you can't build Waterfox yourself from latest source, you have two options for using Waterfox fairly safely:

1) Run Waterfox in a sandbox inside a disposable VM whenever you want to (Temp-)Allow a new/unknown site in NoScript. I use Xubuntu 18.04 64-bit, VirtualBox (currently latest 5.2.x), and firejail sandboxing.
(For surfing where you just stick to known-trusted sites or don't allow any other site to run JS - if you have NoScript and uBlock Origin appropriately configured, you're probably fine, since this is a JS exploit.)

2) As this specific patch only patches JS files, you could see if the patch can be "hacked" directly into omni.ja.

If it were me, I'd probably go with option (1) first, and maybe use the disposable VM to investigate option (2).
*Always* check the changelogs BEFORE updating that important software!
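
Related to option (2) in the post above, an added example (not part of the thread and not Waterfox's own code): omni.ja is a zip-format archive, so a read-only check can show whether the JS files inside an installed archive match the patched source files. The member paths and file contents below are constructed placeholders, not the real patch, and the sketch assumes the archive opens with Python's `zipfile`.

```python
import hashlib
import io
import zipfile


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_archive(archive, patched_files):
    """Compare members of a zip-format archive (such as omni.ja) with patched sources.

    archive: path or file-like object.
    patched_files: {member path inside the archive: bytes of the patched file}.
    Returns {member path: "patched" | "differs" | "missing"}.
    """
    status = {}
    with zipfile.ZipFile(archive) as zf:
        names = set(zf.namelist())
        for member, wanted in patched_files.items():
            if member not in names:
                status[member] = "missing"
            elif sha256(zf.read(member)) == sha256(wanted):
                status[member] = "patched"
            else:
                status[member] = "differs"
    return status


def build_sample_archive(files):
    """Build an in-memory zip standing in for omni.ja (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf


# Constructed sample data: placeholder paths and contents, not the real patch.
PATCHED = {
    "modules/ExampleA.jsm": b"function check(x) { return validate(x); }\n",
    "modules/ExampleB.jsm": b"const limit = 1;\n",
    "modules/ExampleC.jsm": b"// new file added by the patch\n",
}
INSTALLED = {
    "modules/ExampleA.jsm": b"function check(x) { return validate(x); }\n",
    "modules/ExampleB.jsm": b"const limit = 0;\n",
}

if __name__ == "__main__":
    for path, state in check_archive(build_sample_archive(INSTALLED), PATCHED).items():
        print(f"{state:8} {path}")
```

A "differs" result only means the bytes are not identical; line-ending or preprocessing differences between source and packaged files produce it too, so a mismatch calls for a manual diff rather than a conclusion.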
-
kukla
Senior Member
Posts: 317
Joined: Mon May 04, 2009 12:08 am

Re: Firefox zero-day exploit (CVE-2019-11707 and CVE-2019-11708)

Post by kukla »

I would *not* feel comfortable risking the combo of a known zero-day "gateway vulnerability" that's been sitting around a while + a fresh batch of publicly known vulnerabilities.
That doesn't sound good at all. There's a bunch of new vulns. I will look into those suggestions for getting some kind of protection on to WF, so hopefully, won't get caught like this again. In the meantime, I think I'm just going to stick with the 60esr until WF gets all caught up. Which may take a very long time, considering.

Thanks for the tips. May have to come back and ask a few questions about #1 later.
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Firefox/60.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Firefox zero-day exploit (CVE-2019-11707 and CVE-2019-11708)

Post by barbaz »

barbaz wrote: Mon Jul 08, 2019 9:29 pm Well, now it's different than when I started this thread. Now Mozilla is going to release Firefox 68 TOMORROW, and with that a new batch of vulnerabilities will be disclosed. Likely some of those will apply to Waterfox 56 as well. I would *not* feel comfortable risking the combo of a known zero-day "gateway vulnerability" that's been sitting around a while + a fresh batch of publicly known vulnerabilities.
Good news is Alex is now currently in process of releasing updated Waterfox - https://www.reddit.com/r/waterfox/comme ... _security/

I guess this timing suggests he would agree with my assessment.
*Always* check the changelogs BEFORE updating that important software!
-
kukla
Senior Member
Posts: 317
Joined: Mon May 04, 2009 12:08 am

Re: Firefox zero-day exploit (CVE-2019-11707 and CVE-2019-11708)

Post by kukla »

Thanks, just got around to updating. Awaiting a patch, had been using FF for so long I quite got used to it. Now WF looks a bit strange to me. I realize that, besides being able to run the older XUL addons, at least in the 56.2, one of WF's main purported advantages, is that it doesn't send all that much back to the mothership. I had asked at the WF support forum quite a while ago, what about disabling everything telemetry in FF, and if that would bring the 2 more in line with each other regarding privacy. Never got a reply there, but wonder what you think?
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:60.6) Gecko/20100101 Firefox/60.6
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Firefox zero-day exploit (CVE-2019-11707 and CVE-2019-11708)

Post by therube »

(I think FF, Mozilla, should no longer be "trusted". You might use their product, but can no longer trust them.
Other than that, Quantum is in a state of continual change. Quantum has been known to reset users' settings. So the way you "lock down" FF, now, will be different - almost literally, tomorrow. Quantum can no longer be considered a stable application. And all that said, FF is still better than whatever else is out there [so essentially, only Chrome] - "legacy" browsers aside; SeaMonkey, Pale Moon, Waterfox...)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:52.0) Gecko/20100101 SeaMonkey/2.49.5