Firefox Drops F-Bomb on Zero-Day JavaScript-Triggering Vulnerability

Earlier this week, Firefox announced that an emergency patch had been released for what appeared to be a JavaScript-triggering vulnerability. According to Philip Martin, Coinbase’s head of cybersecurity, the flaw, which shall remain nameless henceforth, initially targeted Coinbase, a secure platform for buying and selling cryptocurrencies like Ethereum or the ever-popular Bitcoin.

Martin’s proof-of-concept revealed that the malware was able to seep into the machine during a cryptocurrency exchange by taking advantage of outdated JavaScript. The breach left a gap open, but the company refused to offer any comments on the type of malware.

Is my computer at risk if I continue to use Mozilla’s Firefox?

I really don’t think there’s any risk of this getting out of hand again. Or, at least, that’s what Martin’s statement appears to indicate. As of Thursday, Firefox has not one, but two patches, both aimed at fixing the cryptocurrency exchange issue. Why would you need two?

For that, let’s get back to what Martin had to say about this zero-day vulnerability. So, the security flaw that shall not be named was able to trigger a browser crash by targeting a specific piece of JavaScript. From there, it was able to infiltrate the machine and run malicious code.

Yes, I know that every browser has a built-in security sandbox that should, theoretically, be more than capable of containing such a fraud attempt, but it would seem that this malware was somehow capable of avoiding detection and detention.

Luckily for us, both issues have been dealt with, which means that Coinbase account holders can continue buying, selling, and stockpiling cryptocurrency without an issue. Well, this is one very happy ending nobody was hoping for, but there’s just one more thing on the plate: how exactly did the malware trigger the browser error in the first place?

As it happens, the viral payload was able to circumvent the usual safeguard through phishing. Yes, the nasty thing began wreaking havoc on your machine if you were oblivious enough to follow a link found in the body of an email or perhaps a pop-up ad on a spoofed website.

Well, at this point, these are all educated guesses since Firefox was careful enough not to blow the whistle on this little indiscretion.

That’s it for the home front. However, this doesn’t mean that the issue has been dealt with entirely. Patrick Wardle, the Mac cybersecurity think-tank, revealed that the very same issue could also give Mac users a run for their money.

What’s even more daunting is the fact that Mac cybersecurity experts have yet to find a fix for this issue. And, yes, it’s that bad – Wardle admitted that the unpatched gap could compromise machines that are up to date.

Wrap-up

Well, this isn’t good news for all those out there who wanted to give Coinbase a try. Of course, this is not the first time hackers have tried to spoof cryptocurrency websites, but it’s still a black mark for Firefox.

So, what’s your take on this whole Coinbase snafu and the company’s hush-hush policy? Hit the comments section and let me know.

About Daniel Sadler

Old-school PC gamer, poetry buff, cat lover, tech wiz. His writing career began almost two decades ago when he modestly acknowledged that hindsight or, lack thereof, can compromise security. He enjoys spending quality time with his friends and family. Most of his friends refer to Daniel as a "man of a few words, but, man, what words!" His interests include cybersecurity, IT, blogging, and, of course, everything related to technology.
