Mozilla Patches Two Zero-Day Vulnerabilities in Firefox Used to Install Backdoors on Macs, Update Now

MacRumors

macrumors bot
Original poster
Apr 12, 2001
49,996
11,263



Mozilla has patched two zero-day security vulnerabilities in Firefox that allowed backdoors to be installed on Macs, bypassing Apple's usual XProtect and Gatekeeper protections. Firefox users should update the browser immediately.


Ars Technica's Dan Goodin:
Mozilla released an update on Tuesday that fixed a code-execution vulnerability in a JavaScript programming method known as Array.pop. On Thursday, Mozilla issued a second patch fixing a privilege-escalation flaw that allowed code to break out of a security sandbox that Firefox uses to prevent untrusted content from interacting with sensitive parts of a computer operating system.
The zero-days were exploited by unnamed hackers this week, but so far, attacks are known only to have targeted Mac users involved in cryptocurrency.

3/ We've seen no evidence of exploitation targeting customers. We were not the only crypto org targeted in this campaign. We are working to notify other orgs we believe were also targeted. We're also releasing a set of IOCs that orgs can use to evaluate their potential exposure. - Philip Martin (@SecurityGuyPhil) June 19, 2019

As noted by Mac security expert Patrick Wardle, XProtect and Gatekeeper provided no protection in this case, as they only scan applications that have a quarantine flag set. Fortunately, this may change in macOS Catalina.

Firefox users on Mac should update the web browser to version 67.0.4 as soon as possible to keep themselves protected.

More details can be read at Ars Technica.

Article Link: Mozilla Patches Two Zero-Day Vulnerabilities in Firefox Used to Install Backdoors on Macs, Update Now
 
  • Like
Reactions: NickName99

NoBoMac

Moderator
Staff member
Jul 1, 2014
2,891
1,216
How to know if one has been affected or not?
Another take-away: the Patrick Wardle blog post linked in the story. That blog has a link in there to the KnockKnock program, to scan for any issues.

KnockKnock can also reveal the infection (after the fact), by detecting the malware’s (2x) persistence:
 
Last edited:

Sasparilla

macrumors 65832
Jul 6, 2012
1,500
2,388
Thanks for the heads up, noticed my Mac Firefox updated yesterday (Thursday) for this on a restart.
 

JosephAW

macrumors 68040
May 14, 2012
3,249
3,812
What about macOS version that can't support FF 67? Any ESR updates or does this only effect modern engine?
 

MacBH928

macrumors 601
May 17, 2008
4,578
1,696
I really hate the modern software world, there is just no stability. You update an app today, tomorrow its another update. You just keep updating forever. I understand this is a security risk but I am tired of downloading the same app 3-4 times a week for "bug fixes and general improvements".

Back in the day, an update meant an upgrade and it happened at most once a year.
 
  • Like
Reactions: fairuz

coolfactor

macrumors 601
Jul 29, 2002
4,738
4,919
Vancouver, BC
I really hate the modern software world, there is just no stability. You update an app today, tomorrow its another update. You just keep updating forever. I understand this is a security risk but I am tired of downloading the same app 3-4 times a week for "bug fixes and general improvements".

Back in the day, an update meant an upgrade and it happened at most once a year.
We live in a very different world with software that's 100x more complex.

What you describe is exactly why Firefox and Chrome update automatically behind the scenes. If you don't update manually, it will update for you during your next app launch. At least that's the default behaviour.

With Firefox, you really don't have to do anything. What is your primary concern exactly? Do you leave your browser running for days at a time and don't like to restart it?
 

fairuz

macrumors 68020
Aug 27, 2017
2,486
2,589
Silicon Valley
We live in a very different world with software that's 100x more complex.

What you describe is exactly why Firefox and Chrome update automatically behind the scenes. If you don't update manually, it will update for you during your next app launch. At least that's the default behaviour.

With Firefox, you really don't have to do anything. What is your primary concern exactly? Do you leave your browser running for days at a time and don't like to restart it?
IDK about Chrome, but Firefox doesn't really update behind the scenes, rather it blocks you from using it as it updates next time you start. Wouldn't be so bad by itself, but when every single third-party app is doing that kind of thing, I can understand the frustration.

Also, game updates can be awful. One day your game breaks, or you have to wait for a 6GiB update, or they release updates that actually *remove* content due to licensing problems (GTA IV did this). Dude, I'd rather just pop in the disc and play. But idc about games anymore.
 

JosephAW

macrumors 68040
May 14, 2012
3,249
3,812
Official support goes all the way back to Mavericks, what are you running that you can't update?
Mac Pro 1,1. Snow Leopard. :p
Last official macOS is 10.7. Yeah yeah I know you can replace boot file with pikers file but I'd rather run an official OS from Apple. Oh course Windows X 64 bit runs fine.
 

ikramerica

macrumors 6502
Apr 10, 2009
449
433
The important thing about this article is pointing out that all versions of OS X are exposed as completely insecure because all it takes is a poorly coded trusted app to allow a third party to infiltrate your system.

I thought the whole point of OSX security was to specifically not let this happen.
 

justperry

macrumors G4
Aug 10, 2007
11,022
6,884
I'm a rolling stone.
The important thing about this article is pointing out that all versions of OS X are exposed as completely insecure because all it takes is a poorly coded trusted app to allow a third party to infiltrate your system.

I thought the whole point of OSX security was to specifically not let this happen.

Bit off topic but related.

Just a remark, not really a complaint.
Better use OS X/macOS.
It's been almost 5 years since Apple renamed OS X to macOS.
 

ScottishDuck

macrumors 6502a
Feb 17, 2010
565
246
Argyll, Scotland
Mac Pro 1,1. Snow Leopard. :p
Last official macOS is 10.7. Yeah yeah I know you can replace boot file with pikers file but I'd rather run an official OS from Apple. Oh course Windows X 64 bit runs fine.
You're going to have a lot more security issues than just this firefox bug if you're still on snow leopard
 
  • Like
Reactions: JosephAW

ikramerica

macrumors 6502
Apr 10, 2009
449
433
Bit off topic but related.

Just a remark, not really a complaint.
Better use OS X/macOS.
It's been almost 5 years since Apple renamed OS X to macOS.
True, but all versions if OS X, no longer being updated, are basically insecure.

macOS is still getting security updates at least back 3 if not to all 5 versions.
 

thisisnotmyname

macrumors 68020
Oct 22, 2014
2,348
4,931
known but velocity indeterminate
Mac Pro 1,1. Snow Leopard. :p
Last official macOS is 10.7. Yeah yeah I know you can replace boot file with pikers file but I'd rather run an official OS from Apple. Oh course Windows X 64 bit runs fine.
Looks like ESR 60.7.1 received the patch too but that's still only good back to Mavericks. I don't think Snow Leopard has been supported since Firefox 52 was released. I think you're out of luck :-(
 
  • Like
Reactions: JosephAW

MacBH928

macrumors 601
May 17, 2008
4,578
1,696
Which app did you download 4 times this week?
Microsoft Outlook seems to be, Amazon and eBay on weekly basis, so is Twitter. Its not surprising to download an app, and the next day you wake up there is a new update again.
[doublepost=1561240861][/doublepost]
We live in a very different world with software that's 100x more complex.

What you describe is exactly why Firefox and Chrome update automatically behind the scenes. If you don't update manually, it will update for you during your next app launch. At least that's the default behaviour.

With Firefox, you really don't have to do anything. What is your primary concern exactly? Do you leave your browser running for days at a time and don't like to restart it?
1-I have a lot of tabs open
2-For every bug they fix, another thing breaks or a feature is gone
3-I have used the same software for years and noticed 0 difference updating "bug fixes and improvements"

I don't understand why they say software today is more complex than it used to be. Maybe some new stuff, but a lot of the software does the same exact thing they used to do 2 decades ago. Microsoft Office, web browsers, instant messengers, PC games, Search engines.

The only new thing I see is Syncing and cloud backups, this didn't exist.
 

Gravydog316

macrumors 6502
May 17, 2016
424
155
Canada
I had to downgrade Firefox, since is used all my memory.. even with wifi off & no extensions active, etc, etc...
& Safari sucks & Chrome makes my laptop restart, so...
[doublepost=1561277122][/doublepost]
Which app did you download 4 times this week?
he means updating the app(s).
He's being facetious.
 

Morgenland

macrumors 6502a
May 28, 2009
870
859
Europe
I updated yesterday, but still don't use Firefox as my main browser. I am impressed by how much that browser has improved in terms of its elegance and design. It used to feel foreign on the Mac, but now it feels much more native.
Backdoors are not elegant ;-)
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.