A type confusion bug exists in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could exploit this by causing a denial of service, or executing arbitrary code.
Exploit code for CVE-2019-11707 on Firefox 66.0.3 running on Ubuntu
Exploit code for CVE-2019-11707 Full write-up can be found here
SpiderMonkey - CVE-2019-11707 Bug: bugschromiumorg/p/project-zero/issues/detail?id=1820 Screenshots Files exploitjs - Actual exploit, prepended by saelo's utiljs & Int64js stagerjs - Used for creating constants, prepended by saelo's utiljs & Int64js stagerpy - Used to assemble instructions using keystone Output is fed to stagerj
An updated collection of resources targeting browser-exploitation.
Browser-Pwn The world of Browsers is dominated by 4 major players: Chromium/Chrome (Blink-Engine) Firefox (Gecko-Engine) Safari (WebKit-Engine) Edge (Blink-Engine (former EdgeHTML-Engine) The following is split into two parts: Information that helps to understand their architecture and implementation and how to build them from sources Information that helps finding their cal
a list of web browser vulnerabilities
web-browser-vulnerabilities Steps for building old versions of Firefox: Steps for building old versions of Chrome: Firefox vulnerabilities This is a list of vulnerabilities that is reproducible in old versions of Firefox CVE ID Version Type Exploited? Link CVE-2017-7784 560 UAF CVE-2017-7828 560 UAF CVE-2018-5093 570 heap buffer overflow CVE-2018-5094 5
PoC in GitHub 2020 CVE-2020-0014 It is possible for a malicious application to construct a TYPE_TOAST window manually and make that window clickable This could lead to a local escalation of privilege with no additional execution privileges needed User action is needed for exploitationProduct: AndroidVersions: Android-80 Android-81 Android-9 Android-10Android ID: A-1286745
PoC auto collect from GitHub.
PoC in GitHub 2020 CVE-2020-0022 In reassemble_and_dispatch of packet_fragmentercc, there is possible out of bounds write due to an incorrect bounds calculation This could lead to remote code execution over Bluetooth with no additional execution privileges needed User interaction is not needed for exploitationProduct: AndroidVersions: Android-80 Android-81 Android-9 Andr
These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data.
According to Kaspersky Security Network,
Q2 2019 will be remembered for several events.
First, we uncovered a large-scale financial threat by the name of Riltok, which targeted clients of not only major Russian banks, but some foreign ones too.
Second, we detected the new Trojan.AndroidOS.MobOk malware, tasked with stealing money from mobil...
Mozilla has fixed a high-severity vulnerability in its Firefox browser being actively exploited in the wild.
The vulnerability (CVE-2019-11709) is separate from a critical flaw under active attack that was patched earlier this week (CVE-2019-11707). However, both vulnerabilities were discovered by Coinbase Security, who said that the flaws were being used in active spear phishing attacks targeting Coinbase employees.
The high-severity sandbox-escape flaw stems from insufficient vetti...
Patch released after crypto-currency biz sounded alarm
The development and release of a critical Firefox security patch this week was, in part, triggered by an attempted cyber-heist of crypto-coin exchange Coinbase.
Tor Browser has updated to version 8.5.2, to address a critical security flaw in Mozilla’s Firefox browser that is under active exploit in the wild.
The issue af...
The employees of Coinbase and other cryptocurrency firms were the target of an attack utilizing a recent Firefox zero-day and malware payloads in order to gain access to victim's computers, networks, and sensitive information.
This past week, Mozilla released an emergency Firefox update to fix a critical remote execution vulnerability that was actively used in targeted attacks in the wild. This bug was given a CVE ID of CVE-2019-11707 and was stated to have been reported by both Google P...
Just make sure you're running the latest version
Mozilla has released an emergency critical update for Firefox to squash a zero-day vulnerability that is under active attack.
This is a bad thing.
Mozilla released Firefox 72.0.1 and Firefox ESR 68.4.1 to patch a critical and actively exploited severity vulnerability that could potentially allow attackers to execute code or trigger crashes on machines running vulnerable Firefox versions.
As Mozilla's security advisory says, the Firefox developers are "aware of targeted attacks in the wild abusing this flaw" which could make it possible for attackers who successfully exploit it to abuse affected systems.
The Firefox and Fire...
Mozilla released Firefox 67.0.3 and Firefox ESR 60.7.1 to patch an actively exploited and critical severity vulnerability which could allow attackers to remotely execute arbitrary code on machines running vulnerable Firefox versions.
As Mozilla's security advisory says, the Firefox developers are "aware of targeted attacks in the wild abusing this flaw" which could allow attackers who exploit this vulnerability to take control of affected systems.
The Firefox and Firefox ESR zero-d...