Mozilla Patches Two Zero-Day Vulnerabilities in Firefox Used to Install Backdoors on Macs, Update Now

Mozilla has patched twozero-day security vulnerabilities in Firefox that allowed backdoors to be installed on Macs, bypassing Apple’s usual XProtect and Gatekeeper protections. Firefox users should update the browser immediately.


Ars Technica‘s Dan Goodin:

Mozilla released an update on Tuesday that fixed a code-execution vulnerability in a JavaScript programming method known as Array.pop. On Thursday, Mozilla issued a second patch fixing a privilege-escalation flaw that allowed code to break out of a security sandbox that Firefox uses to prevent untrusted content from interacting with sensitive parts of a computer operating system.

The zero-days were exploited by unnamed hackers this week, but so far, attacks are known only to have targeted Mac users involved in cryptocurrency.



As noted by Mac security expert Patrick Wardle, XProtect and Gatekeeper provided no protection in this case, as they only scan applications that have a quarantine flag set. Fortunately, this may change in macOS Catalina.

Firefox users on Mac should update the web browser to version 67.0.4 as soon as possible to keep themselves protected.

More details can be read at Ars Technica.