Firefox Users Warned to Patch Critical Flaw

Firefox users should update their browsers immediately to fix a critical zero-day vulnerability. Anyone using Firefox on a Windows, macOS or Linux desktop is at risk. Mozilla issued a patch Tuesday; however, the vulnerability was discovered by Samuel Groß of Google Project Zero on April 15. Mozilla implemented the fix after cryptocurrency exchange Coinbase reported exploitation of the vulnerability in targeted spear-phishing attacks. Hackers have been going after cryptocurrency with a vengeance.

The critical flaw (CVE-2019-11707) is a type confusion vulnerability in Array.pop, an array method used on JavaScript objects in Firefox. The vulnerability, which is under active attack, enables bad actors to take full control of systems running vulnerable Firefox versions.

“On Monday, June 17, 2019, Coinbase reported a vulnerability used as part of targeted attacks for a spear phishing campaign,” Selena Deckelmann, senior director of Firefox Browser Engineering, told Threatpost. “In less than 24 hours, we released a fix for the exploit.”

Critical Flaw

The flaw was discovered by Samuel Groß of Google Project Zero and the Coinbase Security team. In a Twitter thread, Groß said he found and reported the vulnerability on April 15 and that the first public fix was deployed “about a week ago.”

Essentially, because of the type confusion vulnerability, the object handled by the Array.pop method could be manipulated to execute malicious JavaScript on webpages.

“The bug can be exploited for RCE [remote code execution] but would then need a separate sandbox escape,” Groß said on Twitter. “However, most likely it can also be exploited for UXSS [universal cross-site scripting] which might be enough depending on the attacker’s goals.”

“We walked back the entire attack, recovered and reported the 0-day to firefox, pulled apart the malware and infra used in the attack and are working with various organization to continue burning down attacker infrastructure and digging into the attacker involved,” he said on Twitter.

On Twitter, Groß said he didn’t have any insights into the active exploitation of the flaw.

Mozilla has recently been stomping out critical flaws in its Firefox browser. In May, Mozilla patched several critical vulnerabilities with the release of its Firefox 67 browser. The worst of the bugs patched were two memory safety flaws that could allow attackers to take control of an affected system, according to a security bulletin issued by the United States Computer Emergency Readiness Team.

This story was updated on June 19 at 10 am ET with Mozilla comments, and on June 20 at 9 am ET with further information about the active exploitation attacks.
