
Browser Security: Mozilla’s 2-for-1 Zero-Day Flaws

Browser zero-day vulnerabilities are the worst. Can we all agree on that? Recently, Mozilla patched not one, but two zero-day bugs in its Firefox browser in one week. The bugs were used in tandem by malicious actors to target the employees of Coinbase, a cryptocurrency exchange marketplace and wallet.

Mozilla announced that they “are aware of targeted attacks using this flaw” and urged all Firefox users to update their browser immediately following the latest discovery of a zero-day vulnerability.

Zero-day vulnerabilities can expose customers without warning and open them up to a potential breach.

Mozilla has been a leader in browser privacy controls and consumer data protection. But they are still a non-profit and, like any technology, bugs exist. Mozilla was aware of the bug (CVE-2019-11707) in April but only patched it in June, after Coinbase reported a spear-phishing campaign that used that zero-day bug combined with another zero-day bug (CVE-2019-11708) and lured employees to a website “designed to automatically download and run an info-stealer if it's loaded on Firefox. The malware they used worked on both Mac and Windows and could collect passwords and other data,” according to Engadget.com.

The Firefox browser zero-day bugs were a one-two punch. ZDNet.com reported that the first zero-day bug was a "remote code execution" vulnerability that allowed remote attackers to run malicious code inside Firefox's native process. The second zero-day was a “sandbox escape” that allowed malicious actors to bypass the Firefox protected process and execute code on the underlying operating system.

How Duo Helps With Zero-Day Browser Attacks

Whether your company uses Firefox or Chrome as a browser, it is difficult to know if or how much risk exists due to outdated devices, software or browsers.

Duo’s multi-factor authentication (MFA) gives you clear visibility into outdated devices. Duo offers built-in self-remediation software that automatically alerts users to update their software when a new patch is released — and stops devices from accessing risky applications until they do. And admins can set policies to allow or deny access based on what software version users have on their devices.

Another browser concern is the extension ecosystem, and it can be difficult for organizations to know which third-party extensions are compatible with their security standards. These extensions can be risky to user endpoint security and are often overlooked.

The CRXcavator

Duo Labs has created a free solution called CRXcavator (rhymes with “excavator”) that analyzes Chrome extensions and produces comprehensive security reports.

[Infographic: 2019 data showing how many extensions Duo has uncovered using CRXcavator]

When these events take place, most companies are reactive and are unable to avoid the risk they may pose to their firms. Duo Security believes in leveraging technology to close the gap between security and ease of use. Duo Trusted Access allows an organization to implement browser-based policies for all applications while simultaneously offering user-based remediation to eliminate the resource taxation historically placed on IT administrators.

Check out Duo for yourself and sign up for a free trial.