Author

Topic: To all Firefox users, UPDATE your browser now before it's too late. (Read 383 times)

hero member
Activity: 1680
Merit: 655
Reports are already showing that hackers are able to exploit the bug for Remote Control Execution which makes the hacker gain control with their targeted web servers. Rumors are also telling that Coinbase might be the direct target with this kind of attack but there are still no reports of stolen fund from its users or for any websites out there yet. 
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
You should be able to disable this by going to about:config, searching for browser.tabs.unloadOnLowMemory, and changing from "true" to "false".

Thanks for this information Smiley

I try some other options in about:config which I found on internet and which should have fix this problem, but nothing is work at that time. I will try with your advice, but I must say that some other browsers I use now (Brave, Opera and even Chrome) are working much better then Firefox in terms of speed and loads of RAM. Yet this is just my subjective thinking, and I'm sure personal experience depends on user hardware and OS.
legendary
Activity: 2268
Merit: 18711
I'm just wondering if I'm at risk considering that I did browse my bank and logged in using FF yesterday?
An "exploitable crash", as this issue was, is just that - a way to crash your browser which results in arbitrary code being run on your machine. If your browser did not crash, then you personally were not attacked. If you have now updated, then it is no longer an issue for you.

wondering whether online-related services are also exploited.
It is possible there are companies or services still using an older version of Firefox who would still be at risk of being attacked, but there is nothing you or I could do about that.

So, it's a good idea to grab and old PC or Laptop, install the freshest Linux, and use it for online wallets and nothing else - no browsing, no emails, no programs.
Although that is good advice in general, it wouldn't necessarily have protected against this attack. This attack was via the official (and until recently most up-to-date) version of Firefox. It was used in the wild before being patched. The same kind of issue could arise with any other browser (and indeed, it has), or indeed with any OS or any other software which you use, even official and up to date versions. Having a clean install doesn't guarantee safety.
full member
Activity: 924
Merit: 221
Thank you for the quick alarm OP. I am always using firefox browser and I am not aware of this after I have read your thread. I am thankful that there are users here and a forum I can rely on especially in terms of technical aspects. This is why I always visit also this section and the meta section to follow for more updates in the cryptocurrency and in the forum.
legendary
Activity: 3472
Merit: 10611
usually when you report a vulnerability in an application it is best to include the affected version(s) in your title or the opening post. this helps users reading the board in the future to quickly check their app's version and see if it concerns them or not.
in this case versions below 67.0.3 are vulnerable.

P.S. this is just another case of "cold storage not affected" which shows importance of using it.
legendary
Activity: 3024
Merit: 2148
Stuff like this is why crypto users, especially those with serious amounts, should research security on their own. Big wallets should always be cold wallets, and when it's necessary to do some online operations, like trading on exchange, it's better to have a separate device for that purpose only. So, it's a good idea to grab and old PC or Laptop, install the freshest Linux, and use it for online wallets and nothing else - no browsing, no emails, no programs. This way even zero days like this one will be unlikely to hit you, as long as the exchange site is not hacked - but that is something that will always be outside of your control.
legendary
Activity: 3542
Merit: 1352
Cashback 15%
I have always used FF over Chrome and Edge for banking-related services and browsing that I need for the last few years. Never have encountered a single problem with them. I'm just wondering if I'm at risk considering that I did browse my bank and logged in using FF yesterday? I have already updated to the latest version and just wondering whether online-related services are also exploited. Good thing is I don't store wallets on my online machines, not even once.
legendary
Activity: 3234
Merit: 1375
Slava Ukraini!
Thanks for warning. I have enabled auto updates on Firefox. But now I just checked to be sure that I have latest version of browser installed. And I found that I have 67.0.2 version, not sure why 67.0.3 wasn't installed until now. So, I just updated it.
I'm not sure, but in recent months I got impression that various vulnerabilities appears on browsers more often than in past.
hero member
Activity: 1358
Merit: 635
Well, sandbox your FF or any browser  so that you  can go about your  day feeling safe. The essential point in this case is the lack of menace  to your OS on the part of  zero-day exploit (no matter which one is it) therefore  your browser  can be updated at any time.
copper member
Activity: 2142
Merit: 1305
Limited in number. Limitless in potential.
@bL4nkcode I know your Filipino as well, I guess it will be best too to post this onto our local board for some notice, I guess some users are using Firefox browser too in there, the more it is disseminated throughout the forum the better.
Thanks for the heads up, never thought of posting it there earlier. Will do that.
legendary
Activity: 2268
Merit: 18711
I think this attack could work just if you have cryptocurrencies held in web wallets , right?
No. An exploitable crash allows an attacker to execute code outwith the browser. Your entire system is potentially at risk.

So will Firefox install updates automatically with standard installation or is this something you need to check for updates in settings?
Click Help -> About Firefox. The latest version is currently 67.0.3 (assuming you are not using Beta or Nightly builds). If an update is available, a click box will be present prompting you to download it, and it will then install automatically after you restart Firefox. If you have the latest version already, instead of the click box you will see the words "Firefox is up to date".

What they do is to in order to reduce using of RAM, to unload any open page in tabs, so if user is switching between tabs that page will need to reload every time which is pretty irritating.
You should be able to disable this by going to about:config, searching for browser.tabs.unloadOnLowMemory, and changing from "true" to "false".
hero member
Activity: 2030
Merit: 578
No God or Kings, only BITCOIN.
Just updated my Firefox browser to the latest version 67.0.3 but mine is new as it just been installed recently from version 67.0.1 but just to be sure I've updated it to the new one. Seen this across telegram channels and group too about a possible attack, good thing it has been found by the Coinbase Security Team and Samuel Groß, a security researcher with Google.

@bL4nkcode I know your Filipino as well, I guess it will be best too to post this onto our local board for some notice, I guess some users are using Firefox browser too in there, the more it is disseminated throughout the forum the better.
copper member
Activity: 2142
Merit: 1305
Limited in number. Limitless in potential.
I think this kind of post should probably go in Beginner's and Help since it is not directly crypto related, but a lot of people will want to know about it.
Just moved...

Just curious, which browser do you use? I think firefox is the best out there, better privacy than chrome (which is almost a spyware), and have a bigger development team than Brave (which is the natural competitor in privacy terms). Maybe the new Edge may look interesting (as it is chromium based), but it is not stable yet.
I frequently use brave for browsing and accessing favorite sites while only use firefox for my work--developing websites. Never think of using edge as of now.
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
Thanks for the warning Wink

Firefox was my favorite browser for years, but about a month ago they add some new feature in browser because of which I had to stop using it. What they do is to in order to reduce using of RAM, to unload any open page in tabs, so if user is switching between tabs that page will need to reload every time which is pretty irritating. I try to disable that option which is called "Suspend Idle Tabs", but without success.

We know that Chrome is had a similar problem a few months ago, too bad that Firefox did not patch this exploit before hackers discovered it. However this will not affect too many users, all statistic show that less then 10% is using Firefox.
legendary
Activity: 2352
Merit: 6089
bitcoindata.science
I think this attack could work just if you have cryptocurrencies held in web wallets , right? if no browser is involved in your cryptocurrencies operations (like electrum / ledger nano) i see no much problem.

I just saw this article, though I'm not a firefox user but to those who are using it

Just curious, which browser do you use? I think firefox is the best out there, better privacy than chrome (which is almost a spyware), and have a bigger development team than Brave (which is the natural competitor in privacy terms). Maybe the new Edge may look interesting (as it is chromium based), but it is not stable yet.


I like this website a lot, and firefox is the top one recommended https://www.privacytools.io/browsers/
legendary
Activity: 2268
Merit: 18711
More information here: https://www.cybersecurity-help.cz/vdb/SB2019061805?affChecked=1

Quote
A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a type confusion error and execute arbitrary code on the target system.

An exploitable crash is much worse than it sounds, and they potentially allow an attack to run arbitrary code on your system. This is a serious issue and you should update immediately.

I think this kind of post should probably go in Beginners and Help since it is not directly crypto related, but a lot of people will want to know about it.
copper member
Activity: 2142
Merit: 1305
Limited in number. Limitless in potential.
I just saw this article, though I'm not a firefox user but to those who are using it, UPDATE your firefox browser to the latest patch version now.

According to the article a zero-day flaw was exploited

It’s not clear exactly what hackers are attempting to gain by actively exploiting this flaw, but stealing cryptocurrency is one guess

A zero day flaw is
A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw.

Btw, dunno what board should post this, so I just let this thread here, feel free to report to mod to move the thread. moved.
Jump to: