Warning: New Firefox 0-Day exploit

Security researcher Patrick Wardle has info on the creation of a persistent backdoor via Firefox exploit. He says, “Interestingly Apple created a signature for this malware in 2016, though none of the major AV engines detect it”

And he reports that two of his free Mac security apps can protect against it.

1 Like

Follow-up: Firefox released two patches to close this exploit, but it had already been used in the wild to target employees at CoinBase.

I was wondering if there was a way to find out if your system has been infected or not and was pointed to KnockKnock, which seems legit. I am a little skeptical of installing it as I don’t want an anti-virus app to slow down my Mac. Do you guys think it is a good idea to install it, check and then uninstall it or do you think it may persist and slow the system down?

I use a few apps from this developer and I have never had any problems with them. KnockKnock doesn’t slow anything down, and isn’t an antivirus app per se (though it integrates data from the separate VirusTotal, which is owned by Google). From the FAQ:

Q: KnockKnock found many applications, should I be worried? **
A: No. KnockKnock simply enumerates items that are automatically started; either during startup, during login, or during another application’s launch (e.g. browser extensions). Although signed-Apple items are filtered out by default, many legitimate 3rd-party items will likely be shown. Of course, the goal is that KnockKnock will also display any persistently installed malware.

Q: Ok, so how do I determine if something is malware?
A: By design KnockKnock itself doesn’t try to determine if something is malware or not. However, since VirusTotal is fully integrated into KnockKnock, known malware will be detected (and highlighted in red). The remaining items that are not flagged can be manually examined. Perhaps google the hash of the file, run strings on it, or if you are really concerned about a specific item, email me at patrick@objective-see.com and attach the file :slight_smile: