Scammers have found a roundabout to the previous evil cursor patch of Firefox to allow new attacks.
In an update from last week, Firefox patched a vulnerability that tech support scammers exploited in the wild to build artificial mouse cursors, in this way preventing users from quickly closing down malicious websites.
The flaw was discovered to be publicly exploited by UK-based security firm Sophos which reported their findings to Mozilla earlier this year. A fix of the bug was released last week with a version 79.0 of Firefox.
Named “evil cursor”, this vulnerability is a classic bug that exploits the code that allows website owners to modify the look of the cursor on their websites.
The change in the cursor’s look may seem pointless, but this is a feature that is often used for web-based games, web-enhanced reality, or virtual reality experiences in a browser. Nevertheless, for the regular web, cursor customization has opened room for malicious exploitation.
Malicious websites use “evil cursor” attacks to exploit the cursor’s settings in order to change its position and click area on the page. An evil cursor attack occurs when a normal mouse cursor is displayed in the top-left corner, for example, but its click area is actually somewhere else – it could be at the bottom-right corner, in the center or wherever the malicious actors set it. This creates a visual illusion for the user of where he sees the cursor and where it actually clicks.
Commonly, operators of different scam sites use evil cursor attack techniques in order to keep users stuck on their pages since the cursor difference between the location and the actual click area does not let them close tabs and pop-ups.
Chrome has been receiving fixes for evil cursor attacks by Google Since 2010, with the latest patch dating from March 2019. Mozilla is also a target for this kind of attacks and a scam group has found a way to abuse its previous evil cursor patch, dated from 2018, in order to allow new attacks.
According to information presented by researchers from Sophos, the abusers have created a deliberate infinite loop in the code of their site to prevent Firefox’s 2018 patch from operating, in this way efficiently rejecting Mozilla ‘s earlier fix and opening the door for new evil cursor attacks. Fortunately, Mozilla has already addressed that issue with a new fix, named CVE-2020-15654, which is available in the security section of their website.