The first one was described as a "remote code execution" vulnerability that allowed remote attackers to run malicious code inside Firefox's native process.
The bug (CVE-2019-11707) was discovered on April 15 by a Google Project Zero researcher and reported to Mozilla, who only patched it this week after the Coinbase security team reported attacks exploiting the vulnerability, together with a second zero-day (CVE-2019-11708).
This second zero-day, which Mozilla described as a "sandbox escape," allowed threat actors to escape from the Firefox protected process and execute code on the underlying operating system.
When combined, the two bugs provide a quick avenue for running malicious code from within a website on a visiting user's computer.
Coinbase employees would receive spear-phishing emails containing links to malicious sites. If they clicked the links and visited the sites using Firefox, the page would download and run an info-stealer on their systems that would collect and exfiltrate browser passwords and other data.
The attacks were tailored for both Mac and Windows users, with different malware strains delivered for each OS. The attacks had been going on for weeks before being detected, and Coinbase said they also targeted other cryptocurrency organizations, not just its own employees.
The Firefox bugfix for the second zero-day is expected to land in the Tor Browser in the coming days. Today, the Tor Browser team updated to version 8.5.2, which includes the fix for the first zero-day.