-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT Security Bulletin ASB-2017.0199
        Security Updates for Mozilla Firefox and Firefox ESR
                           15 November 2017
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Firefox
                   Firefox ESR
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Increased Privileges            -- Existing Account
                   Cross-site Scripting            -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-7842 CVE-2017-7840 CVE-2017-7839 CVE-2017-7838
                   CVE-2017-7837 CVE-2017-7836 CVE-2017-7835 CVE-2017-7834
                   CVE-2017-7833 CVE-2017-7832 CVE-2017-7831 CVE-2017-7830
                   CVE-2017-7828 CVE-2017-7827 CVE-2017-7826
Member content until: Friday, December 15 2017

OVERVIEW

        Multiple vulnerabilities have been identified in Mozilla Firefox prior
        to version 57 and Firefox ESR prior to version 52.5. [1,2]

IMPACT

        Vulnerabilities affecting Firefox and Firefox ESR:

        "#CVE-2017-7828: Use-after-free of PressShell while restyling layout

        A use-after-free vulnerability can occur when flushing and resizing
        layout because the PressShell object has been freed while still in
        use. This results in a potentially exploitable crash during these
        operations.

        References
        Bug 1406750
        Bug 1412252

        #CVE-2017-7830: Cross-origin URL information leak through Resource
        Timing API

        REPORTER   Jun Kokatsu
        IMPACT     HIGH

        Description
        The Resource Timing API incorrectly revealed navigations in
        cross-origin iframes. This is a same-origin policy violation and
        could allow for data theft of URLs loaded by users.
        References
        Memory safety bugs fixed in Firefox 57

        #CVE-2017-7826: Memory safety bugs fixed in Firefox 57 and Firefox ESR
        52.5

        REPORTER   Mozilla developers and community
        IMPACT     CRITICAL

        Description
        Mozilla developers and community members Christian Holler, David
        Keeler, Jon Coppeard, Julien Cristau, Jan de Mooij, Jason Kratzer,
        Philipp, Nicholas Nethercote, Oriol Brufau, André Bargull, Bob Clary,
        Jet Villegas, Randell Jesup, Tyson Smith, Gary Kwong, and Ryan
        VanderMeulen reported memory safety bugs present in Firefox 56 and
        Firefox ESR 52.4. Some of these bugs showed evidence of memory
        corruption and we presume that with enough effort some of these could
        be exploited to run arbitrary code." [1,2]

        Vulnerabilities particular to Firefox:

        "#CVE-2017-7831: Information disclosure of exposed properties on
        JavaScript proxy objects

        REPORTER   Oriol Brufau
        IMPACT     MODERATE

        Description
        A vulnerability where the security wrapper does not deny access to
        some exposed properties using the deprecated exposedProps mechanism
        on proxy objects. These properties should be explicitly unavailable
        to proxy objects.

        References
        Bug 1392026

        #CVE-2017-7832: Domain spoofing through use of dotless 'i' character
        followed by accent markers

        REPORTER   Jonathan Kew
        IMPACT     MODERATE

        Description
        The combined, single character, version of the letter 'i' with any of
        the potential accents in unicode, such as acute or grave, can be
        spoofed in the addressbar by the dotless version of 'i' followed by
        the same accent as a second character with most font sets. This
        allows for domain spoofing attacks because these combined domain
        names do not display as punycode.

        References
        Bug 1408782

        #CVE-2017-7833: Domain spoofing with Arabic and Indic vowel marker
        characters

        REPORTER   Rayyan Bijoora
        IMPACT     MODERATE

        Description
        Some Arabic and Indic vowel marker characters can be combined with
        Latin characters in a domain name to eclipse the non-Latin character
        with some font sets on the addressbar.
        The non-Latin character will not be visible to most viewers. This
        allows for domain spoofing attacks because these combined domain
        names do not display as punycode.

        References
        Bug 1370497

        #CVE-2017-7834: data: URLs opened in new tabs bypass CSP protections

        REPORTER   Jordi Chancel
        IMPACT     MODERATE

        Description
        A data: URL loaded in a new tab did not inherit the Content Security
        Policy (CSP) of the original page, allowing for bypasses of the
        policy including the execution of JavaScript. In prior versions when
        data: documents also inherited the context of the original page this
        would allow for potential cross-site scripting (XSS) attacks.

        References
        Bug 1358009

        #CVE-2017-7835: Mixed content blocking incorrectly applies with
        redirects

        REPORTER   Ben Kelly
        IMPACT     MODERATE

        Description
        Mixed content blocking of insecure (HTTP) sub-resources in a secure
        (HTTPS) document was not correctly applied for resources that
        redirect from HTTPS to HTTP, allowing content that should be blocked,
        such as scripts, to be loaded on a page.

        References
        Bug 1402363

        #CVE-2017-7836: Pingsender dynamically loads libcurl on Linux and OS X

        REPORTER   Ezra Caltum
        IMPACT     MODERATE

        Description
        The "pingsender" executable used by the Firefox Health Report
        dynamically loads a system copy of libcurl, which an attacker could
        replace. This allows for privilege escalation as the replaced libcurl
        code will run with Firefox's privileges.
        Note: This attack requires an attacker have local system access and
        only affects OS X and Linux. Windows systems are not affected.

        References
        Bug 1401339

        #CVE-2017-7837: SVG loaded as <img> can use meta tags to set cookies

        REPORTER   Jun Kokatsu
        IMPACT     MODERATE

        Description
        SVG loaded through <img> tags can use <meta> tags within the SVG data
        to set cookies for that page.
        References
        Bug 1325923

        #CVE-2017-7838: Failure of individual decoding of labels in
        international domain names triggers punycode display of entire IDN

        REPORTER   Corey Bonnell
        IMPACT     LOW

        Description
        Punycode format text will be displayed for entire qualified
        international domain names in some instances when a sub-domain
        triggers the punycode display instead of the primary domain being
        displayed in native script and the sub-domain only displaying as
        punycode. This could be used for limited spoofing attacks due to user
        confusion.

        References
        Bug 1399540

        #CVE-2017-7839: Control characters before javascript: URLs defeats
        self-XSS prevention mechanism

        REPORTER   Eric Lawrence
        IMPACT     LOW

        Description
        Control characters prepended before javascript: URLs pasted in the
        addressbar can cause the leading characters to be ignored and the
        pasted JavaScript to be executed instead of being blocked. This could
        be used in social engineering and self-cross-site-scripting
        (self-XSS) attacks where users are convinced to copy and paste text
        into the addressbar.

        References
        Bug 1402896

        #CVE-2017-7840: Exported bookmarks do not strip script elements from
        user-supplied tags

        REPORTER   Hanno Böck
        IMPACT     LOW

        Description
        JavaScript can be injected into an exported bookmarks file by placing
        JavaScript code into user-supplied tags in saved bookmarks. If the
        resulting exported HTML file is later opened in a browser this
        JavaScript will be executed. This could be used in social engineering
        and self-cross-site-scripting (self-XSS) attacks if users were
        convinced to add malicious tags to bookmarks, export them, and then
        open the resulting file.

        References
        Bug 1366420

        #CVE-2017-7842: Referrer Policy is not always respected for <link>
        elements

        REPORTER   Jun Kokatsu
        IMPACT     LOW

        Description
        If a document's Referrer Policy attribute is set to "no-referrer"
        sometimes two network requests are made for <link> elements instead
        of one.
        One of these requests includes the referrer instead of respecting the
        set policy to not include a referrer on requests.

        References
        Bug 1397064

        #CVE-2017-7827: Memory safety bugs fixed in Firefox 57

        REPORTER   Mozilla developers and community
        IMPACT     CRITICAL

        Description
        Mozilla developers and community members Boris Zbarsky, Carsten Book,
        Christian Holler, Byron Campen, Jan de Mooij, Jason Kratzer, Jesse
        Schwartzentruber, Marcia Knous, Randell Jesup, Tyson Smith, and
        Ting-Yu Chou reported memory safety bugs present in Firefox 56. Some
        of these bugs showed evidence of memory corruption and we presume
        that with enough effort some of these could be exploited to run
        arbitrary code.

        References
        Memory safety bugs fixed in Firefox 57" [1]

MITIGATION

        Users are advised to upgrade to Firefox 57 or Firefox ESR 52.5 (or
        later) to address these issues. [1,2]

REFERENCES

        [1] Mozilla Foundation Security Advisory 2017-24
            https://www.mozilla.org/en-US/security/advisories/mfsa2017-24

        [2] Mozilla Foundation Security Advisory 2017-25
            https://www.mozilla.org/en-US/security/advisories/mfsa2017-25

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this security
bulletin.
===========================================================================
        Australian Computer Emergency Response Team
        The University of Queensland
        Brisbane
        Qld 4072

        Internet Email: auscert@auscert.org.au
        Facsimile:      (07) 3365 7031
        Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                        AusCERT personnel answer during Queensland business
                        hours which are GMT+10:00 (AEST).
                        On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWgvd9Yx+lLeg9Ub1AQjFVQ/+IWEwoGWVkVm+DuK1D7vlprjPzZrHR2oz
gMwcdaU0xZxFR1VE2ERhhHzHmlexKtIW6r/iMU9ZFbbrx8FP0EBumeCFYGyxl1ig
oX1wZuFvofv2MSw/7jqhLxx14zAZr8Czo+2q9GoCVt4fw3jy0wjeFNAmGWHD3BwO
0GQ0UMmLWe2JBA3sfzPBiTX6tQAFeY6pdIqN3paDAshSlq19WXB5BN4ORwi25QzN
brTZQ+LbqQekiRXwE5UKEqmA0STQkADBUrNlJanD2T7dr6BrdXhRrUkQEdPiCaFq
vDWcRCLS1bV5Bk+1w7qVuYoHkVV6s46/3pnjmNykYSmLySdGdLVWr3kN8iby+Nd5
jUbwZS9lUr+8XCAIcMY5XOQ+StSDniU+3LV0Eo0XjaakJFaLuzTaRYj9ofn7E0Am
G56T0zaLX5Y8uwfnVJA02hdqcnddhM33awiAujiUVtxF8EIKywy+eoAb63kAAGF9
rOcWiQqtCkkofAmorDLnE1/tvR2ru9TJvOFN5uvovkiEZtpWxRo6i+OsdqfLdgaU
5t/ewA9TeaS13ct+M1cUzSuubrdO36KHo0m6ZHgbDtwR6ykbHiUi3DFJwbQqOgjp
Z/T7mstHyipNBLO04ols9PFxx7sjNNszH9JcA/Zo9DOeTkrQdCQzBEEegxsNGodI
oP2BL5p0lHI=
=XPuq
-----END PGP SIGNATURE-----
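Added example for CVE-2017-7832 and CVE-2017-7833 above. It is editorial code, not part of the signed AusCERT bulletin and not Mozilla's address-bar implementation. Both spoofs share one mechanism: a combining mark placed after a Latin letter that it does not compose with under NFC, so the font draws something that looks like a precomposed letter while the code points differ. The check below flags exactly that condition per DNS label; the per-label punycode policy and the sample labels are assumptions constructed for the example.

```javascript
// Added example, not from the bulletin or from Mozilla: a hypothetical
// address-bar display check for the pattern behind CVE-2017-7832 and
// CVE-2017-7833. Both spoofs rely on a combining mark that does not compose
// with the preceding Latin letter under NFC, so the font draws it over that
// letter while the code points differ from the precomposed character.

// True when `label` still contains a combining mark (Unicode category M)
// attached to a Latin base letter after NFC normalization. A mark that can
// compose (i + U+0301 -> U+00ED) disappears under NFC and is not flagged.
function hasUncomposedCombiningMark(label) {
  let lastBase = null;
  for (const ch of Array.from(label.normalize("NFC"))) {
    if (/\p{M}/u.test(ch)) {
      if (lastBase !== null && /\p{Script=Latin}/u.test(lastBase)) return true;
    } else {
      lastBase = ch;
    }
  }
  return false;
}

// Per-label policy (assumed, not Firefox's algorithm): only the offending
// label would be shown in its punycode form, the rest in native script.
function labelsToShowAsPunycode(hostname) {
  return hostname.split(".").filter(hasUncomposedCombiningMark);
}

// Constructed samples (no real domains):
const SAMPLES = {
  composed:        "pa\u0069\u0301d",   // i + COMBINING ACUTE: NFC gives "pa\u00EDd"
  dotlessSpoof:    "pa\u0131\u0301d",   // DOTLESS I + COMBINING ACUTE: no precomposed form
  arabicMarkSpoof: "pa\u064Eypal",      // ARABIC FATHA drawn over the Latin "a"
};

// Verdict for each sample, keyed by sample name.
function demo() {
  return Object.fromEntries(
    Object.entries(SAMPLES).map(([name, label]) => [name, hasUncomposedCombiningMark(label)])
  );
}
```

Two points worth noting. The Arabic vowel marks (U+064E and its neighbours) carry Script=Inherited, so a plain mixed-script test on the label does not see them; the "mark left over after NFC" test does. The heuristic is deliberately coarse: a Latin letter carrying a legitimate mark that has no precomposed form is also sent to punycode, which is the safe direction for an address bar.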
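Added example for CVE-2017-7835 above; editorial code, not Firefox's loader and not part of the signed bulletin. The point of that entry is that a sub-resource requested over HTTPS can be redirected by the server to plain HTTP, so the mixed-content decision has to be taken again on every response in the chain. The redirect table, the active-content type set and the two loader functions are constructed for the example.

```javascript
// Added example, hypothetical loader logic rather than Firefox's: the
// condition behind CVE-2017-7835. Mixed content blocking has to be applied
// to every response in a redirect chain, because a sub-resource requested
// over HTTPS can be redirected to plain HTTP by the server.

// Assumption: a simplified two-class model in which these sub-resource
// types are "active" mixed content and are blocked in an HTTPS document.
const ACTIVE_TYPES = new Set(["script", "stylesheet", "iframe", "xhr", "fetch"]);

// Single-hop predicate: is loading `resourceUrl` of `type` into
// `documentUrl` blockable mixed content?
function isMixedActive(documentUrl, type, resourceUrl) {
  return new URL(documentUrl).protocol === "https:" &&
         ACTIVE_TYPES.has(type) &&
         new URL(resourceUrl).protocol !== "https:";
}

// Constructed redirect table standing in for server 3xx responses
// (null = final 200 response).
const REDIRECTS = {
  "https://cdn.example/lib.js": "http://cdn.example/lib.js",
  "http://cdn.example/lib.js": null,
  "https://cdn.example/ok.js": null,
};

// Vulnerable pattern: evaluate the policy once, on the initial request URL,
// then follow redirects without re-checking. Returns what was finally
// loaded, or where loading was blocked.
function loadCheckingInitialOnly(documentUrl, type, url, redirects = REDIRECTS, maxHops = 20) {
  if (isMixedActive(documentUrl, type, url)) return { blockedAt: url, loaded: null };
  let current = url;
  for (let hop = 0; hop <= maxHops; hop++) {
    const next = redirects[current];
    if (!next) return { blockedAt: null, loaded: current };
    current = next;
  }
  throw new Error("redirect limit exceeded");
}

// Hardened: re-evaluate the policy at every hop, including the final one.
function loadCheckingEveryHop(documentUrl, type, url, redirects = REDIRECTS, maxHops = 20) {
  let current = url;
  for (let hop = 0; hop <= maxHops; hop++) {
    if (isMixedActive(documentUrl, type, current)) return { blockedAt: current, loaded: null };
    const next = redirects[current];
    if (!next) return { blockedAt: null, loaded: current };
    current = next;
  }
  throw new Error("redirect limit exceeded");
}
```

With the constructed table, a script requested as https://cdn.example/lib.js from an HTTPS document ends up loaded from http://cdn.example/lib.js by the first loader and blocked at that hop by the second; in an HTTP document neither loader blocks anything, since there is no mixed content to speak of.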
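Added example for CVE-2017-7839 above; editorial code, not Mozilla's address-bar code and not part of the signed bulletin. The entry describes a prefix of control characters defeating the paste filter. The reason that works is that a URL parser (the WHATWG parser is what Node's URL class implements) strips leading and trailing C0 controls and spaces and removes ASCII tab and newline anywhere in the input before it reads the scheme, so a string comparison on the raw pasted text and the navigation that follows can disagree. The sample pastes are constructed for the example.

```javascript
// Added example, not Mozilla's address-bar code: the filtering mistake
// behind CVE-2017-7839 beside a parser-based check. The WHATWG URL parser
// strips leading and trailing C0 controls and spaces and removes ASCII tab
// and newline anywhere in the input before reading the scheme, so a string
// comparison on the raw pasted text can disagree with what will be navigated.

// Vulnerable pattern: scheme check on the raw pasted string. A single
// prepended control character defeats it.
function isBlockedNaive(pasted) {
  return pasted.toLowerCase().startsWith("javascript:");
}

// Hardened: parse the text the same way the navigation will, then test the
// resulting scheme. Unparseable input is not a javascript: URL (an address
// bar would treat it as a search term), so it is reported as not blocked.
function isBlockedParsed(pasted) {
  let url;
  try {
    url = new URL(pasted);
  } catch (err) {
    return false;
  }
  return url.protocol === "javascript:";
}

// Constructed paste samples:
const PASTES = [
  "javascript:alert(1)",
  "\u0001javascript:alert(1)",   // leading C0 control, as in the advisory
  " JavaScript:alert(1)",        // leading space, mixed-case scheme
  "java\tscript:alert(1)",       // tab inside the scheme name
  "https://example.test/",       // ordinary URL, must not be blocked
  "not a url",                   // search term, must not be blocked
];

// Returns [naiveVerdict, parsedVerdict] for each sample, in order.
function compareFilters(pastes = PASTES) {
  return pastes.map((p) => [isBlockedNaive(p), isBlockedParsed(p)]);
}
```

Only the first sample is caught by the naive filter; the parser-based check catches the first four and leaves the last two alone. The general rule this illustrates is to apply a scheme policy to the parsed URL, never to the text that the parser has not yet canonicalised.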