-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2017.0199
           Security Updates for Mozilla Firefox and Firefox ESR
                             15 November 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Firefox
                      Firefox ESR
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Increased Privileges            -- Existing Account            
                      Cross-site Scripting            -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Provide Misleading Information  -- Remote with User Interaction
                      Access Confidential Data        -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2017-7842 CVE-2017-7840 CVE-2017-7839
                      CVE-2017-7838 CVE-2017-7837 CVE-2017-7836
                      CVE-2017-7835 CVE-2017-7834 CVE-2017-7833
                      CVE-2017-7832 CVE-2017-7831 CVE-2017-7830
                      CVE-2017-7828 CVE-2017-7827 CVE-2017-7826
Member content until: Friday, December 15 2017

OVERVIEW

        Multiple vulnerabilities have been identified in Mozilla Firefox
        prior to version 57 and Firefox ESR prior to version 52.5. [1,2]


IMPACT

        Vulnerabilities affecting Firefox and Firefox ESR:
        
        "#CVE-2017-7828: Use-after-free of PressShell while restyling layout
        
        A use-after-free vulnerability can occur when flushing and resizing layout
        because the PressShell object has been freed while still in use. This results in
        a potentially exploitable crash during these operations.
        
        References
        
        Bug 1406750
        Bug 1412252
        
        
        #CVE-2017-7830: Cross-origin URL information leak through Resource Timing API
        
        REPORTER
        Jun Kokatsu
        
        IMPACT
        HIGH
        
        Description
        The Resource Timing API incorrectly revealed navigations in cross-origin
        iframes. This is a same-origin policy violation and could allow for data theft
        of URLs loaded by users.
        
        References
        
        Memory safety bugs fixed in Firefox 57
        
        #CVE-2017-7826: Memory safety bugs fixed in Firefox 57 and Firefox ESR 52.5
        
        REPORTER
        Mozilla developers and community
        
        IMPACT
        CRITICAL
        
        Description
        Mozilla developers and community members Christian Holler, David Keeler, Jon
        Coppeard, Julien Cristau, Jan de Mooij, Jason Kratzer, Philipp, Nicholas
        Nethercote, Oriol Brufau, André Bargull, Bob Clary, Jet Villegas, Randell Jesup,
        Tyson Smith, Gary Kwong, and Ryan VanderMeulen reported memory safety bugs
        present in Firefox 56 and Firefox ESR 52.4. Some of these bugs showed evidence
        of memory corruption and we presume that with enough effort that some of these
        could be exploited to run arbitrary code." [1,2]
        
        
        Vulnerabilities particular to Firefox:
        
        "#CVE-2017-7831: Information disclosure of exposed properties on JavaScript proxy objects
        
        REPORTER
        Oriol Brufau
        
        IMPACT
        MODERATE
        
        Description
        
        A vulnerability where the security wrapper does not deny access to some exposed
        properties using the deprecated exposedProps mechanism on proxy objects. These
        properties should be explicitly unavailable to proxy objects.
        
        References
        
        Bug 1392026
        
        #CVE-2017-7832: Domain spoofing through use of dotless 'i' character followed by accent markers
        
        REPORTER
        Jonathan Kew
        
        IMPACT
        MODERATE
        
        Description
        The combined, single character, version of the letter 'i' with any of the
        potential accents in unicode, such as acute or grave, can be spoofed in the
        addressbar by the dotless version of 'i' followed by the same accent as a second
        character with most font sets. This allows for domain spoofing attacks because
        these combined domain names do not display as punycode.
        
        References
        
        Bug 1408782
        
        #CVE-2017-7833: Domain spoofing with Arabic and Indic vowel marker characters
        
        REPORTER
        Rayyan Bijoora
        
        IMPACT
        MODERATE
        
        Description
        Some Arabic and Indic vowel marker characters can be combined with Latin
        characters in a domain name to eclipse the non-Latin character with some font
        sets on the addressbar. The non-Latin character will not be visible to most
        viewers. This allows for domain spoofing attacks because these combined domain
        names do not display as punycode.
        
        References
        
        Bug 1370497
        
        #CVE-2017-7834: data: URLs opened in new tabs bypass CSP protections
        
        REPORTER
        Jordi Chancel
        
        IMPACT
        MODERATE
        
        Description
        A data: URL loaded in a new tab did not inherit the Content Security Policy
        (CSP) of the original page, allowing for bypasses of the policy including the
        execution of JavaScript. In prior versions when data: documents also inherited
        the context of the original page this would allow for potential cross-site
        scripting (XSS) attacks.
        
        References
        
        Bug 1358009
        
        #CVE-2017-7835: Mixed content blocking incorrectly applies with redirects
        
        REPORTER
        Ben Kelly
        
        IMPACT
        MODERATE
        
        Description
        Mixed content blocking of insecure (HTTP) sub-resources in a secure (HTTPS)
        document was not correctly applied for resources that redirect from HTTPS to
        HTTP, allowing content that should be blocked, such as scripts, to be loaded on
        a page.
        
        References
        
        Bug 1402363
        
        #CVE-2017-7836: Pingsender dynamically loads libcurl on Linux and OS X
        
        REPORTER
        Ezra Caltum
        
        IMPACT
        MODERATE
        
        Description
        The "pingsender" executable used by the Firefox Health Report dynamically
        loads a system copy of libcurl, which an attacker could replace. This allows
        for privilege escalation as the replaced libcurl code will run with Firefox's
        privileges.
        Note: This attack requires an attacker have local system access and only affects
        OS X and Linux. Windows systems are not affected.
        
        References
        
        Bug 1401339
        
        #CVE-2017-7837: SVG loaded as <img> can use meta tags to set cookies
        
        REPORTER
        Jun Kokatsu
        
        IMPACT
        MODERATE
        
        Description
        SVG loaded through <img> tags can use <meta> tags within the SVG data to set cookies for that page.
        
        References
        
        Bug 1325923
        
        #CVE-2017-7838: Failure of individual decoding of labels in international domain
        names triggers punycode display of entire IDN
        
        REPORTER
        Corey Bonnell
        
        IMPACT
        LOW
        
        Description
        Punycode format text will be displayed for entire qualified international domain
        names in some instances when a sub-domain triggers the punycode display instead
        of the primary domain being displayed in native script and the sub-domain only
        displaying as punycode. This could be used for limited spoofing attacks due to
        user confusion.
        
        References
        
        Bug 1399540
        
        #CVE-2017-7839: Control characters before javascript: URLs defeats self-XSS prevention mechanism
        
        REPORTER
        Eric Lawrence
        
        IMPACT
        LOW
        
        Description
        Control characters prepended before javascript: URLs pasted in the addressbar
        can cause the leading characters to be ignored and the pasted JavaScript to be
        executed instead of being blocked. This could be used in social engineering and
        self-cross-site-scripting (self-XSS) attacks where users are convinced to copy
        and paste text into the addressbar.
        
        References
        
        Bug 1402896
        
        #CVE-2017-7840: Exported bookmarks do not strip script elements from user-supplied tags
        
        REPORTER
        Hanno Böck
        
        IMPACT
        LOW
        
        Description
        JavaScript can be injected into an exported bookmarks file by placing JavaScript
        code into user-supplied tags in saved bookmarks. If the resulting exported HTML
        file is later opened in a browser this JavaScript will be executed. This could
        be used in social engineering and self-cross-site-scripting (self-XSS) attacks
        if users were convinced to add malicious tags to bookmarks, export them, and
        then open the resulting file.
        
        References
        
        Bug 1366420
        
        #CVE-2017-7842: Referrer Policy is not always respected for <link> elements
        
        REPORTER
        Jun Kokatsu
        
        IMPACT
        LOW
        
        Description
        If a document’s Referrer Policy attribute is set to "no-referrer" sometimes
        two network requests are made for <link> elements instead of one. One of these
        requests includes the referrer instead of respecting the set policy to not
        include a referrer on requests.
        
        References
        
        Bug 1397064
        
        #CVE-2017-7827: Memory safety bugs fixed in Firefox 57
        
        REPORTER
        Mozilla developers and community
        
        IMPACT
        CRITICAL
        
        Description
        Mozilla developers and community members Boris Zbarsky, Carsten Book, Christian
        Holler, Byron Campen, Jan de Mooij, Jason Kratzer, Jesse Schwartzentruber,
        Marcia Knous, Randell Jesup, Tyson Smith, and Ting-Yu Chou reported memory
        safety bugs present in Firefox 56. Some of these bugs showed evidence of memory
        corruption and we presume that with enough effort that some of these could be
        exploited to run arbitrary code.
        
        References
        
        Memory safety bugs fixed in Firefox 57" [1]
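        The three IDN display issues above (CVE-2017-7832, CVE-2017-7833 and
        CVE-2017-7838) share one defender-side question: when may a domain
        label be shown in native script, and what should happen to the rest
        of the name when one label fails the test. The following Python
        example was added to this bulletin for illustration; it is not Mozilla's
        address-bar code and does not reproduce Mozilla's actual policy. It
        assumes a simplified rule: after NFC normalisation, a label is shown
        in Unicode only if no combining mark follows a Latin base letter, and
        the decision is taken per label so that one failing label does not
        force the whole name into punycode. The hostnames in the block are
        constructed samples.

```python
import unicodedata

# Added example (not Mozilla's or AusCERT's code). Assumed display policy:
# a label is shown in Unicode only if, after NFC normalisation, no
# combining mark follows a Latin base letter; otherwise that label alone
# is rendered as punycode while the other labels keep native script.


def _is_combining_mark(ch: str) -> bool:
    # Unicode general categories Mn, Mc and Me are combining marks
    return unicodedata.category(ch).startswith("M")


def _is_latin(ch: str) -> bool:
    return unicodedata.name(ch, "").startswith("LATIN")


def label_is_safe(label: str) -> bool:
    """True if the label may be displayed in native script.

    NFC first fuses legitimate sequences such as 'e' + U+0301 into the
    precomposed 'é'. A mark that still stands alone after a Latin letter
    (dotless 'i' U+0131 + U+0301, or an Arabic/Indic vowel sign after a
    Latin letter) has no precomposed form and renders as a look-alike of
    a plain Latin string with most fonts, so the label is not shown as is.
    """
    normalized = unicodedata.normalize("NFC", label)
    base_is_latin = False
    for ch in normalized:
        if _is_combining_mark(ch):
            if base_is_latin:
                return False
        else:
            base_is_latin = _is_latin(ch)
    return True


def to_punycode_label(label: str) -> str:
    # Raw punycode of the code points with the IDNA "xn--" prefix
    return "xn--" + label.encode("punycode").decode("ascii")


def display_domain(host: str) -> str:
    """Decide each label independently (the point of CVE-2017-7838):
    a failing label is shown as punycode, the others keep native script."""
    shown = []
    for label in host.split("."):
        norm = unicodedata.normalize("NFC", label)
        if norm.isascii() or label_is_safe(norm):
            shown.append(norm)
        else:
            shown.append(to_punycode_label(norm))
    return ".".join(shown)


if __name__ == "__main__":
    # Constructed sample hostnames, not real domains
    samples = [
        "caf\u00e9.example",                        # precomposed é: safe
        "cafe\u0301.example",                       # e + U+0301 fuses under NFC: safe
        "pa\u0131\u0301pal.example",                # dotless i + U+0301: punycode
        "t\u0650est.example",                       # Latin t + Arabic kasra: punycode
        "\u0939\u093f\u0902\u0926\u0940.example",   # Devanagari with vowel signs: safe
        "pa\u0131\u0301pal.b\u00fccher.example",    # only the first label is punycoded
    ]
    for host in samples:
        print(f"{host!r:48} -> {display_domain(host)}")
```

        The per-label loop is what separates the CVE-2017-7838 behaviour from
        the intended one: rendering the whole qualified name as punycode
        because a single sub-domain label failed hides the registrable domain
        from the user, which is itself a (limited) spoofing aid.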
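        CVE-2017-7835 is a reminder that a mixed-content decision taken once,
        on the URL a page originally asked for, is not enough when the fetch
        is redirected. The following Python example was added to this bulletin
        for illustration and is not Mozilla's code; it models the decision for
        an active sub-resource (a script) in a much simplified form. A
        "request chain" here is an assumed representation: the list of URLs
        fetched for one script element, including every redirect hop, first
        to last. The document URL and chains in the block are constructed.

```python
from typing import Sequence
from urllib.parse import urlsplit

# Added example (not Mozilla's or AusCERT's code): a simplified
# mixed-content decision for a script requested by an HTTPS document,
# with the flawed "check the initial URL only" variant beside the
# corrected "check every redirect hop" variant.

SECURE_SCHEMES = {"https", "wss"}


def _is_secure(url: str) -> bool:
    return urlsplit(url).scheme.lower() in SECURE_SCHEMES


def blocked_initial_only(document_url: str, chain: Sequence[str]) -> bool:
    """Flawed variant: the decision is taken on the URL the document
    asked for and never revisited when a redirect changes the scheme,
    so an HTTPS -> HTTP redirect is loaded instead of blocked."""
    if not _is_secure(document_url):
        return False  # a plain-HTTP document has no mixed content to block
    return not _is_secure(chain[0])


def blocked_every_hop(document_url: str, chain: Sequence[str]) -> bool:
    """Corrected variant: every URL in the chain, including each
    redirect target, must keep a secure scheme."""
    if not _is_secure(document_url):
        return False
    return any(not _is_secure(url) for url in chain)


def compare(document_url: str, chain: Sequence[str]) -> dict:
    """Return both decisions side by side for one request chain."""
    return {
        "initial_only": blocked_initial_only(document_url, chain),
        "every_hop": blocked_every_hop(document_url, chain),
    }


if __name__ == "__main__":
    DOC = "https://shop.example/checkout"  # constructed document URL
    # Constructed request chains for the script the document embeds
    chains = {
        "https only": ["https://cdn.example/lib.js"],
        "http from the start": ["http://cdn.example/lib.js"],
        "https redirected to http": ["https://cdn.example/lib.js",
                                     "http://cdn.example/lib.js"],
    }
    for name, chain in chains.items():
        print(f"{name:28} {compare(DOC, chain)}")
```

        Only the third chain separates the two variants: both block a script
        that is plain HTTP from the start, but the initial-only check lets
        the redirected one through, which is the behaviour the advisory
        describes. The same per-hop rule applies to any redirect-following
        fetch, not just scripts.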


MITIGATION

        Users are advised to upgrade to the latest versions to address
        these issues. [1,2]


REFERENCES

        [1] Mozilla Foundation Security Advisory 2017-24
            https://www.mozilla.org/en-US/security/advisories/mfsa2017-24

        [2] Mozilla Foundation Security Advisory 2017-25
            https://www.mozilla.org/en-US/security/advisories/mfsa2017-25

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----