===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2018.0110
            Firefox ESR 52.8 contains multiple vulnerabilities
                                10 May 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Mozilla Firefox ESR
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Access Confidential Data        -- Remote with User Interaction
                      Reduced Security                -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2018-5183 CVE-2018-5178 CVE-2018-5174
                      CVE-2018-5168 CVE-2018-5159 CVE-2018-5158
                      CVE-2018-5157 CVE-2018-5155 CVE-2018-5154
                      CVE-2018-5150  
Member content until: Saturday, June  9 2018
Reference:            ASB-2018.0109

OVERVIEW

        Multiple vulnerabilities have been identified in Mozilla Firefox ESR
        prior to version 52.8. [1]


IMPACT

        Mozilla have provided the following details regarding the 
        vulnerabilities:
        
        "
        #CVE-2018-5183: Backport critical security fixes in Skia
        
        Reporter
            Mozilla Developers
        Impact
            critical
        
        Description
        
        Mozilla developers backported selected changes in the Skia library to the ESR52
        branch of Firefox. These changes correct memory corruption issues including
        invalid buffer reads and writes during graphic operations.
        
        References
        
          * Bug 1454692
        
        #CVE-2018-5154: Use-after-free with SVG animations and clip paths
        
        Reporter
            Nils
        Impact
            high
        
        Description
        
        A use-after-free vulnerability can occur while enumerating attributes during
        SVG animations with clip paths. This results in a potentially exploitable
        crash.
        
        References
        
          * Bug 1443092
        
        #CVE-2018-5155: Use-after-free with SVG animations and text paths
        
        Reporter
            Nils
        Impact
            high
        
        Description
        
        A use-after-free vulnerability can occur while adjusting layout during SVG
        animations with text paths. This results in a potentially exploitable crash.
        
        References
        
          * Bug 1448774
        
        #CVE-2018-5157: Same-origin bypass of PDF Viewer to view protected PDF files
        
        Reporter
            Wladimir Palant
        Impact
            high
        
        Description
        
        Same-origin protections for the PDF viewer can be bypassed, allowing a
        malicious site to intercept messages meant for the viewer. This could allow the
        site to retrieve PDF files restricted to viewing by an authenticated user on a
        third-party website.
        
        References
        
          * Bug 1449898
        
        #CVE-2018-5158: Malicious PDF can inject JavaScript into PDF Viewer
        
        Reporter
            Wladimir Palant
        Impact
            high
        
        Description
        
        The PDF viewer does not sufficiently sanitize PostScript calculator functions,
        allowing malicious JavaScript to be injected through a crafted PDF file. This
        JavaScript can then be run with the permissions of the PDF viewer by its
        worker.
        
        References
        
          * Bug 1452075
        
        #CVE-2018-5159: Integer overflow and out-of-bounds write in Skia
        
        Reporter
            Ivan Fratric
        Impact
            high
        
        Description
        
        An integer overflow can occur in the Skia library due to 32-bit integer use in
        an array without integer overflow checks, resulting in possible out-of-bounds
        writes. This could lead to a potentially exploitable crash triggerable by web
        content.
        
        References
        
          * Bug 1441941
        
        #CVE-2018-5168: Lightweight themes can be installed without user interaction
        
        Reporter
            Wladimir Palant
        Impact
            moderate
        
        Description
        
        Sites can bypass security checks on permissions to install lightweight themes
        by manipulating the baseURI property of the theme element. This could allow a
        malicious site to install a theme without user interaction which could contain
        offensive or embarrassing images.
        
        References
        
          * Bug 1449548
        
        #CVE-2018-5174: Windows Defender SmartScreen UI runs with less secure behavior
        for downloaded files in Windows 10 April 2018 Update
        
        Reporter
            Jimmy
        Impact
            moderate
        
        Description
        
        In the Windows 10 April 2018 Update, Windows Defender SmartScreen honors the
        SEE_MASK_FLAG_NO_UI flag associated with downloaded files and will not show any
        UI. Files that are unknown and potentially dangerous will be allowed to run
        because SmartScreen will not prompt the user for a decision, and if the user is
        offline all files will be allowed to be opened because Windows won't prompt the
        user to ask what to do. Firefox incorrectly sets this flag when downloading
        files, leading to less secure behavior from SmartScreen.
        Note: this issue only affects Windows 10 users running the April 2018 update or
        later. It does not affect other Windows users or other operating systems.
        
        References
        
          * Bug 1447080
        
        #CVE-2018-5178: Buffer overflow during UTF-8 to Unicode string conversion
        through legacy extension
        
        Reporter
            Root Object
        Impact
            moderate
        
        Description
        
        A buffer overflow was found during UTF8 to Unicode string conversion within
        JavaScript with extremely large amounts of data. This vulnerability requires
        the use of a malicious or vulnerable legacy extension in order to occur.
        
        References
        
          * Bug 1443891
        
        #CVE-2018-5150: Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8
        
        Reporter
            Mozilla developers and community
        Impact
            critical
        
        Description
        
        Mozilla developers and community members Christoph Diehl, Randell Jesup, Tyson
        Smith, Alex Gaynor, Ronald Crane, Julian Hector, Kannan Vijayan, and Jason
        Kratzer reported memory safety bugs present in Firefox 59 and Firefox ESR 52.7.
        Some of these bugs showed evidence of memory corruption and we presume that
        with enough effort that some of these could be exploited to run arbitrary code.
        
        " [1]


MITIGATION

        Users are advised to update to Firefox ESR version 52.8 to address
        these issues. [1]
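
        One way to check an inventory against this bulletin, as an added
        example that is not part of the AusCERT or Mozilla text. It assumes
        ESR builds report a version string ending in "esr", that the Windows
        10 April 2018 Update is OS build 17134, and uses constructed host
        records.

```python
import re

# CVE identifiers copied from the bulletin's "CVE Names" field.
BULLETIN_CVES = [
    "CVE-2018-5183", "CVE-2018-5178", "CVE-2018-5174", "CVE-2018-5168",
    "CVE-2018-5159", "CVE-2018-5158", "CVE-2018-5157", "CVE-2018-5155",
    "CVE-2018-5154", "CVE-2018-5150",
]
FIXED_ESR = (52, 8)  # fixed release named in the MITIGATION section
# Assumption, not stated in the bulletin: the Windows 10 April 2018 Update
# is OS build 17134; used only to scope CVE-2018-5174.
WIN10_APRIL_2018_BUILD = 17134

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.\d+)*(esr)?", re.IGNORECASE)


def parse_version(text):
    """Return ((major, minor), is_esr) from `firefox --version`-style text."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no Firefox version in {text!r}")
    return (int(match.group(1)), int(match.group(2))), bool(match.group(3))


def applicable_cves(version_text, os_name, win_build=0):
    """CVEs from this bulletin still open on a host; None if not an ESR build."""
    version, is_esr = parse_version(version_text)
    if not is_esr:
        return None  # regular-release Firefox is outside this bulletin
    if version >= FIXED_ESR:
        return []
    cves = list(BULLETIN_CVES)
    # CVE-2018-5174 only affects Windows 10 April 2018 Update or later.
    if not (os_name == "windows" and win_build >= WIN10_APRIL_2018_BUILD):
        cves.remove("CVE-2018-5174")
    return cves


# Constructed sample inventory: (host, version string, OS, Windows build).
SAMPLE_INVENTORY = [
    ("ws-01", "Mozilla Firefox 52.7.3esr", "windows", 17134),
    ("ws-02", "Mozilla Firefox 52.7.3esr", "linux", 0),
    ("ws-03", "Mozilla Firefox 52.8.0esr", "windows", 16299),
]

if __name__ == "__main__":
    for host, version_text, os_name, build in SAMPLE_INVENTORY:
        open_cves = applicable_cves(version_text, os_name, build)
        print(host, "PATCHED" if open_cves == [] else open_cves)
```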


REFERENCES

        [1] Mozilla Foundation Security Advisory 2018-12
            https://www.mozilla.org/en-US/security/advisories/mfsa2018-12/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================