-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2018.0146
                     Mozilla Thunderbird version 52.9
                                4 July 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Mozilla Thunderbird
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Cross-site Request Forgery      -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Read-only Data Access           -- Remote with User Interaction
                      Access Confidential Data        -- Remote with User Interaction
                      Reduced Security                -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2018-12374 CVE-2018-12373 CVE-2018-12372
                      CVE-2018-12368 CVE-2018-12366 CVE-2018-12365
                      CVE-2018-12364 CVE-2018-12363 CVE-2018-12362
                      CVE-2018-12360 CVE-2018-12359 CVE-2018-5188
Member content until: Friday, August 3 2018
Reference:            ASB-2018.0140
                      ASB-2018.0139
                      ESB-2018.1904

OVERVIEW

        Multiple security vulnerabilities have been identified in Mozilla
        Thunderbird prior to version 52.9. [1]


IMPACT

        The vendor has provided the following details regarding the
        vulnerabilities:
        
        "
        In general, these flaws cannot be exploited through email in the Thunderbird
        product because scripting is disabled when reading mail, but they are potential
        risks in browser or browser-like contexts.
        
        CVE-2018-12359: Buffer overflow using computed size of canvas element
        
        Reporter
            Nils
        Impact
            critical
        
        Description
        
        A buffer overflow can occur when rendering canvas content while adjusting the
        height and width of the <canvas> element dynamically, causing data to be
        written outside of the currently computed boundaries. This results in a
        potentially exploitable crash.
        
        References
        
          * Bug 1459162
        
        CVE-2018-12360: Use-after-free when using focus()
        
        Reporter
            Nils
        Impact
            critical
        
        Description
        
        A use-after-free vulnerability can occur when deleting an input element during
        a mutation event handler triggered by focusing that element. This results in a
        potentially exploitable crash.
        
        References
        
          * Bug 1459693
        
        CVE-2018-12372: S/MIME and PGP decryption oracles can be built with HTML
        emails
        
        Reporter
            Damian Poddebniak, Christian Dresen, Jens Müller, Fabian Ising, Sebastian
            Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk
        Impact
            high
        
        Description
        
        Decrypted S/MIME parts, when included in HTML crafted for an attack, can leak
        plaintext when included in an HTML reply/forward.
        
        References
        
          * Bug 1419417
        
        CVE-2018-12373: S/MIME plaintext can be leaked through HTML reply/forward
        
        Reporter
            Damian Poddebniak, Christian Dresen, Jens Müller, Fabian Ising, Sebastian
            Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk
        Impact
            high
        
        Description
        
        Decrypted S/MIME parts hidden with CSS or <plaintext> can leak plaintext when
        included in an HTML reply/forward.
        
        References
        
          * CVE-2018-12373
          * Suppress <plaintext> in email messages
        
        CVE-2018-12362: Integer overflow in SSSE3 scaler
        
        Reporter
            F. Alonso (revskills)
        Impact
            high
        
        Description
        
        An integer overflow can occur during graphics operations done by the
        Supplemental Streaming SIMD Extensions 3 (SSSE3) scaler, resulting in a
        potentially exploitable crash.
        
        References
        
          * Bug 1452375
        
        CVE-2018-12363: Use-after-free when appending DOM nodes
        
        Reporter
            Nils
        Impact
            high
        
        Description
        
        A use-after-free vulnerability can occur when script uses mutation events to
        move DOM nodes between documents, resulting in the old document that held the
        node being freed but the node still having a pointer referencing it. This
        results in a potentially exploitable crash.
        
        References
        
          * Bug 1464784
        
        CVE-2018-12364: CSRF attacks through 307 redirects and NPAPI plugins
        
        Reporter
            David Black
        Impact
            high
        
        Description
        
        NPAPI plugins, such as Adobe Flash, can send non-simple cross-origin requests,
        bypassing CORS by making a same-origin POST that does a 307 redirect to the
        target site. This allows for a malicious site to engage in cross-site request
        forgery (CSRF) attacks.
        
        References
        
          * Bug 1436241
        
        CVE-2018-12365: Compromised IPC child process can list local filenames
        
        Reporter
            Alex Gaynor
        Impact
            moderate
        
        Description
        
        A compromised IPC child process can escape the content sandbox and list the
        names of arbitrary files on the file system without user consent or
        interaction. This could result in exposure of private local files.
        
        References
        
          * Bug 1459206
        
        CVE-2018-12366: Invalid data handling during QCMS transformations
        
        Reporter
            OSS-Fuzz
        Impact
            moderate
        
        Description
        
        An invalid grid size during QCMS (color profile) transformations can result in
        an out-of-bounds read being interpreted as a float value. This could leak private
        data into the output.
        
        References
        
          * Bug 1464039
        
        CVE-2018-12368: No warning when opening executable SettingContent-ms files
        
        Reporter
            Abdulrahman Alqabandi
        Impact
            moderate
        
        Description
        
        Windows 10 does not warn users before opening executable files with the
        SettingContent-ms extension even when they have been downloaded from the
        internet and have the "Mark of the Web." Without the warning, unsuspecting
        users unfamiliar with this new file type might run an unwanted executable. This
        also allows a WebExtension with the limited downloads.open permission to
        execute arbitrary code without user interaction on Windows 10 systems.
        Note: this issue only affects Windows operating systems. Other operating
        systems are unaffected.
        
        References
        
          * Bug 1468217
          * The Tale of SettingContent-ms Files
        
        CVE-2018-12374: Using form to exfiltrate encrypted mail part by pressing enter
        in form field
        
        Reporter
            Hanno Boeck
        Impact
            low
        
        Description
        
        Plaintext of decrypted emails can leak when the user submits an embedded form
        by pressing the enter key within a text input field.
        
        References
        
          * Bug 1462910
        
        CVE-2018-5188: Memory safety bugs fixed in Firefox 60, Firefox ESR 60.1,
        Firefox ESR 52.9, and Thunderbird 52.9
        
        Reporter
            Mozilla developers and community
        Impact
            critical
        
        Description
        
        Mozilla developers and community members Alex Gaynor, Christoph Diehl,
        Christian Holler, Jason Kratzer, David Major, Jon Coppeard, Nicolas B. Pierron,
        Jason Kratzer, Marcia Knous, and Ronald Crane reported memory safety bugs
        present in Firefox 60, Firefox ESR 60, Firefox ESR 52.8, and Thunderbird 52.8.
        Some of these bugs showed evidence of memory corruption and we presume that
        with enough effort that some of these could be exploited to run arbitrary code.
        " [1]

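        The CSRF entry above (CVE-2018-12364) turns on one HTTP detail: a 307
        redirect makes the browser replay the same method, headers and body at
        the new URL, so a same-origin POST that never needed a CORS preflight
        becomes a cross-origin POST that still never gets one. The following is
        an added example written for this bulletin, not Mozilla's code, that
        models that redirect rule (RFC 7231, with the Fetch standard's "null"
        Origin after a cross-origin redirect) and shows the server-side check a
        target site can apply so that the missing preflight does not matter.
        The origins, URLs, request object and token are constructed for the
        example; treating a missing Origin header as untrusted is this
        example's own policy choice.

```python
"""Added example, not Mozilla's code: why the 307 redirect matters for the
CSRF issue in CVE-2018-12364 above, and a server-side check that does not
rely on a CORS preflight. Request, origins and URLs are constructed; the
redirect rules follow RFC 7231 and the Fetch standard's handling of Origin
after a cross-origin redirect, modelled here rather than taken from a browser."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

ATTACKER = "https://attacker.example"   # constructed origins
TARGET = "https://bank.example"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Request:
    method: str
    url: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


def origin_of(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def follow_redirect(req: Request, status: int, location: str) -> Request:
    """Model of what the browser sends next. 301/302 on a POST and 303 turn
    the request into a body-less GET; 307 and 308 replay the same method,
    headers and body at the new URL. That replay is what makes a same-origin
    POST that 307-redirects across origins equivalent to a cross-origin POST
    with no preflight. After a cross-origin redirect the Origin header is
    serialised as the literal "null" (Fetch standard), never as the target."""
    headers = dict(req.headers)
    if origin_of(location) != origin_of(req.url) and "Origin" in headers:
        headers["Origin"] = "null"
    if status in (307, 308):
        return Request(req.method, location, headers, req.body)
    if status in (301, 302, 303):
        headers.pop("Content-Type", None)
        return Request("GET", location, headers, b"")
    raise ValueError(f"not a redirect status: {status}")


def csrf_check(req: Request, own_origin: str,
               expected_token: Optional[str] = None) -> Tuple[bool, str]:
    """Server-side decision for a state-changing endpoint. It never relies on
    a preflight having happened: the Origin header must name this site, and,
    when the endpoint uses a synchroniser token, the token must match (a
    request redirected from another site cannot know it). A missing Origin
    on a non-safe method is treated as untrusted (this example's policy)."""
    if req.method.upper() in SAFE_METHODS:
        return True, "safe method"
    headers = {k.lower(): v for k, v in req.headers.items()}
    origin = headers.get("origin")
    if origin is None:
        return False, "no Origin header on state-changing request"
    if origin != own_origin:
        return False, f"cross-site Origin {origin!r}"
    if expected_token is not None and headers.get("x-csrf-token") != expected_token:
        return False, "missing or wrong CSRF token"
    return True, "same-origin request"


def simulate_attack() -> Tuple[Request, bool, str]:
    """Attacker page makes a same-origin, non-simple POST to its own server
    (no preflight needed); that server answers 307 pointing at the bank."""
    first = Request("POST", ATTACKER + "/relay",
                    {"Origin": ATTACKER, "Content-Type": "application/json"},
                    b'{"to": "mallory", "amount": 1000}')
    final = follow_redirect(first, 307, TARGET + "/api/transfer")
    ok, reason = csrf_check(final, TARGET, expected_token="t0k3n")
    return final, ok, reason


if __name__ == "__main__":
    final, ok, reason = simulate_attack()
    print(final.method, final.url, final.headers, final.body)
    print(ok, reason)
```

        The point of the model is the final request: still a POST, still
        carrying the JSON body and content type, now aimed at the target, and
        in a 2018 browser still carrying the target's cookies. Nothing on the
        client side distinguishes it from a legitimate request except the
        Origin value and the absence of a token the target issued, which is
        why the check belongs on the server rather than in CORS enforcement.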

MITIGATION

        Mozilla advises updating Thunderbird to version 52.9. [1]


REFERENCES

        [1] Mozilla Foundation Security Advisory 2018-18
            https://www.mozilla.org/en-US/security/advisories/mfsa2018-18/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----