Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT Security Bulletin ASB-2018.0146 Mozilla Thunderbird version 52.9 4 July 2018 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Mozilla Thunderbird Operating System: Windows UNIX variants (UNIX, Linux, OSX) Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction Cross-site Request Forgery -- Remote with User Interaction Denial of Service -- Remote with User Interaction Read-only Data Access -- Remote with User Interaction Access Confidential Data -- Remote with User Interaction Reduced Security -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2018-12374 CVE-2018-12373 CVE-2018-12372 CVE-2018-12368 CVE-2018-12366 CVE-2018-12365 CVE-2018-12364 CVE-2018-12363 CVE-2018-12362 CVE-2018-12360 CVE-2018-12359 CVE-2018-5188 Member content until: Friday, August 3 2018 Reference: ASB-2018.0140 ASB-2018.0139 ESB-2018.1904 OVERVIEW Multiple security vulnerabilities have been identified in Mozilla Thunderbird prior to version 52.9. [1] IMPACT The vendor has provided the following details regarding the vulnerabilities: " In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts. CVE-2018-12359: Buffer overflow using computed size of canvas element Reporter Nils Impact critical Description A buffer overflow can occur when rendering canvas content while adjusting the height and width of the <canvas> element dynamically, causing data to be written outside of the currently computed boundaries. This results in a potentially exploitable crash. References * Bug 1459162 CVE-2018-12360: Use-after-free when using focus() Reporter Nils Impact critical Description A use-after-free vulnerability can occur when deleting an input element during a mutation event handler triggered by focusing that element. This results in a potentially exploitable crash. References * Bug 1459693 CVE-2018-12372: S/MIME and PGP decryption oracles can be built with HTML emails Reporter Damian Poddebniak, Christian Dresen, Jens Muller, Fabian Ising, Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jorg Schwenk Impact high Description Decrypted S/MIME parts, when included in HTML crafted for an attack, can leak plaintext when included in a a HTML reply/forward. References * Bug 1419417 CVE-2018-12373: S/MIME plaintext can be leaked through HTML reply/forward Reporter Damian Poddebniak, Christian Dresen, Jens Muller, Fabian Ising, Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jorg Schwenk Impact high Description dDecrypted S/MIME parts hidden with CSS or <plaintext> can leak plaintext when included in a HTML reply/forward. References * CVE-2018-12373 * Suppress <plaintext> in email messages CVE-2018-12362: Integer overflow in SSSE3 scaler Reporter F. Alonso (revskills) Impact high Description An integer overflow can occur during graphics operations done by the Supplemental Streaming SIMD Extensions 3 (SSSE3) scaler, resulting in a potentially exploitable crash. References * Bug 1452375 CVE-2018-12363: Use-after-free when appending DOM nodes Reporter Nils Impact high Description A use-after-free vulnerability can occur when script uses mutation events to move DOM nodes between documents, resulting in the old document that held the node being freed but the node still having a pointer referencing it. This results in a potentially exploitable crash. References * Bug 1464784 CVE-2018-12364: CSRF attacks through 307 redirects and NPAPI plugins Reporter David Black Impact high Description NPAPI plugins, such as Adobe Flash, can send non-simple cross-origin requests, bypassing CORS by making a same-origin POST that does a 307 redirect to the target site. This allows for a malicious site to engage in cross-site request forgery (CSRF) attacks. References * Bug 1436241 CVE-2018-12365: Compromised IPC child process can list local filenames Reporter Alex Gaynor Impact moderate Description A compromised IPC child process can escape the content sandbox and list the names of arbitrary files on the file system without user consent or interaction. This could result in exposure of private local files. References * Bug 1459206 CVE-2018-12366: Invalid data handling during QCMS transformations Reporter OSS-Fuzz Impact moderate Description An invalid grid size during QCMS (color profile) transformations can result in the out-of-bounds read interpreted as a float value. This could leak private data into the output. References * Bug 1464039 CVE-2018-12368: No warning when opening executable SettingContent-ms files Reporter Abdulrahman Alqabandi Impact moderate Description Windows 10 does not warn users before opening executable files with the SettingContent-ms extension even when they have been downloaded from the internet and have the "Mark of the Web." Without the warning, unsuspecting users unfamiliar with this new file type might run an unwanted executable. This also allows a WebExtension with the limited downloads.open permission to execute arbitrary code without user interaction on Windows 10 systems Note: this issue only affects Windows operating systems. Other operating systems are unaffected. References * Bug 1468217 * The Tale of SettingContent-ms Files CVE-2018-12374: Using form to exfiltrate encrypted mail part by pressing enter in form field Reporter Hanno Boeck Impact low Description Plaintext of decrypted emails can leak through by user submitting an embedded form by pressing enter key within a text input field. References * Bug 1462910 CVE-2018-5188: Memory safety bugs fixed in Firefox 60, Firefox ESR 60.1, Firefox ESR 52.9, and Thunderbird 52.9 Reporter Mozilla developers and community Impact critical Description Mozilla developers and community members Alex Gaynor, Christoph Diehl, Christian Holler, Jason Kratzer, David Major, Jon Coppeard, Nicolas B. Pierron, Jason Kratzer, Marcia Knous, and Ronald Crane reported memory safety bugs present in Firefox 60, Firefox ESR 60, Firefox ESR 52.8, and Thunderbird 52.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. " [1] MITIGATION Mozilla advises updating Thunderbird to version 52.9. [1] REFERENCES [1] Mozilla Foundation Security Advisory 2018-18 https://www.mozilla.org/en-US/security/advisories/mfsa2018-18/ AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBWzwyrGaOgq3Tt24GAQgqJA//RRg6OepgsEbJ5p1KHf/IrAEMG2/s3zWl b8SD7XABVhKWMp1fCOQBhp7cuTe/Fx2QBCH+OuZcmW1oyjox9jGOm11+17T93eJW Z0t43Sqzwu14tz8dmIMI4ahovtz8sWzPm/FUDPgEHgn3sZF4j+OZtvPWG/ebolZn s9PgXJufwnMkINTHtwfj5NBgwzaoR57B5RTZ98ujQwNTL46/0M6kubDssPEWdmLS 8BduIvyTtMqWh4rPIhf44G/2oKGN80CZEA4I0XDabD91KZ4ronXBcfxteF6F95FN CCPaeC8P5J8bIVeL5NrsUyZc7eAaLOwIMQz90r7/7olVnKSKsE7xV+NP80AhEI0z C+DGrmX5aUDiEvCijqw34zLA9BG/RDkV8g97Q1i3bts7mGe46SHFEllvh3hvjb2g Ufpljy+lfp3Nsh/XUSDlEzIAAELVwNFzvddnEvjLzYgJpEb6jdGuwzt6C9ojVJY8 F7ibrb1Djg+rWDkkOF9HXIUCHYLGzwRzgj3FsESU09BXtUkcwyWv+tjkRLLqYG4i TC9nX1YlLzv4CvHCeh5UQnGelB4DJ82D8Hb+mB9AUR8hFJn8K6rH7lGcsI74AkKV gafzKNDoywjZy6usjZCCZ6k+21Qnks01o+zguhkV5PIito0bZAsMfCrbo/Pnj1k+ a1A/G/DItUM= =9C4+ -----END PGP SIGNATURE-----