===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2018.0206
               Security vulnerabilities fixed in Firefox 62
                             6 September 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Mozilla Firefox
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
                      BSD variants
                      Mobile Device
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Provide Misleading Information  -- Remote with User Interaction
                      Unauthorised Access             -- Remote with User Interaction
                      Reduced Security                -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2018-12383 CVE-2018-12382 CVE-2018-12381
                      CVE-2018-12379 CVE-2018-12378 CVE-2018-12377
                      CVE-2018-12376 CVE-2018-12375 CVE-2017-16541
Member content until: Saturday, October  6 2018

OVERVIEW

        Multiple vulnerabilities have been identified in Mozilla Firefox
        prior to version 62. One of these vulnerabilities has been classified
        as critical. [1]


IMPACT

        The vendor has provided the following details regarding the 
        vulnerabilities:
        
        #CVE-2018-12377: Use-after-free in refresh driver timers
        
        Reporter: Nils
        Impact: high
        
        Description: A use-after-free vulnerability can occur when refresh 
        driver timers are refreshed in some circumstances during shutdown when 
        the timer is deleted while still in use. This results in a potentially 
        exploitable crash.
        
        References: Bug 1470260
        
        #CVE-2018-12378: Use-after-free in IndexedDB
        
        Reporter: Zhanjia Song
        Impact: high
        
        Description:
        A use-after-free vulnerability can occur when an IndexedDB index is 
        deleted while still in use by JavaScript code that is providing payload 
        values to be stored. This results in a potentially exploitable crash.
        
        References: Bug 1459383
        
        #CVE-2018-12379: Out-of-bounds write with malicious MAR file
        
        Reporter: Holger Fuhrmannek
        Impact: moderate
        
        Description:
        When the Mozilla Updater opens a MAR format file which contains a very 
        long item filename, an out-of-bounds write can be triggered, leading to 
        a potentially exploitable crash. This requires running the Mozilla 
        Updater manually on the local system with the malicious MAR file in 
        order to occur.
        
        References: Bug 1473113
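
        Added example (not part of the vendor advisory or Mozilla's code): a
        bounds-checked parser for one archive index entry, showing the length
        validation that stops an overlong item filename from being written
        past a fixed buffer. The entry layout, ITEM_NAME_CAP and all function
        names are assumptions made for illustration, not the actual MAR
        format or updater source.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ITEM_NAME_CAP 64  /* assumed destination buffer size */
#define ENTRY_HDR     12  /* assumed header: offset, length, flags (4 bytes each) */
struct item { uint32_t offset, length, flags; char name[ITEM_NAME_CAP]; };

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Parse one entry from buf[0..len); returns bytes consumed, or 0 if malformed. */
size_t parse_entry(const unsigned char *buf, size_t len, struct item *out)
{
    if (len <= ENTRY_HDR) return 0;            /* no room for a name */
    const unsigned char *name = buf + ENTRY_HDR;
    const unsigned char *nul = memchr(name, 0, len - ENTRY_HDR);
    if (nul == NULL) return 0;                 /* name runs off the end of the index */
    size_t nlen = (size_t)(nul - name);
    if (nlen == 0 || nlen >= sizeof out->name)
        return 0;                              /* empty, or would overflow out->name */
    out->offset = be32(buf);
    out->length = be32(buf + 4);
    out->flags  = be32(buf + 8);
    memcpy(out->name, name, nlen + 1);         /* length proven to fit, NUL included */
    return ENTRY_HDR + nlen + 1;
}

/* Build a constructed sample entry whose name is nlen 'A' bytes. */
size_t make_entry(unsigned char *dst, size_t cap, size_t nlen, int terminate)
{
    size_t need = ENTRY_HDR + nlen + (terminate ? 1 : 0);
    if (need > cap) return 0;
    memset(dst, 0, ENTRY_HDR);
    dst[3] = 0x20; dst[7] = 0x10;              /* offset 32, length 16 */
    memset(dst + ENTRY_HDR, 'A', nlen);
    if (terminate) dst[ENTRY_HDR + nlen] = 0;
    return need;
}

int main(void)
{
    unsigned char buf[512]; struct item it;
    size_t n = make_entry(buf, sizeof buf, 300, 1);   /* oversized name */
    printf("300-byte name: %s\n", parse_entry(buf, n, &it) ? "accepted" : "rejected");
    return 0;
}
```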
        
        #CVE-2017-16541: Proxy bypass using automount and autofs
        
        Reporter: Filippo Cavallarin
        Impact: moderate
        
        Description:
        Browser proxy settings can be bypassed by using the automount feature 
        with autofs to create a mount point on the local file system. Content 
        can be loaded from this mounted file system directly using a file: URI, 
        bypassing configured proxy settings.
        Note: this issue only affects OS X in default configurations. On Linux 
        systems, autofs must be installed for the vulnerability to occur and 
        Windows is not affected.
        
        References: Bug 1412081
        
        #CVE-2018-12381: Dragging and dropping Outlook email message results 
        in page navigation
        
        Reporter: Jana Squires
        Impact: low
        
        Description:
        Manually dragging and dropping an Outlook email message into the 
        browser will trigger a page navigation when the message's mail 
        columns are incorrectly interpreted as a URL.
        Note: this issue only affects Windows operating systems with Outlook 
        installed. Other operating systems are not affected.
        
        References: Bug 1435319
        
        #CVE-2018-12382: Addressbar spoofing with javascript URI on Firefox 
        for Android
        
        Reporter: Jordi Chancel
        Impact: low
        
        Description:
        The displayed addressbar URL can be spoofed on Firefox for Android 
        using a javascript: URI in concert with JavaScript to insert text 
        before the loaded domain name, scrolling the loaded domain out of 
        view to the right. This can lead to user confusion.
        This vulnerability only affects Firefox for Android.
        
        References: Bug 1479311
        
        #CVE-2018-12383: Setting a master password post-Firefox 58 does not 
        delete unencrypted previously stored passwords
        
        Reporter: Jurgen Gaeremyn
        Impact: low
        
        Description:
        If a user saved passwords before Firefox 58 and then later set a 
        master password, an unencrypted copy of these passwords is still 
        accessible. This is because the older stored password file was not 
        deleted when the data was copied to a new format starting in Firefox 
        58. The new master password is added only on the new file. This could 
        allow the exposure of stored password data outside of user expectations.
        
        References: Bug 1475775
        
        #CVE-2018-12375: Memory safety bugs fixed in Firefox 62
        
        Reporter: Mozilla developers and community
        Impact: high
        
        Description:
        Mozilla developers and community members Christian Holler, Looben 
        Yang, Jesse Ruderman, Sebastian Hengst, Nicolas Grunbaum, and Gary 
        Kwong reported memory safety bugs present in Firefox 61. Some of 
        these bugs showed evidence of memory corruption and we presume that 
        with enough effort some of these could be exploited to run 
        arbitrary code.
        
        References: Memory safety bugs fixed in Firefox 62
        
        #CVE-2018-12376: Memory safety bugs fixed in Firefox 62 and Firefox 
        ESR 60.2
        
        Reporter: Mozilla developers and community
        Impact: critical
        
        Description:
        Mozilla developers and community members Alex Gaynor, Boris Zbarsky, 
        Christoph Diehl, Christian Holler, Jason Kratzer, Jed Davis, Tyson 
        Smith, Bogdan Tara, Karl Tomlinson, Mats Palmgren, Nika Layzell, Ted 
        Campbell, and Andrei Cristian Petcu reported memory safety bugs present 
        in Firefox 61 and Firefox ESR 60.1. Some of these bugs showed evidence 
        of memory corruption and we presume that with enough effort some of 
        these could be exploited to run arbitrary code.


MITIGATION

        The vendor recommends upgrading to the latest version of Mozilla 
        Firefox to address these issues. [1]


REFERENCES

        [1] Mozilla Foundation Security Advisory 2018-20
            https://www.mozilla.org/en-US/security/advisories/mfsa2018-20/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================