-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2018.0224
         Multiple vulnerabilities have been identified in Mozilla
                          Firefox and Firefox ESR
                             24 September 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Mozilla Firefox
                      Mozilla Firefox ESR
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Denial of Service -- Existing Account
                      Reduced Security  -- Existing Account
Resolution:           Patch/Upgrade
CVE Names:            CVE-2018-12385 CVE-2018-12383 
Member content until: Wednesday, October 24 2018

OVERVIEW

        Multiple vulnerabilities have been identified in Mozilla Firefox 
        prior to version 62.0.2 and Mozilla Firefox ESR prior to version 
        60.2.1. [1-2]


IMPACT

        Mozilla has provided the following information about the 
        vulnerabilities:
        
        "#CVE-2018-12385: Crash in TransportSecurityInfo due to cached data
        
        Reporter
            Philipp
        Impact
            moderate
        
        Description
        
        A potentially exploitable crash in TransportSecurityInfo used for SSL 
        can be triggered by data stored in the local cache in the user profile
        directory. This issue is only exploitable in combination with another
        vulnerability allowing an attacker to write data into the local cache
        or from locally installed malware. This issue also triggers a
        non-exploitable startup crash for users switching between the Nightly
        and Release versions of Firefox if the same profile is used.
        
        References
        
            Bug 1490585
        
        #CVE-2018-12383: Setting a master password post-Firefox 58 does not
        delete unencrypted previously stored passwords
        
        Reporter
            Jurgen Gaeremyn
        Impact
            low
        
        Description
        
        If a user saved passwords before Firefox 58 and then later set a master
        password, an unencrypted copy of these passwords is still accessible.
        This is because the older stored password file was not deleted when the
        data was copied to a new format starting in Firefox 58. The new master
        password is added only on the new file. This could allow the exposure
        of stored password data outside of user expectations." [1-2]
        
        Of the two advisories cited here, CVE-2018-12383 is listed only in the
        Firefox ESR 60.2.1 advisory [2].


MITIGATION

        Users are advised to update to Firefox version 62.0.2 or Firefox ESR
        version 60.2.1 to address these issues. [1-2]
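        The following triage helper is an added example and is not part of
        this bulletin, nor Mozilla's code. It applies the two checks a
        practitioner would run across a fleet after reading the bulletin:
        whether an installed Firefox or Firefox ESR is at or past the fixed
        versions given above (62.0.2 release, 60.2.1 ESR), and whether a
        profile migrated from a pre-58 release still carries the older,
        unencrypted credential database beside the new one (the
        CVE-2018-12383 condition). The file names key3.db (old) and key4.db
        (new) are an assumption of this example; the bulletin does not name
        the files. The profile directories and their contents are
        constructed in a temporary directory for the demonstration.

```python
"""Triage helper for ASB-2018.0224 (MFSA 2018-22 / 2018-23).

Added example; not the bulletin's or Mozilla's own code.
"""
import os
import re
import tempfile
from typing import Optional, Tuple

# Fixed versions named in the bulletin.
FIXED_RELEASE = (62, 0, 2)   # Firefox 62.0.2
FIXED_ESR = (60, 2, 1)       # Firefox ESR 60.2.1

# Accepts "62.0.2", "60.2.1esr", "60.2esr", "63.0".
_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(esr)?$")


def parse_version(s: str) -> Tuple[Tuple[int, int, int], bool]:
    """Parse a Firefox version string into ((major, minor, patch), is_esr).

    A missing patch component is treated as 0, so "60.2esr" sorts below
    "60.2.1esr" as it should.
    """
    m = _VER_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Firefox version string: {s!r}")
    major, minor, patch, esr = m.groups()
    return (int(major), int(minor), int(patch or 0)), esr is not None


def is_fixed_version(version: str, channel: str = "release") -> bool:
    """True if the build is at or past the fixed version for its channel.

    ESR is detected from an "esr" suffix on the version string or from an
    explicit channel="esr" (application.ini's Version field carries no
    suffix; the channel lives in channel-prefs.js on a real install).
    """
    ver, suffix_esr = parse_version(version)
    if suffix_esr or channel.lower() == "esr":
        return ver >= FIXED_ESR
    return ver >= FIXED_RELEASE


def find_stale_key_db(profile_dir: str) -> Optional[str]:
    """Return the path of the leftover pre-58 key database, or None.

    Assumption (not from the bulletin): the pre-58 database is key3.db and
    the post-58 one is key4.db. Only the coexistence of both is reported;
    a profile with key3.db alone was never migrated and a profile with
    key4.db alone is clean.
    """
    old = os.path.join(profile_dir, "key3.db")
    new = os.path.join(profile_dir, "key4.db")
    if os.path.isfile(old) and os.path.isfile(new):
        return old
    return None


def demo_profile_check() -> Tuple[Optional[str], Optional[str]]:
    """Run find_stale_key_db over two constructed profiles (no real data).

    Returns (basename of the stale file in the migrated profile or None,
    result for the clean profile), i.e. ("key3.db", None) when the check
    behaves as intended.
    """
    with tempfile.TemporaryDirectory() as root:
        migrated = os.path.join(root, "abcd1234.default")
        clean = os.path.join(root, "efgh5678.clean")
        os.makedirs(migrated)
        os.makedirs(clean)
        # Constructed: a profile migrated from pre-58 keeps both databases.
        for name in ("key3.db", "key4.db", "logins.json"):
            open(os.path.join(migrated, name), "wb").close()
        # Constructed: a profile created on 58+ (or already cleaned up).
        for name in ("key4.db", "logins.json"):
            open(os.path.join(clean, name), "wb").close()
        stale = find_stale_key_db(migrated)
        return (os.path.basename(stale) if stale else None,
                find_stale_key_db(clean))


if __name__ == "__main__":
    for v, ch in (("62.0.1", "release"), ("62.0.2", "release"),
                  ("60.2esr", "esr"), ("60.2.1", "esr")):
        print(f"{v:>9} ({ch}): {'fixed' if is_fixed_version(v, ch) else 'UPDATE'}")
    print("stale key db in constructed profiles:", demo_profile_check())
```

        The version check decides only whether the build is at the fixed
        level; the profile check is the part that matters for
        CVE-2018-12383, because a user who updated but never set a master
        password, or set one before updating, may still have the old
        database on disk until the fixed build removes it.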


REFERENCES

        [1] Mozilla Foundation Security Advisory 2018-22
            https://www.mozilla.org/en-US/security/advisories/mfsa2018-22/

        [2] Mozilla Foundation Security Advisory 2018-23
            https://www.mozilla.org/en-US/security/advisories/mfsa2018-23/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----