===========================================================================
                         AUSCERT Security Bulletin

                              ASB-2018.0270.2
         Multiple vulnerabilities have been identified in Mozilla
                          Firefox and Firefox ESR
                              24 October 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Mozilla Firefox
                      Mozilla Firefox ESR
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
                      Android
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Increased Privileges            -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Unauthorised Access             -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2018-12403 CVE-2018-12402 CVE-2018-12401
                      CVE-2018-12400 CVE-2018-12399 CVE-2018-12398
                      CVE-2018-12397 CVE-2018-12396 CVE-2018-12395
                      CVE-2018-12393 CVE-2018-12392 CVE-2018-12391
                      CVE-2018-12390 CVE-2018-12389 CVE-2018-12388
Member content until: Friday, November 23 2018

Revision History:     October 24 2018: Added OS tag for Android
                      October 24 2018: Initial Release

OVERVIEW

        Multiple vulnerabilities have been identified in Firefox and Firefox
        ESR prior to versions 63 and 60.3, respectively. [1,2]


IMPACT

        Mozilla have provided the following details regarding the 
        vulnerabilities:
        
        "#CVE-2018-12391: HTTP Live Stream audio data is accessible 
        cross-origin
        
        Reporter
        
        Jun Kokatsu
        
        Impact
        
        high
        
        Description
        
        During HTTP Live Stream playback on Firefox for Android, audio data
        can be accessed across origins in violation of security policies. 
        Because the problem is in the underlying Android service, this issue
        is addressed by treating all HLS streams as cross-origin and opaque
        to access.
        
        Note: this issue only affects Firefox for Android. Desktop versions
        of Firefox are unaffected.
        
        References
        
        Bug 1478843" [1,2]
        
        "#CVE-2018-12392: Crash with nested event loops
        
        Reporter
        
        Nils
        
        Impact
        
        high
        
        Description
        
        When manipulating user events in nested loops while opening a 
        document through script, it is possible to trigger a potentially 
        exploitable crash due to poor event handling.
        
        References
        
        Bug 1492823" [1,2]
        
        "#CVE-2018-12393: Integer overflow during Unicode conversion while 
        loading JavaScript
        
        Reporter
        
        r
        
        Impact
        
        high
        
        Description
        
        A potential vulnerability was found in 32-bit builds where an 
        integer overflow during the conversion of scripts to an internal 
        UTF-16 representation could result in allocating a buffer too small
        for the conversion. This leads to a possible out-of-bounds write.
        
        Note: 64-bit builds are not vulnerable to this issue.
        
        References
        
        Bug 1495011" [1,2]
        
        "#CVE-2018-12395: WebExtension bypass of domain restrictions through
        header rewriting
        
        Reporter
        
        Rob Wu, Andrew Swan
        
        Impact
        
        moderate
        
        Description
        
        By rewriting the Host request headers using the webRequest API, a 
        WebExtension can bypass domain restrictions through domain fronting.
        This would allow access to domains that share a host that are 
        otherwise restricted.
        
        References
        
        Bug 1467523" [1,2]
        
        "#CVE-2018-12396: WebExtension content scripts can execute in 
        disallowed contexts
        
        Reporter
        
        Rob Wu
        
        Impact
        
        moderate
        
        Description
        
        A vulnerability where a WebExtension can run content scripts in 
        disallowed contexts following navigation or other events. This 
        allows for potential privilege escalation by the WebExtension on 
        sites where content scripts should not be run.
        
        References
        
        Bug 1483602" [1,2]
        
        "#CVE-2018-12397:
        
        Reporter
        
        Rob Wu
        
        Impact
        
        moderate
        
        Description
        
        A WebExtension can request access to local files without the warning
        prompt stating that the extension will "Access your data for all 
        websites" being displayed to the user. This allows extensions to run
        content scripts in local pages without permission warnings when a 
        local file is opened.
        
        References
        
        Bug 1487478" [1,2]
        
        "#CVE-2018-12398: CSP bypass through stylesheet injection in resource
        URIs
        
        Reporter
        
        cgvwzq
        
        Impact
        
        moderate
        
        Description
        
        By using the reflected URL in some special resource URIs, such as 
        chrome:, it is possible to inject stylesheets and bypass Content 
        Security Policy (CSP).
        
        References
        
        Bug 1460538
        
        Bug 1488061" [1]
        
        "#CVE-2018-12399: Spoofing of protocol registration notification bar
        
        Reporter
        
        Mathias Wu
        
        Impact
        
        low
        
        Description
        
        When a new protocol handler is registered, the API accepts a title 
        argument which can be used to mislead users about which domain is 
        registering the new protocol. This may result in the user approving
        a protocol handler that they otherwise would not have.
        
        References
        
        Bug 1490276" [1]
        
        "#CVE-2018-12400: Favicons are cached in private browsing mode on 
        Firefox for Android
        
        Reporter
        
        Konark Modi
        
        Impact
        
        low
        
        Description
        
        In private browsing mode on Firefox for Android, favicons are cached
        in the cache/icons folder as they are in non-private mode. This 
        allows information leakage of sites visited during private browsing
        sessions.
        
        Note: this issue only affects Firefox for Android. Desktop versions
        of Firefox are unaffected.
        
        References
        
        Bug 1448305" [1]
        
        "#CVE-2018-12401: DOS attack through special resource URI parsing
        
        Reporter
        
        Abdulrahman Alqabandi
        
        Impact
        
        low
        
        Description
        
        Some special resource URIs will cause a non-exploitable crash if 
        loaded with optional parameters following a '?' in the parsed 
        string. This could lead to denial of service (DOS) attacks.
        
        References
        
        Bug 1422456" [1]
        
        "#CVE-2018-12402: SameSite cookies leak when pages are explicitly 
        saved
        
        Reporter
        
        1lastBr3ath
        
        Impact
        
        low
        
        Description
        
        SameSite cookies are sent on cross-origin requests when the "Save 
        Page As..." menu item is selected to save a page, violating cookie 
        policy. This can result in saving the wrong version of resources 
        based on those cookies.
        
        References
        
        Bug 1469916" [1]
        
        "#CVE-2018-12403: Mixed content warning is not displayed when HTTPS 
        page loads a favicon over HTTP
        
        Reporter
        
        Yigit Can Yilmaz
        
        Impact
        
        low
        
        Description
        
        If a site is loaded over an HTTPS connection but loads a favicon 
        resource over HTTP, the mixed content warning is not displayed to 
        users.
        
        References
        
        Bug 1484753" [1]
        
        "#CVE-2018-12388: Memory safety bugs fixed in Firefox 63
        
        Reporter
        
        Mozilla developers and community
        
        Impact
        
        critical
        
        Description
        
        Mozilla developers and community members Christian Holler, Dana 
        Keeler, Ronald Crane, Marcia Knous, Tyson Smith, Daniel Veditz, and
        Steve Fink reported memory safety bugs present in Firefox 62. Some 
        of these bugs showed evidence of memory corruption and we presume 
        that with enough effort some of these could be exploited to run
        arbitrary code.
        
        References
        
        Memory safety bugs fixed in Firefox 63" [1]
        
        "#CVE-2018-12390: Memory safety bugs fixed in Firefox 63 and Firefox
        ESR 60.3
        
        Reporter
        
        Mozilla developers and community
        
        Impact
        
        critical
        
        Description
        
        Mozilla developers and community members Christian Holler, Bob Owen,
        Boris Zbarsky, Calixte Denizet, Jason Kratzer, Jed Davis, Taegeon 
        Lee, Philipp, Ronald Crane, Raul Gurzau, Gary Kwong, Tyson Smith, 
        Raymond Forbes, and Bogdan Tara reported memory safety bugs present
        in Firefox 62 and Firefox ESR 60.2. Some of these bugs showed 
        evidence of memory corruption and we presume that with enough effort
        some of these could be exploited to run arbitrary code.
        
        References
        
        Memory safety bugs fixed in Firefox 63 and Firefox ESR 60.3" [1,2]


MITIGATION

        Mozilla recommends users upgrade to the latest versions of Firefox 
        and Firefox ESR to address these issues. [1]
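
        The recommendation above is a version threshold, so as an added
        example (not AusCERT's or Mozilla's code) the following Python check
        compares inventoried Firefox version strings against the two fixed
        versions this bulletin names, 63 and ESR 60.3; the inventory values
        and host names are constructed.

```python
# Added example (not AusCERT's or Mozilla's code): flag Firefox builds that
# predate the fixed versions this bulletin names, 63 and ESR 60.3.
import re

FIXED_RELEASE = (63, 0, 0)  # Firefox 63 (MFSA 2018-26)
FIXED_ESR = (60, 3, 0)      # Firefox ESR 60.3 (MFSA 2018-27)

# major[.minor[.patch]] plus optional suffix such as "esr" or "b3" (beta).
_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?([a-z]+\d*)?$")


def parse_version(version: str):
    """Return ((major, minor, patch), is_esr) for '62.0.3', '60.2.2esr', ..."""
    m = _VERSION_RE.match(version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised Firefox version: {version!r}")
    major, minor, patch, suffix = m.groups()
    nums = (int(major), int(minor or 0), int(patch or 0))
    return nums, (suffix or "").startswith("esr")


def is_affected(version: str) -> bool:
    """True if the build predates the fix: ESR builds are measured against
    60.3, everything else against 63. Pre-release suffixes are ignored."""
    nums, esr = parse_version(version)
    return nums < (FIXED_ESR if esr else FIXED_RELEASE)


def triage(inventory: dict) -> dict:
    """Map host -> 'affected' | 'fixed' | 'unparseable' for an inventory."""
    result = {}
    for host, ver in inventory.items():
        try:
            result[host] = "affected" if is_affected(ver) else "fixed"
        except ValueError:
            result[host] = "unparseable"
    return result


if __name__ == "__main__":
    sample = {  # constructed sample inventory, not real hosts
        "ws-01": "62.0.3",
        "ws-02": "63.0",
        "srv-01": "60.2.2esr",
        "srv-02": "60.3.0esr",
        "ws-03": "unknown",
    }
    for host, state in triage(sample).items():
        print(f"{host}: {state}")
```

        Any ESR build older than the 60 branch is also reported as affected,
        since it never received the 60.3 fix.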


REFERENCES

        [1] Mozilla Foundation Security Advisory 2018-26: Security
            vulnerabilities fixed in Firefox 63
            https://www.mozilla.org/en-US/security/advisories/mfsa2018-26/

        [2] Mozilla Foundation Security Advisory 2018-27: Security
            vulnerabilities fixed in Firefox ESR 60.3
            https://www.mozilla.org/en-US/security/advisories/mfsa2018-27/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================