-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT Security Bulletin ASB-2018.0270.2
    Multiple vulnerabilities have been identified in Mozilla Firefox and
                               Firefox ESR
                             24 October 2018
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Mozilla Firefox
                   Mozilla Firefox ESR
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
                   Android
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Increased Privileges            -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Unauthorised Access             -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-12403 CVE-2018-12402 CVE-2018-12401 CVE-2018-12400
                   CVE-2018-12399 CVE-2018-12398 CVE-2018-12397 CVE-2018-12396
                   CVE-2018-12395 CVE-2018-12393 CVE-2018-12392 CVE-2018-12391
                   CVE-2018-12390 CVE-2018-12389 CVE-2018-12388
Member content until: Friday, November 23 2018

Revision History:  October 24 2018: Added OS tag for Android
                   October 24 2018: Initial Release

OVERVIEW

        Multiple vulnerabilities have been identified in Firefox and
        Firefox ESR prior to versions 63 and 60.3, respectively. [1,2]

IMPACT

        Mozilla have provided the following details regarding the
        vulnerabilities:

        "#CVE-2018-12391: HTTP Live Stream audio data is accessible
        cross-origin
        Reporter   Jun Kokatsu
        Impact     high
        Description
        During HTTP Live Stream playback on Firefox for Android, audio data
        can be accessed across origins in violation of security policies.
        Because the problem is in the underlying Android service, this issue
        is addressed by treating all HLS streams as cross-origin and opaque
        to access.
        Note: this issue only affects Firefox for Android. Desktop versions
        of Firefox are unaffected.
        References
        Bug 1478843" [1,2]

        "#CVE-2018-12392: Crash with nested event loops
        Reporter   Nils
        Impact     high
        Description
        When manipulating user events in nested loops while opening a
        document through script, it is possible to trigger a potentially
        exploitable crash due to poor event handling.
        References
        Bug 1492823" [1,2]

        "#CVE-2018-12393: Integer overflow during Unicode conversion while
        loading JavaScript
        Reporter   r
        Impact     high
        Description
        A potential vulnerability was found in 32-bit builds where an
        integer overflow during the conversion of scripts to an internal
        UTF-16 representation could result in allocating a buffer too small
        for the conversion. This leads to a possible out-of-bounds write.
        Note: 64-bit builds are not vulnerable to this issue.
        References
        Bug 1495011" [1,2]

        "#CVE-2018-12395: WebExtension bypass of domain restrictions through
        header rewriting
        Reporter   Rob Wu, Andrew Swan
        Impact     moderate
        Description
        By rewriting the Host request headers using the webRequest API, a
        WebExtension can bypass domain restrictions through domain fronting.
        This would allow access to domains that share a host that are
        otherwise restricted.
        References
        Bug 1467523" [1,2]

        "#CVE-2018-12396: WebExtension content scripts can execute in
        disallowed contexts
        Reporter   Rob Wu
        Impact     moderate
        Description
        A vulnerability where a WebExtension can run content scripts in
        disallowed contexts following navigation or other events. This
        allows for potential privilege escalation by the WebExtension on
        sites where content scripts should not be run.
        References
        Bug 1483602" [1,2]

        "#CVE-2018-12397:
        Reporter   Rob Wu
        Impact     moderate
        Description
        A WebExtension can request access to local files without the warning
        prompt stating that the extension will "Access your data for all
        websites" being displayed to the user. This allows extensions to run
        content scripts in local pages without permission warnings when a
        local file is opened.
        References
        Bug 1487478" [1,2]

        "#CVE-2018-12398: CSP bypass through stylesheet injection in
        resource URIs
        Reporter   cgvwzq
        Impact     moderate
        Description
        By using the reflected URL in some special resource URIs, such as
        chrome:, it is possible to inject stylesheets and bypass Content
        Security Policy (CSP).
        References
        Bug 1460538
        Bug 1488061" [1]

        "#CVE-2018-12399: Spoofing of protocol registration notification bar
        Reporter   Mathias Wu
        Impact     low
        Description
        When a new protocol handler is registered, the API accepts a title
        argument which can be used to mislead users about which domain is
        registering the new protocol. This may result in the user approving
        a protocol handler that they otherwise would not have.
        References
        Bug 1490276" [1]

        "#CVE-2018-12400: Favicons are cached in private browsing mode on
        Firefox for Android
        Reporter   Konark Modi
        Impact     low
        Description
        In private browsing mode on Firefox for Android, favicons are cached
        in the cache/icons folder as they are in non-private mode. This
        allows information leakage of sites visited during private browsing
        sessions.
        Note: this issue only affects Firefox for Android. Desktop versions
        of Firefox are unaffected.
        References
        Bug 1448305" [1]

        "#CVE-2018-12401: DOS attack through special resource URI parsing
        Reporter   Abdulrahman Alqabandi
        Impact     low
        Description
        Some special resource URIs will cause a non-exploitable crash if
        loaded with optional parameters following a '?' in the parsed
        string. This could lead to denial of service (DOS) attacks.
        References
        Bug 1422456" [1]

        "#CVE-2018-12402: SameSite cookies leak when pages are explicitly
        saved
        Reporter   1lastBr3ath
        Impact     low
        Description
        SameSite cookies are sent on cross-origin requests when the "Save
        Page As..." menu item is selected to save a page, violating cookie
        policy. This can result in saving the wrong version of resources
        based on those cookies.
        References
        Bug 1469916" [1]

        "#CVE-2018-12403: Mixed content warning is not displayed when HTTPS
        page loads a favicon over HTTP
        Reporter   Yigit Can Yilmaz
        Impact     low
        Description
        If a site is loaded over a HTTPS connection but loads a favicon
        resource over HTTP, the mixed content warning is not displayed to
        users.
        References
        Bug 1484753" [1]

        "#CVE-2018-12388: Memory safety bugs fixed in Firefox 63
        Reporter   Mozilla developers and community
        Impact     critical
        Description
        Mozilla developers and community members Christian Holler, Dana
        Keeler, Ronald Crane, Marcia Knous, Tyson Smith, Daniel Veditz, and
        Steve Fink reported memory safety bugs present in Firefox 62. Some
        of these bugs showed evidence of memory corruption and we presume
        that with enough effort some of these could be exploited to run
        arbitrary code.
        References
        Memory safety bugs fixed in Firefox 63" [1]

        "#CVE-2018-12390: Memory safety bugs fixed in Firefox 63 and Firefox
        ESR 60.3
        Reporter   Mozilla developers and community
        Impact     critical
        Description
        Mozilla developers and community members Christian Holler, Bob Owen,
        Boris Zbarsky, Calixte Denizet, Jason Kratzer, Jed Davis, Taegeon
        Lee, Philipp, Ronald Crane, Raul Gurzau, Gary Kwong, Tyson Smith,
        Raymond Forbes, and Bogdan Tara reported memory safety bugs present
        in Firefox 62 and Firefox ESR 60.2. Some of these bugs showed
        evidence of memory corruption and we presume that with enough effort
        some of these could be exploited to run arbitrary code.
        References
        Memory safety bugs fixed in Firefox 63 and Firefox ESR 60.3" [1,2]

MITIGATION

        Mozilla recommends users upgrade to the latest versions of Firefox
        and Firefox ESR to address these issues.
        [1]

REFERENCES

        [1] Mozilla Foundation Security Advisory 2018-26: Security
            vulnerabilities fixed in Firefox 63
            https://www.mozilla.org/en-US/security/advisories/mfsa2018-26/

        [2] Mozilla Foundation Security Advisory 2018-27: Security
            vulnerabilities fixed in Firefox ESR 60.3
            https://www.mozilla.org/en-US/security/advisories/mfsa2018-27/

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
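As an added illustration of the bug class behind CVE-2018-12393 in the bulletin above (this is not Mozilla's code; the 32-bit size type, the function names and the ASCII-only widening are assumptions made for the example), the unchecked size arithmetic that wraps on a 32-bit build is shown beside a checked version that refuses such sizes instead of allocating an undersized buffer:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Illustrative only, not Mozilla's code. size32_t stands in for size_t on a
 * 32-bit build so the wrap is reproducible on a 64-bit host. */
typedef uint32_t size32_t;

/* Unchecked: bytes needed for nchars UTF-16 code units. Once nchars reaches
 * 2^31 the product wraps and the allocator is handed a far-too-small size. */
static size32_t utf16_capacity_unchecked(size32_t nchars) {
    return nchars * (size32_t)sizeof(uint16_t);
}

/* Checked: same arithmetic, but returns -1 instead of wrapping. */
static int64_t utf16_capacity_checked(size32_t nchars) {
    if (nchars > UINT32_MAX / sizeof(uint16_t)) return -1;
    return (int64_t)nchars * (int64_t)sizeof(uint16_t);
}

/* True when the unchecked size is smaller than the conversion really needs,
 * i.e. the undersized-buffer condition the advisory describes. */
static bool unchecked_is_undersized(size32_t nchars) {
    uint64_t needed = (uint64_t)nchars * sizeof(uint16_t);
    return (uint64_t)utf16_capacity_unchecked(nchars) < needed;
}

/* Widen an ASCII script into UTF-16 using the checked size. Returns NULL,
 * without allocating, when the size is not representable; caller frees. */
static uint16_t *widen_ascii_checked(const char *src, size32_t nchars) {
    int64_t bytes = utf16_capacity_checked(nchars);
    if (bytes < 0) return NULL;
    uint16_t *dst = malloc((size_t)bytes);
    if (dst == NULL) return NULL;
    for (size32_t i = 0; i < nchars; i++) dst[i] = (uint8_t)src[i];
    return dst;
}

int main(void) {
    size32_t huge = 0x80000001u;  /* 2^31 + 1 code units: wraps to 2 bytes */
    printf("unchecked: %u code units -> %u bytes (undersized: %s)\n",
           (unsigned)huge, (unsigned)utf16_capacity_unchecked(huge),
           unchecked_is_undersized(huge) ? "yes" : "no");
    printf("checked:   %lld\n", (long long)utf16_capacity_checked(huge));
    return 0;
}
```

The same guard applies to any length-times-element-size computation feeding an allocator; on a 64-bit build the product does not wrap for realistic script sizes, which is why the advisory scopes the issue to 32-bit builds.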