-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                                ASB-2019.0055
   Multiple vulnerabilities have been identified in Mozilla Firefox and
                                 Firefox ESR
                              13 February 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Mozilla Firefox
                      Mozilla Firefox ESR
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Access Confidential Data        -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2019-5785 CVE-2018-18511 CVE-2018-18356
Member content until: Friday, March 15 2019

OVERVIEW

        Multiple vulnerabilities have been identified in Mozilla Firefox
        prior to version 65.0.1 [1], and Firefox ESR prior to version
        60.5.1 [2].

IMPACT

        Mozilla has given the following information regarding these
        vulnerabilities:

        "# CVE-2018-18356: Use-after-free in Skia

        Reporter     Tran Tien Hung of Viettel Cyber Security
        Impact       high

        Description
        A use-after-free vulnerability in the Skia library can occur when
        creating a path, leading to a potentially exploitable crash.

        References
        o Bug 1525817

        # CVE-2019-5785: Integer overflow in Skia

        Reporter     Ivan Fratric of Google Project Zero
        Impact       high

        Description
        An integer overflow vulnerability in the Skia library can occur
        after specific transform operations, leading to a potentially
        exploitable crash.

        References
        o Bug 1525433
        o The Curious Case of Convexity Confusion

        # CVE-2018-18511: Cross-origin theft of images with
          ImageBitmapRenderingContext

        Reporter     AaylaSecura1138
        Impact       high

        Description
        Cross-origin images can be read from a canvas element in violation
        of the same-origin policy using the transferFromImageBitmap method.
        Note: This only affects Firefox 65. Previous versions are
        unaffected.

        References
        o Bug 1526218" [1]

MITIGATION

        Mozilla recommends upgrading Firefox and Firefox ESR to the latest
        versions.

REFERENCES

        [1] Mozilla Foundation Security Advisory 2019-04
            https://www.mozilla.org/en-US/security/advisories/mfsa2019-04/

        [2] Mozilla Foundation Security Advisory 2019-05
            https://www.mozilla.org/en-US/security/advisories/mfsa2019-05/

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
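A fleet-check helper, added here as an example and not part of the AusCERT bulletin or Mozilla's advisories: it maps a Firefox version string to the CVEs from this bulletin that still apply, using the fixed versions stated above (65.0.1 release, 60.5.1 ESR) and the note that CVE-2018-18511 affects Firefox 65 only. The `firefox --version` output format and the sample host names are assumptions.

```python
import re
from typing import FrozenSet, NamedTuple, Tuple

# Fixed versions and CVE identifiers are taken from the bulletin above.
FIXED_RELEASE = (65, 0, 1)  # Firefox 65.0.1
FIXED_ESR = (60, 5, 1)      # Firefox ESR 60.5.1
SKIA_CVES = frozenset({"CVE-2018-18356", "CVE-2019-5785"})
CANVAS_CVE = "CVE-2018-18511"  # affects Firefox 65 only, per the bulletin
_VERSION_RE = re.compile(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?")


class FirefoxVersion(NamedTuple):
    numbers: Tuple[int, int, int]
    esr: bool


def parse_version(text: str) -> FirefoxVersion:
    """Parse e.g. "Mozilla Firefox 60.5.1esr" or "65.0" (assumed to be
    `firefox --version` output). Missing minor/patch components count as 0;
    an "esr" token anywhere marks the ESR channel, so a bare "60.5.0" is
    treated as an old release-channel build, not ESR."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    numbers = tuple(int(g) if g is not None else 0 for g in m.groups())
    return FirefoxVersion(numbers, "esr" in text.lower())


def exposed_cves(text: str) -> FrozenSet[str]:
    """Return the bulletin's CVEs that still apply to the given version:
    release builds below 65.0.1 and ESR builds below 60.5.1 carry the two
    Skia issues; the ImageBitmapRenderingContext issue applies only to
    unpatched Firefox 65, so older releases and ESR do not get it."""
    v = parse_version(text)
    fixed = FIXED_ESR if v.esr else FIXED_RELEASE
    if v.numbers >= fixed:
        return frozenset()
    cves = set(SKIA_CVES)
    if not v.esr and v.numbers[0] == 65:
        cves.add(CANVAS_CVE)
    return frozenset(cves)


if __name__ == "__main__":
    # Constructed sample inventory: host -> `firefox --version` output.
    inventory = {"ws-01": "Mozilla Firefox 65.0", "ws-02": "Mozilla Firefox 65.0.1",
                 "srv-03": "Mozilla Firefox 60.5.0esr", "ws-05": "Mozilla Firefox 64.0.2"}
    for host, version in inventory.items():
        missing = sorted(exposed_cves(version))
        print(f"{host}: {version} -> {'UPGRADE: ' + ', '.join(missing) if missing else 'OK'}")
```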