===========================================================================
             AUSCERT Security Bulletin

                           ASB-2019.0082
   Security vulnerabilities fixed in Firefox 66 and Firefox ESR 60.6
                             20 March 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Mozilla Firefox
                   Mozilla Firefox ESR
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Access Privileged Data           -- Remote with User Interaction
                   Create Arbitrary Files           -- Remote with User Interaction
                   Denial of Service                -- Remote with User Interaction
                   Provide Misleading Information   -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-9809 CVE-2019-9808 CVE-2019-9807 CVE-2019-9806
                   CVE-2019-9805 CVE-2019-9804 CVE-2019-9803 CVE-2019-9802
                   CVE-2019-9801 CVE-2019-9799 CVE-2019-9798 CVE-2019-9797
                   CVE-2019-9796 CVE-2019-9795 CVE-2019-9794 CVE-2019-9793
                   CVE-2019-9792 CVE-2019-9791 CVE-2019-9790 CVE-2019-9789
                   CVE-2019-9788 CVE-2018-18506
Member content until: Friday, April 19 2019

OVERVIEW

        Several vulnerabilities have been identified in Mozilla Firefox prior
        to version 66.0 [1], and Firefox ESR prior to version 60.6. [2]


IMPACT

        Mozilla has given the following information regarding these
        vulnerabilities:

        "# CVE-2019-9790: Use-after-free when removing in-use DOM elements

        Reporter
            Brandon Wieser
        Impact
            critical

        Description

        A use-after-free vulnerability can occur when a raw pointer to a DOM
        element on a page is obtained using JavaScript and the element is
        then removed while still in use. This results in a potentially
        exploitable crash.

        References
            o Bug 1525145" [1] [2]

        "# CVE-2019-9791: Type inference is incorrect for constructors entered
        through on-stack replacement with IonMonkey

        Reporter
            Samuel Gross of Google Project Zero
        Impact
            critical

        Description

        The type inference system allows the compilation of functions that
        can cause type confusions between arbitrary objects when compiled
        through the IonMonkey just-in-time (JIT) compiler and when the
        constructor function is entered through on-stack replacement (OSR).
        This allows for possible arbitrary reading and writing of objects
        during an exploitable crash.

        References
            o Bug 1530958" [1] [2]

        "# CVE-2019-9792: IonMonkey leaks JS_OPTIMIZED_OUT magic value to
        script

        Reporter
            Samuel Gross of Google Project Zero
        Impact
            critical

        Description

        The IonMonkey just-in-time (JIT) compiler can leak an internal
        JS_OPTIMIZED_OUT magic value to the running script during a bailout.
        This magic value can then be used by JavaScript to achieve memory
        corruption, which results in a potentially exploitable crash.

        References
            o Bug 1532599" [1] [2]

        "# CVE-2019-9793: Improper bounds checks when Spectre mitigations are
        disabled

        Reporter
            Bruno Keith & Niklas Baumstark from the phoenhex team
        Impact
            high

        Description

        A mechanism was discovered that removes some bounds checking for
        string, array, or typed array accesses if Spectre mitigations have
        been disabled. This vulnerability could allow an attacker to create
        an arbitrary value in compiled JavaScript, for which the range
        analysis will infer a fully controlled, incorrect range in
        circumstances where users have explicitly disabled Spectre
        mitigations.
        Note: Spectre mitigations are currently enabled for all users by
        default settings.

        References
            o Bug 1528829" [1] [2]

        "# CVE-2019-9794: Command line arguments not discarded during
        execution

        Reporter
            Joshua Graham
        Impact
            high

        Description

        A vulnerability was discovered where specific command line arguments
        are not properly discarded during Firefox invocation as a shell
        handler for URLs. This could be used to retrieve and execute files
        whose location is supplied through these command line arguments if
        Firefox is configured as the default URI handler for a given URI
        scheme in third party applications and these applications
        insufficiently sanitize URL data.
        Note: This issue only affects Windows operating systems. Other
        operating systems are unaffected.

        References
            o Bug 1530103" [1] [2]

        "# CVE-2019-9795: Type-confusion in IonMonkey JIT compiler

        Reporter
            Nils
        Impact
            high

        Description

        A vulnerability where type-confusion in the IonMonkey just-in-time
        (JIT) compiler could potentially be used by malicious JavaScript to
        trigger a potentially exploitable crash.

        References
            o Bug 1514682" [1] [2]

        "# CVE-2019-9796: Use-after-free with SMIL animation controller

        Reporter
            Nils
        Impact
            high

        Description

        A use-after-free vulnerability can occur when the SMIL animation
        controller incorrectly registers with the refresh driver twice when
        only a single registration is expected. When a registration is later
        freed with the removal of the animation controller element, the
        refresh driver incorrectly leaves a dangling pointer to the driver's
        observer array.

        References
            o Bug 1531277" [1] [2]

        "# CVE-2019-9797: Cross-origin theft of images with createImageBitmap

        Reporter
            AaylaSecura1138
        Impact
            high

        Description

        Cross-origin images can be read in violation of the same-origin
        policy by exporting an image after using createImageBitmap to read
        the image and then rendering the resulting bitmap image within a
        canvas element.

        References
            o Bug 1528909" [1]

        "# CVE-2019-9798: Library is loaded from world writable APITRACE_LIB
        location

        Reporter
            Jeff Gilbert
        Impact
            high

        Description

        On Android systems, Firefox can load a library from APITRACE_LIB ,
        which is writable by all users and applications. This could allow
        malicious third party applications to execute a man-in-the-middle
        attack if a malicious code was written to that location and loaded.
        Note: This issue only affects Android. Other operating systems are
        unaffected.

        References
            o Bug 1527534

        # CVE-2019-9799: Information disclosure via IPC channel messages

        Reporter
            Paul Theriault
        Impact
            high

        Description

        Insufficient bounds checking of data during inter-process
        communication might allow a compromised content process to be able
        to read memory from the parent process under certain conditions.

        References
            o Bug 1505678" [1]

        "# CVE-2019-9801: Windows programs that are not 'URL Handlers' are
        exposed to web content

        Reporter
            Daniel Veditz
        Impact
            moderate

        Description

        Firefox will accept any registered Program ID as an external protocol
        handler and offer to launch this local application when given a
        matching URL on Windows operating systems. This should only happen if
        the program has specifically registered itself as a "URL Handler" in
        the Windows registry.
        Note: This issue only affects Windows operating systems. Other
        operating systems are unaffected.

        References
            o Bug 1527717" [1] [2]

        "# CVE-2019-9802: Chrome process information leak

        Reporter
            Stephen Fewer
        Impact
            moderate

        Description

        If a Sandbox content process is compromised, it can initiate an FTP
        download which will then use a child process to render the
        downloaded data. The downloaded data can then be passed to the Chrome
        process with an arbitrary file length supplied by an attacker,
        bypassing sandbox protections and allow for a potential memory read
        of adjacent data from the privileged Chrome process, which may
        include sensitive data.

        References
            o Bug 1415508" [1]

        "# CVE-2019-9803: Upgrade-Insecure-Requests incorrectly enforced for
        same-origin navigation

        Reporter
            Xiaoyin Liu, Vinothkumar Nagasayanan
        Impact
            moderate

        Description

        The Upgrade-Insecure-Requests (UIR) specification states that if UIR
        is enabled through Content Security Policy (CSP), navigation to a
        same-origin URL must be upgraded to HTTPS. Firefox will incorrectly
        navigate to an HTTP URL rather than perform the security upgrade
        requested by the CSP in some circumstances, allowing for potential
        man-in-the-middle attacks on the linked resources.

        References
            o Bug 1515863
            o Bug 1437009
            o 'Upgrade Insecure Requests' specification" [1]

        "# CVE-2019-9804: Code execution through 'Copy as cURL' in Firefox
        Developer Tools on macOS

        Reporter
            potatoe
        Impact
            moderate

        Description

        In Firefox Developer Tools it is possible that pasting the result of
        the 'Copy as cURL' command into a command shell on macOS will cause
        the execution of unintended additional bash script commands if the
        URL was maliciously crafted. This is the result of an issue with the
        native version of Bash on macOS.
        Note: This issue only affects macOS. Other operating systems are
        unaffected.

        References
            o Bug 1518026" [1]

        "# CVE-2019-9805: Potential use of uninitialized memory in Prio

        Reporter
            mlfbrown
        Impact
            moderate

        Description

        A latent vulnerability exists in the Prio library where data may be
        read from uninitialized memory for some functions, leading to
        potential memory corruption.

        References
            o Bug 1521360" [1]

        "# CVE-2019-9806: Denial of service through successive FTP
        authorization prompts

        Reporter
            Hanno Bock, Anca Soncutean
        Impact
            low

        Description

        A vulnerability exists during authorization prompting for FTP
        transaction where successive modal prompts are displayed and cannot
        be immediately dismissed. This allows for a denial of service (DOS)
        attack.

        References
            o Bug 1525267" [1]

        "# CVE-2019-9807: Text sent through FTP connection can be
        incorporated into alert messages

        Reporter
            Hanno Bock
        Impact
            low

        Description

        When arbitrary text is sent over an FTP connection and a page reload
        is initiated, it is possible to create a modal alert message with
        this text as the content. This could potentially be used for social
        engineering attacks.

        References
            o Bug 1362050" [1]

        "# CVE-2019-9809: Denial of service through FTP modal alert error
        messages

        Reporter
            schattendeatroth, Hanno Bock
        Impact
            low

        Description

        If the source for resources on a page is through an FTP connection,
        it is possible to trigger a series of modal alert messages for these
        resources through invalid credentials or locations. These messages
        cannot be immediately dismissed, allowing for a denial of service
        (DOS) attack.

        References
            o Bug 1282430
            o Bug 1523249

        # CVE-2019-9808: WebRTC permissions can display incorrect origin with
        data: and blob: URLs

        Reporter
            Jun Kokatsu
        Impact
            low

        Description

        If WebRTC permission is requested from documents with data: or blob:
        URLs, the permission notifications do not properly display the
        originating domain. The notification states "Unknown origin" as the
        requestee, leading to user confusion about which site is asking for
        this permission.

        References
            o Bug 1434634" [1]

        "# CVE-2019-9789: Memory safety bugs fixed in Firefox 66

        Reporter
            Mozilla developers and community
        Impact
            critical

        Description

        Mozilla developers and community members Dragana Damjanovic, Emilio
        Cobos Alvarez, Henri Sivonen, Narcis Beleuzu, Julian Seward, Marcia
        Knous, Gary Kwong, Tyson Smith, Yaron Tausky, Ronald Crane, and Andre
        Bargull reported memory safety bugs present in Firefox 65. Some of
        these bugs showed evidence of memory corruption and we presume that
        with enough effort that some of these could be exploited to run
        arbitrary code.

        References
            o Memory safety bugs fixed in Firefox 66" [1]

        "# CVE-2019-9788: Memory safety bugs fixed in Firefox 66 and Firefox
        ESR 60.6

        Reporter
            Mozilla developers and community
        Impact
            critical

        Description

        Mozilla developers and community members Bob Clary, Chun-Min Chang,
        Aral Yaman, Andreea Pavel, Jonathan Kew, Gary Kwong, Alex Gaynor,
        Masayuki Nakano, and Anne van Kesteren reported memory safety bugs
        present in Firefox 65 and Firefox ESR 60.5. Some of these bugs showed
        evidence of memory corruption and we presume that with enough effort
        that some of these could be exploited to run arbitrary code.

        References
            o Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6"
            [1] [2]

        "# CVE-2018-18506: Proxy Auto-Configuration file can define localhost
        access to be proxied

        Reporter
            Jann Horn
        Impact
            moderate

        Description

        When proxy auto-detection is enabled, if a web server serves a Proxy
        Auto-Configuration (PAC) file or if a PAC file is loaded locally,
        this PAC file can specify that requests to the localhost are to be
        sent through the proxy to another server. This behavior is disallowed
        by default when a proxy is manually configured, but when enabled
        could allow for attacks on services and tools that bind to the
        localhost for networked behavior if they are accessed through
        browsing.

        References
            o Bug 1503393" [2]


MITIGATION

        Mozilla recommends upgrading Firefox and Firefox ESR to the latest
        version:

          - Firefox 66.0 [1]
          - Firefox ESR 60.6 [2]


REFERENCES

        [1] MFSA 2019-07 Security vulnerabilities fixed in Firefox 66
            https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/

        [2] MFSA 2019-08 Security vulnerabilities fixed in Firefox ESR 60.6
            https://www.mozilla.org/en-US/security/advisories/mfsa2019-08/

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation.

The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)

AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
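Triage helper, added here as an example and not part of the AusCERT bulletin or of Mozilla's advisories: given an installed Firefox version string, it reports which CVEs from this bulletin still apply, using the fixed versions (66.0 and ESR 60.6) and the branch markers ([1] = MFSA 2019-07, [2] = MFSA 2019-08) exactly as the bulletin text above lists them. The version-string grammar it accepts ('65.0.1', '67.0b3', '60.5.2esr') is an assumption about how Firefox reports its version.

```python
"""Map an installed Firefox version to the ASB-2019.0082 CVEs that still apply.

Added example, not code from AusCERT or Mozilla. Fixed versions and the
CVE-to-branch split are taken from the bulletin: a CVE is listed against
ESR 60.6 when the bulletin cites reference [2] (MFSA 2019-08).
"""
import re

# First fixed version per branch, as stated in the bulletin's MITIGATION.
FIXED = {"release": (66, 0, 0), "esr": (60, 6, 0)}

# Entries the bulletin tags with both [1] and [2].
BOTH = {
    "CVE-2019-9790", "CVE-2019-9791", "CVE-2019-9792", "CVE-2019-9793",
    "CVE-2019-9794", "CVE-2019-9795", "CVE-2019-9796", "CVE-2019-9801",
    "CVE-2019-9788",
}
# Entries tagged [1] only (fixed in Firefox 66, not listed for ESR 60.6).
RELEASE_ONLY = {
    "CVE-2019-9797", "CVE-2019-9798", "CVE-2019-9799", "CVE-2019-9802",
    "CVE-2019-9803", "CVE-2019-9804", "CVE-2019-9805", "CVE-2019-9806",
    "CVE-2019-9807", "CVE-2019-9808", "CVE-2019-9809", "CVE-2019-9789",
}
# Entries tagged [2] only (listed for ESR 60.6 but not for Firefox 66).
ESR_ONLY = {"CVE-2018-18506"}

# Assumed version grammar: major.minor[.patch][a|b<n>][esr].
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?([ab]\d+)?(esr)?$")


def parse_version(text):
    """Return (branch, (major, minor, patch)); 'esr' suffix selects the ESR branch."""
    m = _VERSION_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised Firefox version: {text!r}")
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    branch = "esr" if m.group(5) else "release"
    return branch, version


def applicable_cves(text):
    """CVEs from this bulletin that still apply to the given installed version.

    Empty once the version is at or beyond its branch's fixed release. An ESR
    build older than 60.x is treated as missing every ESR 60.6 fix, since no
    earlier ESR carries them.
    """
    branch, version = parse_version(text)
    if version >= FIXED[branch]:
        return set()
    return BOTH | (ESR_ONLY if branch == "esr" else RELEASE_ONLY)
```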