===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2019.0082
     Security vulnerabilities fixed in Firefox 66 and Firefox ESR 60.6
                               20 March 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Mozilla Firefox
                      Mozilla Firefox ESR
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Access Privileged Data          -- Remote with User Interaction
                      Create Arbitrary Files          -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Provide Misleading Information  -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2019-9809 CVE-2019-9808 CVE-2019-9807
                      CVE-2019-9806 CVE-2019-9805 CVE-2019-9804
                      CVE-2019-9803 CVE-2019-9802 CVE-2019-9801
                      CVE-2019-9799 CVE-2019-9798 CVE-2019-9797
                      CVE-2019-9796 CVE-2019-9795 CVE-2019-9794
                      CVE-2019-9793 CVE-2019-9792 CVE-2019-9791
                      CVE-2019-9790 CVE-2019-9789 CVE-2019-9788
                      CVE-2018-18506  
Member content until: Friday, April 19 2019

OVERVIEW

        Several vulnerabilities have been identified in Mozilla Firefox prior
        to version 66.0 [1] and Firefox ESR prior to version 60.6 [2].


IMPACT

        Mozilla has given the following information regarding these 
        vulnerabilities:
        
        "# CVE-2019-9790: Use-after-free when removing in-use DOM elements
        
        Reporter
            Brandon Wieser
        Impact
            critical
        
        Description
        
        A use-after-free vulnerability can occur when a raw pointer to a DOM element on
        a page is obtained using JavaScript and the element is then removed while still
        in use. This results in a potentially exploitable crash.
        
        References
        
          o Bug 1525145" [1] [2]
        
        
        "# CVE-2019-9791: Type inference is incorrect for constructors entered through
        on-stack replacement with IonMonkey
        
        Reporter
            Samuel Gross of Google Project Zero
        Impact
            critical
        
        Description
        
        The type inference system allows the compilation of functions that can cause
        type confusions between arbitrary objects when compiled through the IonMonkey
        just-in-time (JIT) compiler and when the constructor function is entered
        through on-stack replacement (OSR). This allows for possible arbitrary reading
        and writing of objects during an exploitable crash.
        
        References
        
          o Bug 1530958" [1] [2]
        
        
        "# CVE-2019-9792: IonMonkey leaks JS_OPTIMIZED_OUT magic value to script
        
        Reporter
            Samuel Gross of Google Project Zero
        Impact
            critical
        
        Description
        
        The IonMonkey just-in-time (JIT) compiler can leak an internal JS_OPTIMIZED_OUT
        magic value to the running script during a bailout. This magic value can then
        be used by JavaScript to achieve memory corruption, which results in a
        potentially exploitable crash.
        
        References
        
          o Bug 1532599" [1] [2]
        
        
        "# CVE-2019-9793: Improper bounds checks when Spectre mitigations are disabled
        
        Reporter
            Bruno Keith & Niklas Baumstark from the phoenhex team
        Impact
            high
        
        Description
        
        A mechanism was discovered that removes some bounds checking for string, array,
        or typed array accesses if Spectre mitigations have been disabled. This
        vulnerability could allow an attacker to create an arbitrary value in compiled
        JavaScript, for which the range analysis will infer a fully controlled,
        incorrect range in circumstances where users have explicitly disabled Spectre
        mitigations.
        Note: Spectre mitigations are currently enabled for all users by default
        settings.
        
        References
        
          o Bug 1528829" [1] [2]
        
        
        "# CVE-2019-9794: Command line arguments not discarded during execution
        
        Reporter
            Joshua Graham
        Impact
            high
        
        Description
        
        A vulnerability was discovered where specific command line arguments are not
        properly discarded during Firefox invocation as a shell handler for URLs. This
        could be used to retrieve and execute files whose location is supplied through
        these command line arguments if Firefox is configured as the default URI
        handler for a given URI scheme in third party applications and these
        applications insufficiently sanitize URL data.
        Note: This issue only affects Windows operating systems. Other operating
        systems are unaffected.
        
        References
        
          o Bug 1530103" [1] [2]
        
        
        "# CVE-2019-9795: Type-confusion in IonMonkey JIT compiler
        
        Reporter
            Nils
        Impact
            high
        
        Description
        
        A vulnerability where type-confusion in the IonMonkey just-in-time (JIT)
        compiler could potentially be used by malicious JavaScript to trigger a
        potentially exploitable crash.
        
        References
        
          o Bug 1514682" [1] [2]
        
        
        "# CVE-2019-9796: Use-after-free with SMIL animation controller
        
        Reporter
            Nils
        Impact
            high
        
        Description
        
        A use-after-free vulnerability can occur when the SMIL animation controller
        incorrectly registers with the refresh driver twice when only a single
        registration is expected. When a registration is later freed with the removal
        of the animation controller element, the refresh driver incorrectly leaves a
        dangling pointer to the driver's observer array.
        
        References
        
          o Bug 1531277" [1] [2]
        
        
        "# CVE-2019-9797: Cross-origin theft of images with createImageBitmap
        
        Reporter
            AaylaSecura1138
        Impact
            high
        
        Description
        
        Cross-origin images can be read in violation of the same-origin policy by
        exporting an image after using createImageBitmap to read the image and then
        rendering the resulting bitmap image within a canvas element.
        
        References
        
          o Bug 1528909" [1]
        
        
        "# CVE-2019-9798: Library is loaded from world writable APITRACE_LIB location
        
        Reporter
            Jeff Gilbert
        Impact
            high
        
        Description
        
        On Android systems, Firefox can load a library from APITRACE_LIB, which is
        writable by all users and applications. This could allow malicious third party
        applications to execute a man-in-the-middle attack if malicious code was
        written to that location and loaded.
        Note: This issue only affects Android. Other operating systems are unaffected.
        
        References
        
          o Bug 1527534
        
        # CVE-2019-9799: Information disclosure via IPC channel messages
        
        Reporter
            Paul Theriault
        Impact
            high
        
        Description
        
        Insufficient bounds checking of data during inter-process communication might
        allow a compromised content process to be able to read memory from the parent
        process under certain conditions.
        
        References
        
          o Bug 1505678" [1]
        
        
        "# CVE-2019-9801: Windows programs that are not 'URL Handlers' are exposed to
        web content
        
        Reporter
            Daniel Veditz
        Impact
            moderate
        
        Description
        
        Firefox will accept any registered Program ID as an external protocol handler
        and offer to launch this local application when given a matching URL on Windows
        operating systems. This should only happen if the program has specifically
        registered itself as a "URL Handler" in the Windows registry.
        Note: This issue only affects Windows operating systems. Other operating
        systems are unaffected.
        
        References
        
          o Bug 1527717" [1] [2]
        
        
        "# CVE-2019-9802: Chrome process information leak
        
        Reporter
            Stephen Fewer
        Impact
            moderate
        
        Description
        
        If a Sandbox content process is compromised, it can initiate an FTP download
        which will then use a child process to render the downloaded data. The
        downloaded data can then be passed to the Chrome process with an arbitrary file
        length supplied by an attacker, bypassing sandbox protections and allow for a
        potential memory read of adjacent data from the privileged Chrome process,
        which may include sensitive data.
        
        References
        
          o Bug 1415508" [1]
        
        
        "# CVE-2019-9803: Upgrade-Insecure-Requests incorrectly enforced for same-origin
        navigation
        
        Reporter
            Xiaoyin Liu, Vinothkumar Nagasayanan
        Impact
            moderate
        
        Description
        
        The Upgrade-Insecure-Requests (UIR) specification states that if UIR is enabled
        through Content Security Policy (CSP), navigation to a same-origin URL must be
        upgraded to HTTPS. Firefox will incorrectly navigate to an HTTP URL rather than
        perform the security upgrade requested by the CSP in some circumstances,
        allowing for potential man-in-the-middle attacks on the linked resources.
        
        References
        
          o Bug 1515863
          o Bug 1437009
          o 'Upgrade Insecure Requests' specification" [1]
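        The following is an added example, not Mozilla's code: a model of the
        Upgrade-Insecure-Requests decision that CVE-2019-9803 concerns, showing
        the same-origin navigation case the advisory says Firefox got wrong next
        to the cases it handled. The helper names and the document/request URLs
        in the comments are this example's own assumptions.

```javascript
// Added example (not Mozilla's code): models the Upgrade-Insecure-Requests (UIR)
// rule for a document whose CSP contains the upgrade-insecure-requests directive.
// Function names are this example's own; URLs used with it are constructed samples.

function hasUpgradeDirective(cspHeader) {
  // CSP directives are ';'-separated and directive names are case-insensitive.
  return cspHeader
    .split(';')
    .some(d => d.trim().toLowerCase() === 'upgrade-insecure-requests');
}

// Returns the URL the browser should actually fetch for `requestUrl`, issued by a
// document at `documentUrl` whose CSP header is `cspHeader`. `isNavigation` is
// true for top-level link navigations, false for subresource loads (scripts,
// images, WebSocket connections).
function upgradeIfAppropriate(documentUrl, cspHeader, requestUrl, isNavigation) {
  const doc = new URL(documentUrl);
  const req = new URL(requestUrl);

  // Only http: and ws: have an insecure-to-secure counterpart.
  const upgradeTo = { 'http:': 'https:', 'ws:': 'wss:' }[req.protocol];
  if (!upgradeTo || !hasUpgradeDirective(cspHeader)) return req.href;

  // The spec deliberately leaves cross-host top-level navigations alone (the
  // browser only adds the Upgrade-Insecure-Requests: 1 request header). A
  // navigation to the document's own host, and every subresource request, must
  // be upgraded. This same-host navigation branch is where Firefox wrongly
  // kept the http: URL.
  if (isNavigation && req.hostname !== doc.hostname) return req.href;

  // Default ports are normalised away by the URL parser, so switching the
  // scheme is enough to move from port 80 to 443.
  req.protocol = upgradeTo;
  return req.href;
}

// The pre-fix behaviour described in the advisory, for comparison: subresources
// are upgraded but a navigation request is never rewritten.
function vulnerableUpgrade(documentUrl, cspHeader, requestUrl, isNavigation) {
  return isNavigation
    ? new URL(requestUrl).href
    : upgradeIfAppropriate(documentUrl, cspHeader, requestUrl, false);
}
```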
        
        
        "# CVE-2019-9804: Code execution through 'Copy as cURL' in Firefox Developer
        Tools on macOS
        
        Reporter
            potatoe
        Impact
            moderate
        
        Description
        
        In Firefox Developer Tools it is possible that pasting the result of the 'Copy
        as cURL' command into a command shell on macOS will cause the execution of
        unintended additional bash script commands if the URL was maliciously crafted.
        This is the result of an issue with the native version of Bash on macOS.
        Note: This issue only affects macOS. Other operating systems are unaffected.
        
        References
        
          o Bug 1518026" [1]
        
        
        "# CVE-2019-9805: Potential use of uninitialized memory in Prio
        
        Reporter
            mlfbrown
        Impact
            moderate
        
        Description
        
        A latent vulnerability exists in the Prio library where data may be read from
        uninitialized memory for some functions, leading to potential memory
        corruption.
        
        References
        
          o Bug 1521360" [1]
        
        
        "# CVE-2019-9806: Denial of service through successive FTP authorization prompts
        
        Reporter
            Hanno Böck, Anca Soncutean
        Impact
            low
        
        Description
        
        A vulnerability exists during authorization prompting for FTP transaction where
        successive modal prompts are displayed and cannot be immediately dismissed.
        This allows for a denial of service (DOS) attack.
        
        References
        
          o Bug 1525267" [1]
        
        
        "# CVE-2019-9807: Text sent through FTP connection can be incorporated into
        alert messages
        
        Reporter
            Hanno Böck
        Impact
            low
        
        Description
        
        When arbitrary text is sent over an FTP connection and a page reload is
        initiated, it is possible to create a modal alert message with this text as the
        content. This could potentially be used for social engineering attacks.
        
        References
        
          o Bug 1362050" [1]
        
        
        "# CVE-2019-9809: Denial of service through FTP modal alert error messages
        
        Reporter
            schattendeatroth, Hanno Böck
        Impact
            low
        
        Description
        
        If the source for resources on a page is through an FTP connection, it is
        possible to trigger a series of modal alert messages for these resources
        through invalid credentials or locations. These messages cannot be immediately
        dismissed, allowing for a denial of service (DOS) attack.
        
        References
        
          o Bug 1282430
          o Bug 1523249
        
        # CVE-2019-9808: WebRTC permissions can display incorrect origin with data: and
        blob: URLs
        
        Reporter
            Jun Kokatsu
        Impact
            low
        
        Description
        
        If WebRTC permission is requested from documents with data: or blob: URLs, the
        permission notifications do not properly display the originating domain. The
        notification states "Unknown origin" as the requestee, leading to user
        confusion about which site is asking for this permission.
        
        References
        
          o Bug 1434634" [1]
        
        
        "# CVE-2019-9789: Memory safety bugs fixed in Firefox 66
        
        Reporter
            Mozilla developers and community
        Impact
            critical
        
        Description
        
        Mozilla developers and community members Dragana Damjanovic, Emilio Cobos
        Álvarez, Henri Sivonen, Narcis Beleuzu, Julian Seward, Marcia Knous, Gary
        Kwong, Tyson Smith, Yaron Tausky, Ronald Crane, and André Bargull reported
        memory safety bugs present in Firefox 65. Some of these bugs showed evidence of
        memory corruption and we presume that with enough effort some of these
        could be exploited to run arbitrary code.
        
        References
        
          o Memory safety bugs fixed in Firefox 66" [1]
        
        
        "# CVE-2019-9788: Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6
        
        Reporter
            Mozilla developers and community
        Impact
            critical
        
        Description
        
        Mozilla developers and community members Bob Clary, Chun-Min Chang, Aral Yaman,
        Andreea Pavel, Jonathan Kew, Gary Kwong, Alex Gaynor, Masayuki Nakano, and Anne
        van Kesteren reported memory safety bugs present in Firefox 65 and Firefox ESR
        60.5. Some of these bugs showed evidence of memory corruption and we presume
        that with enough effort some of these could be exploited to run arbitrary
        code.
        
        References
        
          o Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6" [1][2]
        
        
        "# CVE-2018-18506: Proxy Auto-Configuration file can define localhost access to
        be proxied
        
        Reporter
            Jann Horn
        Impact
            moderate
        
        Description
        
        When proxy auto-detection is enabled, if a web server serves a Proxy
        Auto-Configuration (PAC) file or if a PAC file is loaded locally, this PAC file
        can specify that requests to the localhost are to be sent through the proxy to
        another server. This behavior is disallowed by default when a proxy is manually
        configured, but when enabled could allow for attacks on services and tools that
        bind to the localhost for networked behavior if they are accessed through
        browsing.
        
        References
        
          o Bug 1503393" [2]
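        The following is an added example, not Mozilla's code: an audit helper for
        Proxy Auto-Configuration scripts, prompted by CVE-2018-18506, that loads a
        PAC file, asks it where loopback URLs would be sent, and reports any that
        would leave the machine through a proxy. The helper names, the two sample
        PAC scripts and the proxy host names are constructed for this example.

```javascript
// Added example (not Mozilla's code): audits a PAC script for the behaviour the
// advisory describes, requests to the local host being routed to a proxy.
// Helper names and sample PAC text are this example's own constructions.

// Minimal versions of the PAC helper functions a browser provides to PAC scripts.
const PAC_HELPERS = `
  function isPlainHostName(host) { return host.indexOf('.') === -1; }
  function dnsDomainIs(host, domain) { return host.endsWith(domain); }
`;

// Compiles PAC source into a callable FindProxyForURL. This evaluates the script,
// so only run it on PAC files you already intend to deploy.
function loadPac(pacSource) {
  return new Function(PAC_HELPERS + pacSource + '; return FindProxyForURL;')();
}

// True for host names and addresses that refer to the local machine.
function isLoopbackHost(host) {
  const h = host.toLowerCase().replace(/^\[|\]$/g, ''); // strip IPv6 brackets
  return h === 'localhost' || h.endsWith('.localhost') || h === '::1' ||
    /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(h);
}

// Probes the PAC with each URL and returns the loopback URLs whose verdict
// contains anything other than DIRECT (PAC verdicts may be ';'-separated lists).
function auditLoopbackProxying(pacSource, urls) {
  const findProxyForURL = loadPac(pacSource);
  const findings = [];
  for (const url of urls) {
    const host = new URL(url).hostname;
    if (!isLoopbackHost(host)) continue;
    const verdict = String(findProxyForURL(url, host));
    const proxied = verdict.split(';')
      .map(v => v.trim())
      .some(v => v !== '' && v.toUpperCase() !== 'DIRECT');
    if (proxied) findings.push({ url, verdict });
  }
  return findings;
}

// Constructed sample PACs: the first keeps loopback traffic local, the second
// sends everything, loopback included, to a proxy.
const SAFE_PAC = `
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || dnsDomainIs(host, ".localhost") ||
      host === "127.0.0.1" || host === "[::1]") return "DIRECT";
  return "PROXY proxy.corp.example:3128";
}`;
const UNSAFE_PAC = `
function FindProxyForURL(url, host) { return "PROXY proxy.example.test:8080"; }`;
```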


MITIGATION

        Mozilla recommends upgrading Firefox and Firefox ESR to the latest
        version: Firefox 66.0 [1] or Firefox ESR 60.6 [2].


REFERENCES

        [1] MFSA 2019-07 Security vulnerabilities fixed in Firefox 66
            https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/

        [2] MFSA 2019-08 Security vulnerabilities fixed in Firefox ESR 60.6
            https://www.mozilla.org/en-US/security/advisories/mfsa2019-08/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================