-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2019.0166
           Firefox patches critical type confusion vulnerability
                               19 June 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Firefox
                      Firefox Extended Support Release
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Denial of Service -- Remote with User Interaction
                      Reduced Security  -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2019-11707
Member content until: Friday, July 19 2019
Reference:            ESB-2019.2158

OVERVIEW

        Mozilla has published new versions of Firefox and
        Firefox Extended Support Release to address a critical vulnerability
        which is being exploited in the wild. [1]


IMPACT

        Mozilla has provided the following information:
        "# CVE-2019-11707: Type confusion in Array.pop
        
        Reporter: Samuel Gross of Google Project Zero, Coinbase Security
        Impact:   critical
        
        Description
        
        A type confusion vulnerability can occur when manipulating JavaScript objects
        due to issues in Array.pop. This can allow for an exploitable crash. We are
        aware of targeted attacks in the wild abusing this flaw." [1]


MITIGATION

        Mozilla advises upgrading to Firefox 67.0.3 or Firefox ESR 60.7.1 to address
        this vulnerability. [1]
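The fixed versions above differ per channel (release 67.0.3, ESR 60.7.1), so a fleet check has to identify the branch before comparing version numbers. The following is an added example, not part of the AusCERT or Mozilla text; the inventory format (host name, then the banner printed by `firefox --version`) and the "esr" suffix on ESR version strings are assumptions of this example.

```python
"""Flag Firefox installs that predate the CVE-2019-11707 fix (added example)."""
import re

FIXED_RELEASE = (67, 0, 3)   # release-channel fix named in the advisory
FIXED_ESR = (60, 7, 1)       # ESR fix named in the advisory

# Assumed banner forms: "Mozilla Firefox 67.0.3", "Mozilla Firefox 60.7.0esr"
_BANNER_RE = re.compile(r"Mozilla Firefox\s+(\d+(?:\.\d+)*)(esr)?", re.IGNORECASE)


def parse_banner(banner):
    """Return (version_tuple, is_esr) from a `firefox --version` banner."""
    m = _BANNER_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised Firefox banner: {banner!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    parts = (parts + (0, 0, 0))[:3]   # "67.0" compares like 67.0.0
    return parts, m.group(2) is not None


def is_patched(banner):
    """True if the build includes the CVE-2019-11707 fix for its channel."""
    version, is_esr = parse_banner(banner)
    # A release-channel 60.x build is not ESR and must not be judged against
    # the ESR threshold; it is simply an old release and is unpatched.
    threshold = FIXED_ESR if is_esr else FIXED_RELEASE
    return version >= threshold


def unpatched_hosts(inventory):
    """Return hosts whose Firefox predates the fix. Unparsable banners are
    reported as well: an unknown version cannot be assumed safe."""
    flagged = []
    for line in inventory.strip().splitlines():
        host, _, banner = line.partition(",")
        try:
            if not is_patched(banner.strip()):
                flagged.append(host)
        except ValueError:
            flagged.append(host)
    return flagged


# Constructed sample inventory for this example, not real data.
SAMPLE_INVENTORY = """\
ws01,Mozilla Firefox 67.0.3
ws02,Mozilla Firefox 67.0.2
ws03,Mozilla Firefox 60.7.1esr
ws04,Mozilla Firefox 60.7.0esr
ws05,Mozilla Firefox 60.7.1
ws06,Mozilla Firefox unknown
"""

if __name__ == "__main__":
    print("unpatched:", unpatched_hosts(SAMPLE_INVENTORY))  # -> ['ws02', 'ws04', 'ws05', 'ws06']
```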


REFERENCES

        [1] Mozilla Foundation Security Advisory 2019-18
            https://www.mozilla.org/en-US/security/advisories/mfsa2019-18/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----