===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2019.0247
     Firefox: Stored passwords in 'Saved Logins' can be copied without
                           master password entry
                              16 August 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Firefox
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Access Confidential Data -- Existing Account
Resolution:           Patch/Upgrade
CVE Names:            CVE-2019-11733
Member content until: Sunday, September 15 2019

OVERVIEW

        Mozilla has published a security advisory for Firefox before
        versions 68.0.2 and ESR 68.0.2. [1]

IMPACT

        Mozilla advises:

        "# CVE-2019-11733: Stored passwords in 'Saved Logins' can be copied
        without master password entry

        Reporter
            None
        Impact
            moderate

        Description

        When a master password is set, it is required to be entered before
        stored passwords can be accessed in the 'Saved Logins' dialog. It was
        found that locally stored passwords can be copied to the clipboard
        through the 'copy password' context menu item without first entering
        the master password, allowing for potential theft of stored
        passwords." [1]

MITIGATION

        Mozilla advises updating to version 68.0.2 or ESR 68.0.2 or later to
        address this vulnerability. [1]

REFERENCES

        [1] MFSA 2019-24
            https://www.mozilla.org/en-US/security/advisories/mfsa2019-24/

AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
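A fleet-side check for the mitigation above, as an added example that is not part of the AusCERT bulletin or Mozilla's advisory: it sorts hosts by the version string that `firefox --version` prints. The inventory format, host names and function names are assumptions made for illustration; ESR builds are compared against 68.0.2 exactly as the bulletin words it, and any string that is not a plain release or ESR version is set aside for manual review.

```python
import re

# Fixed releases named in the bulletin: Firefox 68.0.2 and Firefox ESR 68.0.2.
FIXED = (68, 0, 2)

# Accepts "Mozilla Firefox 68.0.1", "Mozilla Firefox 68.0.2esr" or a bare "68.0".
VERSION_RE = re.compile(r"(?:Mozilla Firefox\s+)?(\d+)\.(\d+)(?:\.(\d+))?(esr)?")

# Constructed sample inventory (assumed format): "<host>\t<firefox --version output>".
INVENTORY = """\
ws-001\tMozilla Firefox 68.0.1
ws-002\tMozilla Firefox 68.0.2
ws-003\tMozilla Firefox 68.0.1esr
ws-004\tMozilla Firefox 68.0.2esr
ws-005\tMozilla Firefox 60.8.0esr
ws-006\tMozilla Firefox 69.0b14
"""


def needs_update(version_text):
    """True if older than the fixed release, False if not, None if unparseable."""
    m = VERSION_RE.fullmatch(version_text.strip())
    if m is None:
        return None  # beta, nightly or garbled strings go to manual review
    major, minor, patch = (int(g or 0) for g in m.group(1, 2, 3))
    return (major, minor, patch) < FIXED


def audit(inventory):
    """Sort hosts into 'update', 'ok' and 'review' buckets."""
    buckets = {"update": [], "ok": [], "review": []}
    for line in inventory.splitlines():
        host, sep, version_text = line.partition("\t")
        if not sep:
            continue  # skip blank lines and lines without a version column
        verdict = needs_update(version_text)
        key = "review" if verdict is None else ("update" if verdict else "ok")
        buckets[key].append(host)
    return buckets


if __name__ == "__main__":
    for bucket, hosts in audit(INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```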