===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2019.0247
         Firefox: Stored passwords in 'Saved Logins' can be copied
                       without master password entry
                              16 August 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Firefox
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Access Confidential Data -- Existing Account
Resolution:           Patch/Upgrade
CVE Names:            CVE-2019-11733  
Member content until: Sunday, September 15 2019

OVERVIEW

        Mozilla has published a security advisory for Firefox versions before
        68.0.2 and ESR 68.0.2. [1]


IMPACT

        Mozilla advises:
        
        "CVE-2019-11733: Stored passwords in 'Saved Logins' can be copied without
        master password entry
        
        Reporter
            None
        Impact
            moderate
        
        Description
        
        When a master password is set, it is required to be entered before stored
        passwords can be accessed in the 'Saved Logins' dialog. It was found that
        locally stored passwords can be copied to the clipboard through the 'copy
        password' context menu item without first entering the master password,
        allowing for potential theft of stored passwords." [1]


MITIGATION

        Mozilla advises updating to version 68.0.2 or ESR 68.0.2 or later
        to address this vulnerability. [1]


REFERENCES

        [1] MFSA 2019-24
            https://www.mozilla.org/en-US/security/advisories/mfsa2019-24/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================