===========================================================================
AUSCERT Security Bulletin

ASB-2019.0307
MFSA 2019-33/34 Security vulnerabilities fixed in - Firefox 70
23 October 2019
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:              Mozilla Firefox
                      Mozilla Firefox ESR
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Access Privileged Data          -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Cross-site Scripting            -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2019-15903 CVE-2019-11764 CVE-2019-11763
                      CVE-2019-11762 CVE-2019-11761 CVE-2019-11760
                      CVE-2019-11759 CVE-2019-11758 CVE-2019-11757
Member content until: Friday, November 22 2019

OVERVIEW

Multiple vulnerabilities have been identified in Mozilla Firefox versions
prior to 70, Firefox ESR versions prior to 68.2 and 60.9. [1][2]

IMPACT

The vendor has provided the following details regarding the
vulnerabilities:

"#CVE-2019-15903: Heap overflow in expat library in XML_GetCurrentLineNumber

Reporter    Sebastian Pipping
Impact      high

Description
    In libexpat before 2.2.8, crafted XML input could fool the parser into
    changing from DTD parsing to document parsing too early. A subsequent
    call to XML_GetCurrentLineNumber or XML_GetCurrentColumnNumber then
    resulted in a heap-based buffer over-read.
References
    o Bug 1584907

#CVE-2019-11757: Use-after-free when creating index updates in IndexedDB

Reporter    Zhanjia Song
Impact      high

Description
    When following the value's prototype chain, it was possible to retain
    a reference to a locale, delete it, and subsequently reference it.
    This resulted in a use-after-free and a potentially exploitable crash.
References
    o Bug 1577107

#CVE-2019-11758: Potentially exploitable crash due to 360 Total Security

Reporter    Mozilla developers and community
Impact      high

Description
    Mozilla community member Philipp reported a memory safety bug present
    in Firefox 68 when 360 Total Security was installed. This bug showed
    evidence of memory corruption in the accessibility engine and we
    presume that with enough effort that it could be exploited to run
    arbitrary code.
References
    o Bug 1536227

#CVE-2019-11759: Stack buffer overflow in HKDF output

Reporter    Guido Vranken
Impact      moderate

Description
    An attacker could have caused 4 bytes of HMAC output to be written
    past the end of a buffer stored on the stack. This could be used by an
    attacker to execute arbitrary code or more likely lead to a crash.
References
    o Bug 1577953

#CVE-2019-11760: Stack buffer overflow in WebRTC networking

Reporter    Nils
Impact      moderate

Description
    A fixed-size stack buffer could overflow in nrappkit when doing WebRTC
    signaling. This resulted in a potentially exploitable crash in some
    instances.
References
    o Bug 1577719

#CVE-2019-11761: Unintended access to a privileged JSONView object

Reporter    Cody Crews
Impact      moderate

Description
    By using a form with a data URI it was possible to gain access to the
    privileged JSONView object that had been cloned into content. Impact
    from exposing this object appears to be minimal, however it was a
    bypass of existing defense in depth mechanisms.
References
    o Bug 1561502

#CVE-2019-11762: document.domain-based origin isolation has
same-origin-property violation

Reporter    Kris Maglione
Impact      moderate

Description
    If two same-origin documents set document.domain differently to become
    cross-origin, it was possible for them to call arbitrary DOM
    methods/getters/setters on the now-cross-origin window.
References
    o Bug 1582857

#CVE-2019-11763: Incorrect HTML parsing results in XSS bypass technique

Reporter    Gareth Heyes
Impact      moderate

Description
    Failure to correctly handle null bytes when processing HTML entities
    resulted in Firefox incorrectly parsing these entities. This could
    have led to HTML comment text being treated as HTML which could have
    led to XSS in a web application under certain conditions. It could
    have also led to HTML entities being masked from filters - enabling
    the use of entities to mask the actual characters of interest from
    filters.
References
    o Bug 1584216

#CVE-2019-11764: Memory safety bugs fixed in Firefox 70 and Firefox ESR 68.2

Reporter    Mozilla developers and community
Impact      critical

Description
    Mozilla developers and community members Bob Clary, Jason Kratzer,
    Aaron Klotz, Iain Ireland, Tyson Smith, Christian Holler, Steve Fink,
    Honza Bambas, Byron Campen, and Cristian Brindusan reported memory
    safety bugs present in Firefox 69 and Firefox ESR 68.1. Some of these
    bugs showed evidence of memory corruption and we presume that with
    enough effort some of these could be exploited to run arbitrary code.
References
    o Memory safety bugs fixed in Firefox 70 and Firefox ESR 68.2" [1][2]

MITIGATION

The vendor recommends upgrading to the latest versions to address these
issues. [1][2]

REFERENCES

[1] MFSA 2019-34 Security vulnerabilities fixed in - Firefox 70
    https://www.mozilla.org/en-US/security/advisories/mfsa2019-34/

[2] MFSA 2019-33 Security vulnerabilities fixed in - Firefox ESR 68.2
    https://www.mozilla.org/en-US/security/advisories/mfsa2019-33/

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================