Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.1815
MFSA 2019-13/MFSA 2019-14 Security vulnerabilities fixed in
Firefox 67/ESR 60.7
22 May 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Firefox
Publisher: Mozilla Foundation
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Mobile Device
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Cross-site Scripting -- Remote with User Interaction
Denial of Service -- Remote with User Interaction
Provide Misleading Information -- Remote with User Interaction
Access Confidential Data -- Remote with User Interaction
Reduced Security -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2019-11701 CVE-2019-11700 CVE-2019-11699
CVE-2019-11698 CVE-2019-11697 CVE-2019-11696
CVE-2019-11695 CVE-2019-11694 CVE-2019-11693
CVE-2019-11692 CVE-2019-11691 CVE-2019-9821
CVE-2019-9820 CVE-2019-9819 CVE-2019-9818
CVE-2019-9817 CVE-2019-9816 CVE-2019-9815
CVE-2019-9814 CVE-2019-9800 CVE-2019-7317
Reference: ESB-2019.1491
ESB-2019.1454
Original Bulletin:
https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/
https://www.mozilla.org/en-US/security/advisories/mfsa2019-14/
Comment: This bulletin contains two (2) Mozilla Foundation security
advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
Mozilla Foundation Security Advisory 2019-13
Security vulnerabilities fixed in Firefox 67
Announced
May 21, 2019
Impact
critical
Products
Firefox
Fixed in
Firefox 67
# CVE-2019-9815: Disable hyperthreading on content JavaScript threads on macOS
Reporter
Multiple independent researchers
Impact
high
Description
If hyperthreading is not disabled, a timing attack vulnerability exists,
similar to previous Spectre attacks. Apple has shipped macOS 10.14.5 with an
option to disable hyperthreading in applications running untrusted code in a
thread through a new sysctl. Firefox now makes use of it on the main thread and
any worker threads.
Note: users need to update to macOS 10.14.5 in order to take advantage of this
change.
References
o Bug 1546544
o RIDL and Fallout: MDS attacks
# CVE-2019-9816: Type confusion with object groups and UnboxedObjects
Reporter
Samuel Gross of Google Project Zero
Impact
high
Description
A possible vulnerability exists where type confusion can occur when
manipulating JavaScript objects in object groups, allowing for the bypassing of
security checks within these groups.
Note: this vulnerability has only been demonstrated with UnboxedObjects , which
are disabled by default on all supported releases.
References
o Bug 1536768
# CVE-2019-9817: Stealing of cross-domain images using canvas
Reporter
Luat Nguyen
Impact
high
Description
Images from a different domain can be read using a canvas object in some
circumstances. This could be used to steal image data from a different site in
violation of same-origin policy.
References
o Bug 1540221
# CVE-2019-9818: Use-after-free in crash generation server
Reporter
Thomas Imbert
Impact
high
Description
A race condition is present in the crash generation server used to generate
data for the crash reporter. This issue can lead to a use-after-free in the
main process, resulting in a potentially exploitable crash and a sandbox
escape.
Note: this vulnerability only affects Windows. Other operating systems are
unaffected.
References
o Bug 1542581
# CVE-2019-9819: Compartment mismatch with fetch API
Reporter
Nils
Impact
high
Description
A vulnerability where a JavaScript compartment mismatch can occur while working
with the fetch API, resulting in a potentially exploitable crash.
References
o Bug 1532553
# CVE-2019-9820: Use-after-free of ChromeEventHandler by DocShell
Reporter
Nils
Impact
high
Description
A use-after-free vulnerability can occur in the chrome event handler when it is
freed while still in use. This results in a potentially exploitable crash.
References
o Bug 1536405
# CVE-2019-9821: Use-after-free in AssertWorkerThread
Reporter
Nils
Impact
high
Description
A use-after-free vulnerability can occur in AssertWorkerThread due to a race
condition with shared workers. This results in a potentially exploitable crash.
References
o Bug 1539125
# CVE-2019-11691: Use-after-free in XMLHttpRequest
Reporter
Nils
Impact
high
Description
A use-after-free vulnerability can occur when working with XMLHttpRequest (XHR)
in an event loop, causing the XHR main thread to be called after it has been
freed. This results in a potentially exploitable crash.
References
o Bug 1542465
# CVE-2019-11692: Use-after-free removing listeners in the event listener
manager
Reporter
Nils
Impact
high
Description
A use-after-free vulnerability can occur when listeners are removed from the
event listener manager while still in use, resulting in a potentially
exploitable crash.
References
o Bug 1544670
# CVE-2019-11693: Buffer overflow in WebGL bufferdata on Linux
Reporter
crixer
Impact
high
Description
The bufferdata function in WebGL is vulnerable to a buffer overflow with
specific graphics drivers on Linux. This could result in malicious content
freezing a tab or triggering a potentially exploitable crash.
Note: this issue only occurs on Linux. Other operating systems are unaffected.
References
o Bug 1532525
# CVE-2019-7317: Use-after-free in png_image_free of libpng library
Reporter
Salvatore Bonaccorso
Impact
high
Description
A use-after-free vulnerability was discovered in the png_image_free function in
the libpng library. This could lead to denial of service or a potentially
exploitable crash when a malformed image is processed.
References
o Bug 1542829
# CVE-2019-11694: Uninitialized memory memory leakage in Windows sandbox
Reporter
Jeremy Fetiveau of SSD Secure Disclosure
Impact
moderate
Description
A vulnerability exists in the Windows sandbox where an uninitialized value in
memory can be leaked to a renderer from a broker when making a call to access
an otherwise unavailable file. This results in the potential leaking of
information stored at that memory location.
Note: this issue only occurs on Windows. Other operating systems are
unaffected.
References
o Bug 1534196
# CVE-2019-11695: Custom cursor can render over user interface outside of web
content
Reporter
bignis
Impact
moderate
Description
A custom cursor defined by scripting on a site can position itself over the
addressbar to spoof the actual cursor when it should not be allowed outside of
the primary web content area. This could be used by a malicious site to trick
users into clicking on permission prompts, doorhanger notifications, or other
buttons inadvertently if the location is spoofed over the user interface.
References
o Bug 1445844
# CVE-2019-11696: Java web start .JNLP files are not recognized as executable
files for download prompts
Reporter
Abdulrahman Alqabandi
Impact
moderate
Description
Files with the .JNLP extension used for "Java web start" applications are not
treated as executable content for download prompts even though they can be
executed if Java is installed on the local system. This could allow users to
mistakenly launch an executable binary locally.
References
o Bug 1392955
# CVE-2019-11697: Pressing key combinations can bypass installation prompt
delays and install extensions
Reporter
Abdulrahman Alqabandi
Impact
moderate
Description
If the ALT and "a" keys are pressed when users receive an extension
installation prompt, the extension will be installed without the install prompt
delay that keeps the prompt visible in order for users to accept or decline the
installation. A malicious web page could use this with spoofing on the page to
trick users into installing a malicious extension.
References
o Bug 1440079
# CVE-2019-11698: Theft of user history data through drag and drop of
hyperlinks to and from bookmarks
Reporter
Abdulrahman Alqabandi
Impact
moderate
Description
If a crafted hyperlink is dragged and dropped to the bookmark bar or sidebar
and the resulting bookmark is subsequently dragged and dropped into the web
content area, an arbitrary query of a user's browser history can be run and
transmitted to the content page via drop event data. This allows for the theft
of browser history by a malicious site.
References
o Bug 1543191
# CVE-2019-11700: res: protocol can be used to open known local files
Reporter
James Lee
Impact
moderate
Description
A hyperlink using the res: protocol can be used to open local files at a known
location in Internet Explorer if a user approves execution when prompted.
Note: this issue only occurs on Windows. Other operating systems are
unaffected.
References
o Bug 1549833
# CVE-2019-11699: Incorrect domain name highlighting during page navigation
Reporter
tzachyr
Impact
low
Description
A malicious page can briefly cause the wrong name to be highlighted as the
domain name in the addressbar during page navigations. This could result in
user confusion of which site is currently loaded for spoofing attacks.
References
o Bug 1528939
# CVE-2019-11701: webcal: protocol default handler loads vulnerable web page
Reporter
Peter af Geijerstam
Impact
low
Description
The default webcal: protocol handler will load a web site vulnerable to
cross-site scripting (XSS) attacks. This default was left in place as a legacy
feature and has now been removed.
Note: this issue only affects users with an account on the vulnerable service.
Other users are unaffected.
References
o Bug 1518627
# CVE-2019-9814: Memory safety bugs fixed in Firefox 67
Reporter
Mozilla developers and community
Impact
critical
Description
Mozilla developers and community members Christian Holler, Andrei Ciure, Julien
Cristau, Jan de Mooij, Jan Varga, Marcia Knous, Andre Bargull, and Philipp
reported memory safety bugs present in Firefox 66. Some of these bugs showed
evidence of memory corruption and we presume that with enough effort that some
of these could be exploited to run arbitrary code.
References
o Memory safety bugs fixed in Firefox 67
# CVE-2019-9800: Memory safety bugs fixed in Firefox 67 and Firefox ESR 60.7
Reporter
Mozilla developers and community
Impact
critical
Description
Mozilla developers and community members Olli Pettay, Bogdan Tara, Jan de
Mooij, Jason Kratzer, Jan Varga, Gary Kwong, Tim Guan-tin Chien, Tyson Smith,
Ronald Crane, and Ted Campbell reported memory safety bugs present in Firefox
66 and Firefox ESR 60.6. Some of these bugs showed evidence of memory
corruption and we presume that with enough effort that some of these could be
exploited to run arbitrary code.
References
o Memory safety bugs fixed in Firefox 67 and Firefox ESR 60.7
- ---------------------------------------------------------------------------------
Mozilla Foundation Security Advisory 2019-14
Security vulnerabilities fixed in Firefox ESR 60.7
Announced
May 21, 2019
Impact
critical
Products
Firefox ESR
Fixed in
Firefox ESR 60.7
# CVE-2019-9815: Disable hyperthreading on content JavaScript threads on macOS
Reporter
Multiple independent researchers
Impact
high
Description
If hyperthreading is not disabled, a timing attack vulnerability exists,
similar to previous Spectre attacks. Apple has shipped macOS 10.14.5 with an
option to disable hyperthreading in applications running untrusted code in a
thread through a new sysctl. Firefox now makes use of it on the main thread and
any worker threads.
Note: users need to update to macOS 10.14.5 in order to take advantage of this
change.
References
o Bug 1546544
o RIDL and Fallout: MDS attacks
# CVE-2019-9816: Type confusion with object groups and UnboxedObjects
Reporter
Samuel Gross of Google Project Zero
Impact
high
Description
A possible vulnerability exists where type confusion can occur when
manipulating JavaScript objects in object groups, allowing for the bypassing of
security checks within these groups.
Note: this vulnerability has only been demonstrated with UnboxedObjects , which
are disabled by default on all supported releases.
References
o Bug 1536768
# CVE-2019-9817: Stealing of cross-domain images using canvas
Reporter
Luat Nguyen
Impact
high
Description
Images from a different domain can be read using a canvas object in some
circumstances. This could be used to steal image data from a different site in
violation of same-origin policy.
References
o Bug 1540221
# CVE-2019-9818: Use-after-free in crash generation server
Reporter
Thomas Imbert
Impact
high
Description
A race condition is present in the crash generation server used to generate
data for the crash reporter. This issue can lead to a use-after-free in the
main process, resulting in a potentially exploitable crash and a sandbox
escape.
Note: this vulnerability only affects Windows. Other operating systems are
unaffected.
References
o Bug 1542581
# CVE-2019-9819: Compartment mismatch with fetch API
Reporter
Nils
Impact
high
Description
A vulnerability where a JavaScript compartment mismatch can occur while working
with the fetch API, resulting in a potentially exploitable crash.
References
o Bug 1532553
# CVE-2019-9820: Use-after-free of ChromeEventHandler by DocShell
Reporter
Nils
Impact
high
Description
A use-after-free vulnerability can occur in the chrome event handler when it is
freed while still in use. This results in a potentially exploitable crash.
References
o Bug 1536405
# CVE-2019-11691: Use-after-free in XMLHttpRequest
Reporter
Nils
Impact
high
Description
A use-after-free vulnerability can occur when working with XMLHttpRequest (XHR)
in an event loop, causing the XHR main thread to be called after it has been
freed. This results in a potentially exploitable crash.
References
o Bug 1542465
# CVE-2019-11692: Use-after-free removing listeners in the event listener
manager
Reporter
Nils
Impact
high
Description
A use-after-free vulnerability can occur when listeners are removed from the
event listener manager while still in use, resulting in a potentially
exploitable crash.
References
o Bug 1544670
# CVE-2019-11693: Buffer overflow in WebGL bufferdata on Linux
Reporter
crixer
Impact
high
Description
The bufferdata function in WebGL is vulnerable to a buffer overflow with
specific graphics drivers on Linux. This could result in malicious content
freezing a tab or triggering a potentially exploitable crash.
Note: this issue only occurs on Linux. Other operating systems are unaffected.
References
o Bug 1532525
# CVE-2019-7317: Use-after-free in png_image_free of libpng library
Reporter
Salvatore Bonaccorso
Impact
high
Description
A use-after-free vulnerability was discovered in the png_image_free function in
the libpng library. This could lead to denial of service or a potentially
exploitable crash when a malformed image is processed.
References
o Bug 1542829
# CVE-2019-9797: Cross-origin theft of images with createImageBitmap
Reporter
AaylaSecura1138
Impact
high
Description
Cross-origin images can be read in violation of the same-origin policy by
exporting an image after using createImageBitmap to read the image and then
rendering the resulting bitmap image within a canvas element.
References
o Bug 1528909
# CVE-2018-18511: Cross-origin theft of images with ImageBitmapRenderingContext
Reporter
AaylaSecura1138
Impact
high
Description
Cross-origin images can be read from a canvas element in violation of the
same-origin policy using the transferFromImageBitmap method.
Note: This only affects Firefox 65. Previous versions are unaffected.
References
o Bug 1526218
# CVE-2019-11694: Uninitialized memory memory leakage in Windows sandbox
Reporter
Jeremy Fetiveau of SSD Secure Disclosure
Impact
moderate
Description
A vulnerability exists in the Windows sandbox where an uninitialized value in
memory can be leaked to a renderer from a broker when making a call to access
an otherwise unavailable file. This results in the potential leaking of
information stored at that memory location.
Note: this issue only occurs on Windows. Other operating systems are
unaffected.
References
o Bug 1534196
# CVE-2019-11698: Theft of user history data through drag and drop of
hyperlinks to and from bookmarks
Reporter
Abdulrahman Alqabandi
Impact
moderate
Description
If a crafted hyperlink is dragged and dropped to the bookmark bar or sidebar
and the resulting bookmark is subsequently dragged and dropped into the web
content area, an arbitrary query of a user's browser history can be run and
transmitted to the content page via drop event data. This allows for the theft
of browser history by a malicious site.
References
o Bug 1543191
# CVE-2019-5798: Out-of-bounds read in Skia
Reporter
Tran Tien Hung of Viettel Cyber Security
Impact
moderate
Description
An out-of-bounds read can occur in the Skia library during path
transformations. This could result in the exposure of data stored in memory.
References
o Bug 1535518
# CVE-2019-9800: Memory safety bugs fixed in Firefox 67 and Firefox ESR 60.7
Reporter
Mozilla developers and community
Impact
critical
Description
Mozilla developers and community members Olli Pettay, Bogdan Tara, Jan de
Mooij, Jason Kratzer, Jan Varga, Gary Kwong, Tim Guan-tin Chien, Tyson Smith,
Ronald Crane, and Ted Campbell reported memory safety bugs present in Firefox
66 and Firefox ESR 60.6. Some of these bugs showed evidence of memory
corruption and we presume that with enough effort that some of these could be
exploited to run arbitrary code.
References
o Memory safety bugs fixed in Firefox 67 and Firefox ESR 60.7
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXOSY92aOgq3Tt24GAQgzdg//UM46ASbVoz1NvMLTXfuRjHdTRuyT//1w
CeiylJuDIh0h5nvd8xUmzj1qpycEfq9sbn7Ylls+/Z/KVecHb0HYOdNChDewgrpT
Zf048LXh/5XUC0GmsayZAc+2+edMdkFIGrfwTKzBt80UR2UumNmGVM+gN9+5c4GU
4ok0kXoA2no0XHa11oNq66VG0Yq6OtW7oytkXCAp711+gFydlLd9iIgPyJJMVvWt
L04aDSllrS4ayR6qtwVI1t0ijjkGq/RPpFFCGsSURvNSKD1FL0vDeCsGR3L4WrvJ
t8hdkbL3qCDc4ecODJtJgRchBurkFR9MuJxoVY2a3FgKv0727Z6D2XtHtKvZUUcl
nWkEb3qKHRwsIkZ9PrPppeNTBlVtQBCDuQ1ZpxYnmRVX6ZZsrr0qSwiEewfbZk7g
bsoba0wahdrjWSjN8X+GNJZfcIjzRfAmUqTyiChSg40ArWjM6H/mpVGcck21hxDb
D39KaoL/Wn53ktQbueIoohuGhLdIvPlPeAwRKTCkqQLH675Yc2Ylo5tsh6upMR7D
ZUhK09myU+bJ0EIezpgnayfqbUQmdoIy2jppvc/3BpnCW63wA4m298zpd9fsG9ys
eOb2Pw2y0es+2h4mqkB6Mlqsg7ohMNr1nhZzZr6RBJr6MdAfSsZygW8zzynWy6Yd
JA02nXROOis=
=lczU
-----END PGP SIGNATURE-----