-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2018.0036
   Multiple vulnerabilities have been identified in Mozilla Firefox ESR
                              24 January 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Mozilla Firefox ESR
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Access Privileged Data          -- Remote with User Interaction
                      Create Arbitrary Files          -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Provide Misleading Information  -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2018-5117 CVE-2018-5104 CVE-2018-5103
                      CVE-2018-5102 CVE-2018-5099 CVE-2018-5098
                      CVE-2018-5097 CVE-2018-5095 CVE-2018-5091
                      CVE-2018-5089  
Member content until: Friday, February 23 2018

OVERVIEW

        Multiple critical vulnerabilities have been identified in Mozilla 
        Firefox ESR prior to version 52.6 and Mozilla Firefox prior to 
        version 58. [1,2]


IMPACT

        Mozilla have provided the following details regarding the 
        vulnerabilities:
        
        Vulnerabilities common to Firefox and Firefox ESR:
        
        "CVE-2018-5091: Use-after-free with DTMF timers
        
        REPORTER Looben Yang
        
        IMPACT CRITICAL
        
        Description
        
        A use-after-free vulnerability can occur during WebRTC connections 
        when interacting with the DTMF timers. This results in a potentially
        exploitable crash." [1,2]
        
        "CVE-2018-5092: Use-after-free in Web Workers
        
        REPORTER Looben Yang
        
        IMPACT HIGH
        
        Description
        
        A use-after-free vulnerability can occur when the thread for a Web 
        Worker is freed from memory prematurely instead of from memory in 
        the main thread while cancelling fetch operations." [2]
        
        "CVE-2018-5093: Buffer overflow in WebAssembly during Memory/Table 
        resizing
        
        REPORTER OSS-Fuzz
        
        IMPACT HIGH
        
        Description
        
        A heap buffer overflow vulnerability may occur in WebAssembly during
        Memory/Table resizing, resulting in a potentially exploitable 
        crash." [2]
        
        "CVE-2018-5094: Buffer overflow in WebAssembly with garbage 
        collection on uninitialized memory
        
        REPORTER OSS-Fuzz
        
        IMPACT HIGH
        
        Description
        
        A heap buffer overflow vulnerability may occur in WebAssembly when 
        shrinkElements is called followed by garbage collection on memory 
        that is now uninitialized. This results in a potentially exploitable
        crash." [2]
        
        "CVE-2018-5095: Integer overflow in Skia library during edge builder
        allocation
        
        REPORTER Anonymous
        
        IMPACT HIGH
        
        Description
        
        An integer overflow vulnerability in the Skia library when 
        allocating memory for edge builders on some systems with at least 8
        GB of RAM. This results in the use of uninitialized memory, 
        resulting in a potentially exploitable crash." [1,2]
        
        "CVE-2018-5096: Use-after-free while editing form elements
        
        REPORTER Nils
        
        IMPACT HIGH
        
        Description
        
        A use-after-free vulnerability can occur while editing events in 
        form elements on a page, resulting in a potentially exploitable 
        crash." [1]
        
        "CVE-2018-5097: Use-after-free when source document is manipulated 
        during XSLT
        
        REPORTER Nils
        
        IMPACT HIGH
        
        Description
        
        A use-after-free vulnerability can occur during XSL transformations
        when the source document for the transformation is manipulated by 
        script content during the transformation. This results in a 
        potentially exploitable crash." [1,2]
        
        "CVE-2018-5098: Use-after-free while manipulating form input 
        elements
        
        REPORTER Nils
        
        IMPACT HIGH
        
        Description
        
        A use-after-free vulnerability can occur when form input elements, 
        focus, and selections are manipulated by script content. This 
        results in a potentially exploitable crash." [1,2]
        
        "CVE-2018-5099: Use-after-free with widget listener
        
        REPORTER Nils
        
        IMPACT HIGH
        
        Description
        
        A use-after-free vulnerability can occur when the widget listener is
        holding strong references to browser objects that have previously 
        been freed, resulting in a potentially exploitable crash when these
        references are used." [1,2]
        
        "CVE-2018-5100: Use-after-free when IsPotentiallyScrollable 
        arguments are freed from memory
        
        REPORTER Nils
        
        IMPACT HIGH
        
        Description
        
        A use-after-free vulnerability can occur when arguments passed to 
        the IsPotentiallyScrollable function are freed while still in use by
        scripts. This results in a potentially exploitable crash." [2]
        
        "CVE-2018-5101: Use-after-free with floating first-letter style 
        elements
        
        REPORTER Nils
        
        IMPACT HIGH
        
        Description
        
        A use-after-free vulnerability can occur when manipulating floating
        first-letter style elements, resulting in a potentially exploitable
        crash." [2]
        
        
        "CVE-2018-5102: Use-after-free in HTML media elements
        
        REPORTER Nils
        
        IMPACT HIGH
        
        Description
        
        A use-after-free vulnerability can occur when manipulating HTML 
        media elements with media streams, resulting in a potentially 
        exploitable crash." [1,2]
        
        "CVE-2018-5103: Use-after-free during mouse event handling
        
        REPORTER Nils
        
        IMPACT HIGH
        
        Description
        
        A use-after-free vulnerability can occur during mouse event handling
        due to issues with multiprocess support. This results in a 
        potentially exploitable crash." [1,2]
        
        "CVE-2018-5104: Use-after-free during font face manipulation
        
        REPORTER Nils
        
        IMPACT HIGH
        
        Description
        
        A use-after-free vulnerability can occur during font face 
        manipulation when a font face is freed while still in use, resulting
        in a potentially exploitable crash." [1,2]
        
        "CVE-2018-5105: WebExtensions can save and execute files on local 
        file system without user prompts
        
        REPORTER Rob Wu
        
        IMPACT HIGH
        
        Description
        
        WebExtensions can bypass user prompts to first save and then open an
        arbitrarily downloaded file. This can result in an executable file 
        running with local user privileges without explicit user consent." 
        [2]
        
        "CVE-2018-5106: Developer Tools can expose style editor information
        cross-origin through service worker
        
        REPORTER Jun Kokatsu
        
        IMPACT MODERATE
        
        Description
        
        Style editor traffic in the Developer Tools can be routed through a
        service worker hosted on a third party website if a user selects 
        error links when these tools are open. This can allow style editor 
        information used within Developer Tools to leak cross-origin." [2]
        
        "CVE-2018-5107: Printing process will follow symlinks for local file
        access
        
        REPORTER Alex Gaynor
        
        IMPACT MODERATE
        
        Description
        
        The printing process can bypass local access protections to read 
        files available through symlinks, bypassing local file restrictions.
        The printing process requires files in a specific format so 
        arbitrary data cannot be read but it is possible that some local 
        file information could be exposed." [2]
        
        "CVE-2018-5108: Manually entered blob URL can be accessed by 
        subsequent private browsing tabs
        
        REPORTER Andrea Marchesini
        
        IMPACT MODERATE
        
        Description
        
        A Blob URL can violate origin attribute segregation, allowing it to
        be accessed from a private browsing tab and for data to be passed 
        between the private browsing tab and a normal tab. This could allow
        for the leaking of private information specific to the private 
        browsing context. This issue is mitigated by the requirement that 
        the user enter the Blob URL manually in order for the access 
        violation to occur." [2]
        
        "CVE-2018-5109: Audio capture prompts and starts with incorrect 
        origin attribution
        
        REPORTER Andreas Pehrson
        
        IMPACT MODERATE
        
        Description
        
        An audio capture session can started under an incorrect origin from
        the site making the capture request. Users are still prompted to 
        allow the request but the prompt can display the wrong origin, 
        leading to user confusion about which site is making the request to
        capture an audio stream." [2]
        
        "CVE-2018-5110: Cursor can be made invisible on OS X REPORTER Ron 
        Warholic IMPACT MODERATE
        
        Description
        
        If cursor visibility is toggled by script using from 'none' to an 
        image and back through script, the cursor will be rendered 
        temporarily invisible within Firefox.
        
        Note: This vulnerability only affects OS X. Other operating systems
        are not affected." [2]
        
        "CVE-2018-5111: URL spoofing in addressbar through drag and drop 
        REPORTER Mario Gomes IMPACT MODERATE
        
        Description
        
        When the text of a specially formatted URL is dragged to the 
        addressbar from page content, the displayed URL can be spoofed to 
        show a different site than the one loaded. This allows for phishing
        attacks where a malicious page can spoof the identify of another 
        site." [2]
        
        "CVE-2018-5112: Extension development tools panel can open a 
        non-relative URL in the panel
        
        REPORTER Abdulrahman Alqabandi
        
        IMPACT MODERATE
        
        Description
        
        Development Tools panels of an extension are required to load URLs 
        for the panels as relative URLs from the extension manifest file but
        this requirement was not enforced in all instances. This could allow
        the development tools panel for the extension to load a URL that it
        should not be able to access, including potentially privileged 
        pages." [2]
        
        "CVE-2018-5113: WebExtensions can load non-HTTPS pages with 
        browser.identity.launchWebAuthFlow
        
        REPORTER Abdulrahman Alqabandi
        
        IMPACT MODERATE
        
        Description
        
        The browser.identity.launchWebAuthFlow function of WebExtensions is
        only allowed to load content over https: but this requirement was 
        not properly enforced. This can potentially allow privileged pages 
        to be loaded by the extension." [2]
        
        "CVE-2018-5114: The old value of a cookie changed to HttpOnly 
        remains accessible to scripts
        
        REPORTER Inkognito
        
        IMPACT MODERATE
        
        Description
        
        If an existing cookie is changed to be HttpOnly while a document is
        open, the original value remains accessible through script until 
        that document is closed. Network requests correctly use the changed
        HttpOnly cookie." [2]
        
        "CVE-2018-5115: Background network requests can open HTTP 
        authentication in unrelated foreground tabs
        
        REPORTER Jerry Decime
        
        IMPACT MODERATE
        
        Description
        
        If an HTTP authentication prompt is triggered by a background 
        network request from a page or extension, it is displayed over the 
        currently loaded foreground page. Although the prompt contains the 
        real domain making the request, this can result in user confusion 
        about the originating site of the authentication request and may 
        cause users to mistakenly send private credential information to a 
        third party site." [2]
        
        "CVE-2018-5116: WebExtension ActiveTab permission allows 
        cross-origin frame content access
        
        REPORTER Ronen Zilberman
        
        IMPACT MODERATE
        
        Description
        
        WebExtensions with the ActiveTab permission are able to access 
        frames hosted within the active tab even if the frames are 
        cross-origin. Malicious extensions can inject frames from arbitrary
        origins into the loaded page and then interact with them, bypassing
        same-origin user expectations with this permission." [2]
        
        "CVE-2018-5117: URL spoofing with right-to-left text aligned 
        left-to-right
        
        REPORTER Xisigr
        
        IMPACT MODERATE
        
        Description
        
        If right-to-left text is used in the addressbar with left-to-right 
        alignment, it is possible in some circumstances to scroll this text
        to spoof the displayed URL. This issue could result in the wrong URL
        being displayed as a location, which can mislead users to believe 
        they are on a different site than the one loaded." [1,2]
        
        "CVE-2018-5118: Activity Stream images can attempt to load local 
        content through file:
        
        REPORTER Paul Theriault
        
        IMPACT MODERATE
        
        Description
        
        The screenshot images displayed in the Activity Stream page 
        displayed when a new tab is opened is created from the meta tags of
        websites. An issue was discovered where the page could attempt to 
        create these images through file: URLs from the local file system. 
        This loading is blocked by the sandbox but could expose local data 
        if combined with another attack that escapes sandbox protections." 
        [2]
        
        "CVE-2018-5119: Reader view will load cross-origin content in 
        violation of CORS headers
        
        REPORTER Jun Kokatsu
        
        IMPACT LOW
        
        Description
        
        The reader view will display cross-origin content when CORS headers
        are set to prohibit the loading of cross-origin content by a site. 
        This could allow access to content that should be restricted in 
        reader view." [2]
        
        "CVE-2018-5121: OS X Tibetan characters render incompletely in the 
        addressbar
        
        REPORTER Khalil Zhani
        
        IMPACT LOW
        
        Description
        
        Low descenders on some Tibetan characters in several fonts on OS X 
        are clipped when rendered in the addressbar. When used as part of an
        Internationalized Domain Name (IDN) this can be used for domain name
        spoofing attacks.
        
        Note: This attack only affects OS X operating systems. Other 
        operating systems are unaffected." [2]
        
        "CVE-2018-5122: Potential integer overflow in DoCrypt
        
        REPORTER Casper of Tencent's Xuanwu Lab
        
        IMPACT LOW
        
        Description
        
        A potential integer overflow in the DoCrypt function of WebCrypto 
        was identified. If a means was found of exploiting it, it could 
        result in an out-of-bounds write." [2]
        
        "CVE-2018-5089: Memory safety bugs fixed in Firefox 58 and Firefox 
        ESR 52.6
        
        REPORTER Mozilla developers and community
        
        IMPACT CRITICAL
        
        Description
        
        Mozilla developers and community members Christian Holler, Jason 
        Kratzer, Marcia Knous, Nathan Froyd, Oriol Brufau, Ronald Crane, 
        Randell Jesup, Tyson Smith, Emilio Cobos Alvarez, Ryan VanderMeulen,
        Sebastian Hengst, Karl Tomlinson, Xidorn Quan, Ludovic Hirlimann, 
        and Jason Orendorff reported memory safety bugs present in Firefox 
        57 and Firefox ESR 52.5. Some of these bugs showed evidence of 
        memory corruption and we presume that with enough effort that some 
        of these could be exploited to run arbitrary code." [1,2]
        
        "CVE-2018-5090: Memory safety bugs fixed in Firefox 58
        
        REPORTER Mozilla developers and community
        
        IMPACT CRITICAL
        
        Description
        
        Mozilla developers and community members Calixte Denizet, Christian
        Holler, Alex Gaynor, Yoshi Huang, Bob Clary, Nils Ohlmeier, Jason 
        Kratzer, Jesse Ruderman, Philipp, Mike Taylor, Marcia Knous, Paul 
        Adenot, Randell Jesup, JW Wang, Tyson Smith, Emilio Cobos Alvarez, 
        Ted Campbell, Stephen Fewer, and Tristan Bourvon reported memory 
        safety bugs present in Firefox 57. Some of these bugs showed 
        evidence of memory corruption and we presume that with enough effort
        that some of these could be exploited to run arbitrary code." [2]


MITIGATION

        User are advised to update to the latest versions to address these 
        issues. [1,2]


REFERENCES

        [1] Mozilla Foundation Security Advisory 2018-03
            https://www.mozilla.org/en-US/security/advisories/mfsa2018-03/

        [2] Mozilla Foundation Security Advisory 2018-02
            https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWmf1kox+lLeg9Ub1AQhRBQ//cbekKmfRaVmi82goz76WFI5lMsFvEOMN
V87DEZYpa2O7aQLIyk4O5L1R4D4DE4wAizRfgOr+D3wVDBPjFOmGS6vFWXJNizFp
py2g5z7QUX7aloIUIjVirAkP282I0gB2HdgjPQvNHVeUHXOTc3LHc72nsROrUux5
lZzCW3lb00667LWGlPpqpPO1Qmjr0yvCPMKTyISmnkMAjTlyq6mYAADO/xfr/lle
ftEaoYgqVEJytSgdBr6T8hy3wr37FIh1DjXprFEPj+1cthmDskyTwDlcI01oqyH3
fLA33NB+TjaJg5dmzuCYONqm2giVusXkvUIAR39MqN8qrr1DT00OH8mpnYqH0Q0P
MEgG1ZFpZ5DuRiT2B+oKCSZuOJ6jm5yGJITTffTRhLSNJ2wSEo3M8ozXt/L0V9Jv
Aq2Guyqb5n31aXYzfMcLQ5lveXhimRDK8fl0jl+ME89aYyYo00eXTlUKjkQhXfDG
zjTx1QnoO9drr6fgaSO5a01m2zadTBOP0/NZi7Jiy6GPUvYKfCpRgVd5bpcpFOIY
t89k1mnaU54uv4yBWxzcEhV3wM06QjJNB7yOV1T6BOajHBeY30Vy0gedsiyjV6G9
LEpQuh40SIpRSp6ZBQtQtCfyzLEppCCqRU1gfXJArwvWyjKPsuXW0F/WH9TIZEmo
O2oWzQndNw4=
=+KNM
-----END PGP SIGNATURE-----