===========================================================================
AUSCERT Security Bulletin

ASB-2018.0063
Use-after-free in compositor
27 March 2018
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:              Mozilla Firefox
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2018-5148
Member content until: Thursday, April 26 2018

OVERVIEW

A critical vulnerability has been identified in compositor in:

 o Mozilla Firefox prior to version 59.0.2, and
 o Mozilla Firefox ESR prior to version 52.7.3 [1]

IMPACT

Mozilla have provided the following details regarding the vulnerability:

"Use-after-free in compositor

 Announced   March 26, 2018
 Fixed in    Firefox 59.0.2, Firefox ESR 52.7.3

 #CVE-2018-5148: Use-after-free in compositor

 Reporter    Jesse Schwartzentruber
 Impact      high

 Description

 A use-after-free vulnerability can occur in the compositor during certain
 graphics operations when a raw pointer is used instead of a reference
 counted one. This results in a potentially exploitable crash." [1]

MITIGATION

Users are advised to update to the latest versions to address these
issues. [1]

REFERENCES

[1] Mozilla Foundation Security Advisory 2018-10
    https://www.mozilla.org/en-US/security/advisories/mfsa2018-10/

AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
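
The IMPACT description attributes the flaw to a raw pointer used where a reference-counted one was needed. The following is an added illustration of that bug class and its fix, not code from Mozilla or AusCERT: `Layer`, `LayerTree` and both functions are hypothetical names, and `std::shared_ptr` stands in for whatever reference-counting scheme a code base uses. The object's lifetime is observed through a live-object counter, so the dangling pointer is never dereferenced.

```cpp
#include <algorithm>
#include <memory>
#include <vector>

// Hypothetical stand-ins for illustration; not Firefox types.
struct Layer {
    static int live;  // number of Layer objects currently alive
    int id;
    explicit Layer(int i) : id(i) { ++live; }
    ~Layer() { --live; }
};
int Layer::live = 0;

struct LayerTree {
    std::vector<std::shared_ptr<Layer>> layers;
    // An operation that drops the tree's reference as a side effect.
    void Remove(int id) {
        layers.erase(std::remove_if(layers.begin(), layers.end(),
            [id](const std::shared_ptr<Layer>& l) { return l->id == id; }),
            layers.end());
    }
};

// Unsafe pattern: borrow a raw pointer, then run code that releases the owner.
// Returns whether the pointed-to object is still alive at the point of use.
bool RawPointerTargetAlive() {
    LayerTree tree;
    tree.layers.push_back(std::make_shared<Layer>(1));
    Layer* raw = tree.layers[0].get();  // no reference taken
    tree.Remove(1);                     // last reference dropped, Layer freed
    (void)raw;                          // any dereference here is a use-after-free
    return Layer::live == 1;            // false: the object is gone
}

// Safe pattern: hold a counted reference for as long as the object is used.
bool CountedReferenceTargetAlive() {
    LayerTree tree;
    tree.layers.push_back(std::make_shared<Layer>(1));
    std::shared_ptr<Layer> strong = tree.layers[0];  // count is now 2
    tree.Remove(1);                                  // count drops to 1
    return Layer::live == 1 && strong->id == 1;      // true: still valid
}

int main() {
    bool ok = !RawPointerTargetAlive() && CountedReferenceTargetAlive();
    return ok ? 0 : 1;
}
```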