Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT Security Bulletin ASB-2018.0138 Mozilla Foundation Security Advisory 2018-15 27 June 2018 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Mozilla Firefox Operating System: UNIX variants (UNIX, Linux, OSX) Windows Mobile Device Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction Cross-site Request Forgery -- Remote with User Interaction Denial of Service -- Remote with User Interaction Access Confidential Data -- Remote with User Interaction Reduced Security -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2018-12371 CVE-2018-12370 CVE-2018-12369 CVE-2018-12368 CVE-2018-12367 CVE-2018-12366 CVE-2018-12365 CVE-2018-12364 CVE-2018-12363 CVE-2018-12362 CVE-2018-12361 CVE-2018-12360 CVE-2018-12359 CVE-2018-12358 CVE-2018-5188 CVE-2018-5187 CVE-2018-5186 CVE-2018-5156 Member content until: Friday, July 27 2018 OVERVIEW Multiple vulnerabilities have been identified in Mozilla Firefox prior to version 61. [1] IMPACT The vendor has provided the following information about the vulnerabilities: "#CVE-2018-12359: Buffer overflow using computed size of canvas element Reporter Nils Impact critical Description A buffer overflow can occur when rendering canvas content while adjusting the height and width of the <canvas> element dynamically, causing data to be written outside of the currently computed boundaries. This results in a potentially exploitable crash. References Bug 1459162 #CVE-2018-12360: Use-after-free when using focus() Reporter Nils Impact critical Description A use-after-free vulnerability can occur when deleting an input element during a mutation event handler triggered by focusing that element. This results in a potentially exploitable crash. References Bug 1459693 #CVE-2018-12361: Integer overflow in SwizzleData Reporter R Impact critical Description An integer overflow can occur in the SwizzleData code while calculating buffer sizes. The overflowed value is used for subsequent graphics computations when their inputs are not sanitized which results in a potentially exploitable crash. References Bug 1463244 #CVE-2018-12358: Same-origin bypass using service worker and redirection Reporter Ben Kelly Impact high Description Service workers can use redirection to avoid the tainting of cross-origin resources in some instances, allowing a malicious site to read responses which are supposed to be opaque. References Bug 1467852 #CVE-2018-12362: Integer overflow in SSSE3 scaler Reporter F. Alonso (revskills) Impact high Description An integer overflow can occur during graphics operations done by the Supplemental Streaming SIMD Extensions 3 (SSSE3) scaler, resulting in a potentially exploitable crash. References Bug 1452375 #CVE-2018-5156: Media recorder segmentation fault when track type is changed during capture Reporter Nils Impact high Description A vulnerability can occur when capturing a media stream when the media source type is changed as the capture is occuring. This can result in stream data being cast to the wrong type causing a potentially exploitable crash. References Bug 1453127 #CVE-2018-12363: Use-after-free when appending DOM nodes Reporter Nils Impact high Description A use-after-free vulnerability can occur when script uses mutation events to move DOM nodes between documents, resulting in the old document that held the node being freed but the node still having a pointer referencing it. This results in a potentially exploitable crash. References Bug 1464784 #CVE-2018-12364: CSRF attacks through 307 redirects and NPAPI plugins Reporter David Black Impact high Description NPAPI plugins, such as Adobe Flash, can send non-simple cross-origin requests, bypassing CORS by making a same-origin POST that does a 307 redirect to the target site. This allows for a malicious site to engage in cross-site request forgery (CSRF) attacks. References Bug 1436241 #CVE-2018-12365: Compromised IPC child process can list local filenames Reporter Alex Gaynor Impact moderate Description A compromised IPC child process can escape the content sandbox and list the names of arbitrary files on the file system without user consent or interaction. This could result in exposure of private local files. References Bug 1459206 #CVE-2018-12371: Integer overflow in Skia library during edge builder allocation Reporter anonymous Impact moderate Description An integer overflow vulnerability in the Skia library when allocating memory for edge builders on some systems with at least 16 GB of RAM. This results in the use of uninitialized memory, resulting in a potentially exploitable crash. References Bug 1465686 #CVE-2018-12366: Invalid data handling during QCMS transformations Reporter OSS-Fuzz Impact moderate Description An invalid grid size during QCMS (color profile) transformations can result in the out-of-bounds read interpreted as a float value. This could leak private data into the output. References Bug 1464039 #CVE-2018-12367: Timing attack mitigation of PerformanceNavigationTiming Reporter Andrea Marchesini Impact moderate Description In the previous mitigations for Spectre, the resolution or precision of various methods was reduced to counteract the ability to measure precise time intervals. In that work, PerformanceNavigationTiming was not adjusted but it was found that it could be used as a precision timer. References Bug 1462891 #CVE-2018-12368: No warning when opening executable SettingContent-ms files Reporter Abdulrahman Alqabandi Impact moderate Description Windows 10 does not warn users before opening executable files with the SettingContent-ms extension even when they have been downloaded from the internet and have the "Mark of the Web." Without the warning, unsuspecting users unfamiliar with this new file type might run an unwanted executable. This also allows a WebExtension with the limited downloads.open permission to execute arbitrary code without user interaction on Windows 10 systems Note: this issue only affects Windows operating systems. Other operating systems are unaffected. References Bug 1468217 The Tale of SettingContent-ms Files #CVE-2018-12369: WebExtension security permission checks bypassed by embedded experiments Reporter Jonathan Kingston Impact moderate Description WebExtensions bundled with embedded experiments were not correctly checked for proper authorization. This allowed a malicious WebExtension to gain full browser permissions. References Bug 1454909 #CVE-2018-12370: SameSite cookie protections bypassed when exiting Reader View Reporter Jun Kokatsu Impact low Description In Reader View SameSite cookie protections are not checked on exiting. This allows for a payload to be triggered when Reader View is exited if loaded by a malicious site while Reader mode is active, bypassing CSRF protections. References Bug 1456652 #CVE-2018-5186: Memory safety bugs fixed in Firefox 61 Reporter Mozilla developers and community Impact critical Description Mozilla developers and community members Christian Holler, Jason Kratzer, Jon Coppeard, Randell Jesup, Ronald Crane, and Boris Zbarsky reported memory safety bugs present in Firefox 60. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. References Memory safety bugs fixed in Firefox 61 #CVE-2018-5187: Memory safety bugs fixed in Firefox 60 and Firefox ESR 60.1 Reporter Mozilla developers and community Impact critical Description Mozilla developers and community members Christian Holler, Sebastian Hengst, Nils Ohlmeier, Jon Coppeard, Randell Jesup, Ted Campbell, Gary Kwong, and Jean-Yves Avenard reported memory safety bugs present in Firefox 60 and Firefox ESR 60. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. References Memory safety bugs fixed in Firefox 61 and Firefox ESR 60.1 #CVE-2018-5188: Memory safety bugs fixed in Firefox 60, Firefox ESR 60.1, and Firefox ESR 52.9 Reporter Mozilla developers and community Impact critical Description Mozilla developers and community members Alex Gaynor, Christoph Diehl, Christian Holler, Jason Kratzer, David Major, Jon Coppeard, Nicolas B. Pierron, Jason Kratzer, Marcia Knous, and Ronald Crane reported memory safety bugs present in Firefox 60, Firefox ESR 60, and Firefox ESR 52.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. References Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, and Firefox ESR 52.9" [1] MITIGATION Users are advised to update to Firefox version 61 to address these issues. [1] REFERENCES [1] Mozilla Foundation Security Advisory 2018-15 https://www.mozilla.org/en-US/security/advisories/mfsa2018-15/ AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBWzLSdWaOgq3Tt24GAQi+BA/+LyjS0RZzhb399/8Ik/22J5/cD9LoQVMF DaCp1xbefdZ01ypfFnSGt95SH4Ezb/DZ9stO4kKFXOjWZGr7ofz1/OwQFJ2zzfbV UsrDiFgLm92CpN/zPGHLoAvHzY+SPrnJVsPs8i3ZTgQOyUVNPRDOf00sDHFWtsS4 x9ZLIOkVB2+Oe/eDt5iEm9P3MOTP3KI/cCrPjO8AO7YRyQ3xR1uVcKFXa4O7H4v7 tYGsyGw6xyk2EYawXH7RZMpRM1O7jGqHKl2jziln4yvMi8rbAdqXxewKaddpT3IJ Sl8Wg7o6+NcAdv0XQQpfdNOO8rJ/ZsjBp277zdFOMNY1zsLAit3t8mfvz1G1tgpS ChgLtcY7x/wPi+d5WkKj4Xy3/0tpVLkH61Ct2aAPbcDR65wbOzhXY1qW1QVF9xrC 0EtCIf0sgz3k1x1DG+J18JWW7iXboOHojEydqnsJYKjXaUOhvP4hZjKullxM2jxo ndt4ID2qOSQgp3wZT9/cLTAwVLvnMqZthor5Jo2uh8CDlhdTHatt1lvwDu3fYGzU 3HNfcbZVQp+2hNxIquqdfTReXT6TuXoQFG4VqESzGP8+vmrzgP7Rqm1mMmRJKbYv qDI6Gzo9dItT7zZcpMviGGfcmNaDngOSOJ5p01YrtHJNb+9RIWG26ki1hN0prYkO SRMftf2lsT4= =WKyy -----END PGP SIGNATURE-----