Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT Security Bulletin
ASB-2018.0140
Mozilla Foundation Security Advisory 2018-17
27 June 2018
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Mozilla Firefox ESR
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Mobile Device
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Cross-site Request Forgery -- Remote with User Interaction
Denial of Service -- Remote with User Interaction
Access Confidential Data -- Remote with User Interaction
Reduced Security -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2018-12368 CVE-2018-12366 CVE-2018-12365
CVE-2018-12364 CVE-2018-12363 CVE-2018-12362
CVE-2018-12360 CVE-2018-12359 CVE-2018-5188
CVE-2018-5156
Member content until: Friday, July 27 2018
Reference: ASB-2018.0138
ASB-2018.0139
OVERVIEW
Multiple vulnerabilities have been identified in Mozilla Firefox ESR
prior to version 52.9. [1]
IMPACT
The vendor has provided the following information about the
vulnerabilities:
"CVE-2018-12359: Buffer overflow using computed size of canvas element
Reporter
Nils
Impact
critical
Description
A buffer overflow can occur when rendering canvas content while
adjusting the height and width of the <canvas> element dynamically,
causing data to be written outside of the currently computed
boundaries. This results in a potentially exploitable crash.
References
Bug 1459162
#CVE-2018-12360: Use-after-free when using focus()
Reporter
Nils
Impact
critical
Description
A use-after-free vulnerability can occur when deleting an input
element during a mutation event handler triggered by focusing that
element. This results in a potentially exploitable crash.
References
Bug 1459693
#CVE-2018-12362: Integer overflow in SSSE3 scaler
Reporter
F. Alonso (revskills)
Impact
high
Description
An integer overflow can occur during graphics operations done by the
Supplemental Streaming SIMD Extensions 3 (SSSE3) scaler, resulting in
a potentially exploitable crash.
References
Bug 1452375
#CVE-2018-5156: Media recorder segmentation fault when track type is
changed during capture
Reporter
Nils
Impact
high
Description
A vulnerability can occur when capturing a media stream when the media
source type is changed as the capture is occuring. This can result in
stream data being cast to the wrong type causing a potentially
exploitable crash.
References
Bug 1453127
#CVE-2018-12363: Use-after-free when appending DOM nodes
Reporter
Nils
Impact
high
Description
A use-after-free vulnerability can occur when script uses mutation
events to move DOM nodes between documents, resulting in the old node
that held the node being freed but the node still having a pointer
referencing it. This results in a potentially exploitable crash.
References
Bug 1464784
#CVE-2018-12364: CSRF attacks through 307 redirects and NPAPI plugins
Reporter
David Black
Impact
high
Description
NPAPI plugins, such as Adobe Flash, can send non-simple cross-origin
requests, bypassing CORS by making a same-origin POST that does a 307
redirect to the target site. This allows for a malicious site to
engage in cross-site request forgery (CSRF) attacks.
References
Bug 1436241
#CVE-2018-12365: Compromised IPC child process can list local
filenames
Reporter
Alex Gaynor
Impact
moderate
Description
A compromised IPC child process can escape the content sandbox and
list the names of arbitrary files on the file system without user
consent or interaction. This could result in exposure of private local
files.
References
Bug 1459206
#CVE-2018-12366: Invalid data handling during QCMS transformations
Reporter
OSS-Fuzz
Impact
moderate
Description
An invalid grid size during QCMS (color profile) transformations can
result in the out-of-bounds read interpreted as a float value. This
could leak private data into the output.
References
Bug 1464039
#CVE-2018-12368: No warning when opening executable SettingContent-ms
files
Reporter
Abdulrahman Alqabandi
Impact
moderate
Description
Windows 10 does not warn users before opening executable files with
the SettingContent-ms extension even when they have been downloaded
from the internet and have the "Mark of the Web." Without the warning,
unsuspecting users unfamiliar with this new file type might run an
unwanted executable. This also allows a WebExtension with the limited
downloads.open permission to execute arbitrary code without user
interaction on Windows 10 systems
Note: this issue only affects Windows operating systems. Other
operating systems are unaffected.
References
Bug 1468217
The Tale of SettingContent-ms Files
#CVE-2018-5188: Memory safety bugs fixed in Firefox 60, Firefox ESR
60.1, and Firefox ESR 52.9
Reporter
Mozilla developers and community
Impact
critical
Description
Mozilla developers and community members Alex Gaynor, Christoph Diehl,
Christian Holler, Jason Kratzer, David Major, Jon Coppeard, Nicolas B.
Pierron, Jason Kratzer, Marcia Knous, and Ronald Crane reported memory
safety bugs present in Firefox 60, Firefox ESR 60, and Firefox ESR
52.8. Some of these bugs showed evidence of memory corruption and we
presume that with enough effort that some of these could be exploited
to run arbitrary code.
References
Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, and Firefox
ESR 52.9" [1]
MITIGATION
Users are advised to update to Firefox ESR version 52.9 to address these
issues. [1]
REFERENCES
[1] Mozilla Foundation Security Advisory 2018-17
https://www.mozilla.org/en-US/security/advisories/mfsa2018-17
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBWzLSqmaOgq3Tt24GAQgnpBAAh9PinLgJSp/vKaJwtcxAw1tHmM+6X3wN
4+UY8ZEpB1dsgX03okuJJtfVQEJNB7/PnNWAcz41pDSDK2LJoQLZzxW/IY4H2Z4D
p8AtTk/lxAZs/wEHNufK+N/eikMQL6XgTatnyFLi48Sno49saLt2Na3h1sb6SiHr
TJ1UtxvECJ6UNSPPJC0Swtuy78eWH+9USTtZvIgSbWFGGRm+8xXJbJhQ0fCn2vXD
0Efj1pPM0LhCf0VFLq1mMHCiXQGuIpxN8I2wxl3xzDOAcjsTgUKz9RrW96jJ5IiC
WY2SloWHezFzA22Q9BwkROvaI4LHg9x9tsAwLsUG7uCnmK5EZiMg9fNC4qsskueD
6GeGDBn9nWBAfpPIe8+p7ZlXpYSNFOEmnyVAD8C1xk0ZRXok8NuUBCe+kHdcQ+vn
oOjRMc93wzN3aSZy3VF7BY3OuCdXA+Y1NOo4YVrROQQ0ECCsm7o0YOTWNNHtDCfF
rN62R9s4xn9Xe/w8xS+EsDSKEeSmOkk9akw6FqS71/Zkxd3goNZtb4w6FcxgV5CF
0geQ5VYzTDK5uLSDuCt7TGbEkdOcXrF52/1kWYKaqQOyqb+RsvY0c8UOPrB5ox+3
46PbY8Lh3uCSAqZFv92QIn+/ZitbjSAsgKQWBiqdrB0mLdNYwXRk5p4jGVSvQkAm
Q+sZ2xoJLuM=
=b6CZ
-----END PGP SIGNATURE-----