-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                   AUSCERT Security Bulletin ASB-2018.0275
  Multiple vulnerabilities have been identified in Mozilla Thunderbird ESR
                              1 November 2018
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Mozilla Thunderbird
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
                      BSD variants
                      Android
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Unauthorised Access             -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2018-12393 CVE-2018-12392 CVE-2018-12391
                      CVE-2018-12390 CVE-2018-12389
Member content until: Saturday, December 1 2018
Reference:            ESB-2018.3275
                      ESB-2018.3262
                      ASB-2018.0270.2

OVERVIEW

        Multiple vulnerabilities have been identified in Mozilla Thunderbird
        ESR prior to version 60.3. [1]

IMPACT

        Mozilla have provided the following details regarding the
        vulnerabilities:

        "#CVE-2018-12391: HTTP Live Stream audio data is accessible cross-origin

        Reporter: Jun Kokatsu
        Impact:   high

        Description
        During HTTP Live Stream playback on Firefox for Android, audio data
        can be accessed across origins in violation of security policies.
        Because the problem is in the underlying Android service, this issue
        is addressed by treating all HLS streams as cross-origin and opaque
        to access.
        Note: this issue only affects Firefox for Android. Desktop versions
        of Firefox are unaffected.

        References
        Bug 1478843

        #CVE-2018-12392: Crash with nested event loops

        Reporter: Nils
        Impact:   high

        Description
        When manipulating user events in nested loops while opening a
        document through script, it is possible to trigger a potentially
        exploitable crash due to poor event handling.
        References
        Bug 1492823

        #CVE-2018-12393: Integer overflow during Unicode conversion while loading JavaScript

        Reporter: r
        Impact:   high

        Description
        A potential vulnerability was found in 32-bit builds where an integer
        overflow during the conversion of scripts to an internal UTF-16
        representation could result in allocating a buffer too small for the
        conversion. This leads to a possible out-of-bounds write.
        Note: 64-bit builds are not vulnerable to this issue.

        References
        Bug 1495011

        #CVE-2018-12389: Memory safety bugs fixed in Firefox ESR 60.3 and Thunderbird 60.3

        Reporter: Mozilla developers and community
        Impact:   low

        Description
        Mozilla developers and community members Daniel Veditz and Philipp
        reported memory safety bugs present in Firefox ESR 60.2. Some of
        these bugs showed evidence of memory corruption and we presume that
        with enough effort some of these could be exploited to run arbitrary
        code.

        References
        Memory safety bugs fixed in Firefox ESR 60.3 and Thunderbird 60.3

        #CVE-2018-12390: Memory safety bugs fixed in Firefox 63, Firefox ESR 60.3, and Thunderbird 60.3

        Reporter: Mozilla developers and community
        Impact:   critical

        Description
        Mozilla developers and community members Christian Holler, Bob Owen,
        Boris Zbarsky, Calixte Denizet, Jason Kratzer, Jed Davis, Taegeon Lee,
        Philipp, Ronald Crane, Raul Gurzau, Gary Kwong, Tyson Smith, Raymond
        Forbes, and Bogdan Tara reported memory safety bugs present in
        Firefox 62 and Firefox ESR 60.2. Some of these bugs showed evidence
        of memory corruption and we presume that with enough effort some of
        these could be exploited to run arbitrary code.

        References
        Memory safety bugs fixed in Firefox 63, Firefox ESR 60.3, and
        Thunderbird 60.3" [1]

MITIGATION

        Mozilla recommends users upgrade to the latest version to address
        these issues. [1]
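The sizing flaw described for CVE-2018-12393 is a general class of defect: a code-unit count multiplied by the size of a UTF-16 unit wraps in 32-bit size arithmetic, so the allocation is smaller than the data later written into it. The C below is an added illustration of that class and of the check that prevents it; it is not Mozilla's code, and it uses uint32_t to stand in for a 32-bit size_t so the wrap reproduces on any host.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added illustration of the CVE-2018-12393 bug class; not Mozilla code.
 * uint32_t models a 32-bit size_t so the wrap reproduces on 64-bit hosts. */
#define UTF16_UNIT_BYTES 2u

/* Unchecked sizing: the product wraps modulo 2^32 once the unit count
 * reaches 2^31, so a huge input yields a tiny byte count and the later
 * conversion writes past the end of the allocation. */
uint32_t utf16_bytes_unchecked(uint32_t units) {
    return units * UTF16_UNIT_BYTES;
}

/* Checked sizing: returns the byte count, or -1 when it cannot be
 * represented in 32 bits. Callers must treat -1 as an allocation failure. */
int64_t utf16_bytes_checked(uint32_t units) {
    if (units > UINT32_MAX / UTF16_UNIT_BYTES) return -1;
    return (int64_t)units * UTF16_UNIT_BYTES;
}

/* Widen a Latin-1 byte string to UTF-16 code units in a buffer sized by the
 * checked computation. Returns units written, or -1 (with *out = NULL) when
 * the size check or malloc fails. */
long latin1_to_utf16(const uint8_t *src, uint32_t len, uint16_t **out) {
    int64_t bytes = utf16_bytes_checked(len);
    *out = NULL;
    if (bytes < 0) return -1;
    *out = (uint16_t *)malloc(bytes > 0 ? (size_t)bytes : 1);
    if (*out == NULL) return -1;
    for (uint32_t i = 0; i < len; i++) (*out)[i] = (uint16_t)src[i];
    return (long)len;
}

int main(void) {
    uint32_t huge = 0x80000001u;  /* 2^31 + 1 code units */
    printf("unchecked: %u units -> %u bytes (wrapped)\n",
           huge, utf16_bytes_unchecked(huge));            /* 2 bytes */
    printf("checked:   %u units -> %lld\n",
           huge, (long long)utf16_bytes_checked(huge));   /* -1 */
    const uint8_t sample[] = {0x63, 0x61, 0x66, 0xE9};    /* constructed "café" */
    uint16_t *buf;
    long n = latin1_to_utf16(sample, 4, &buf);
    printf("converted %ld units, last = U+%04X\n", n, buf[3]); /* U+00E9 */
    free(buf);
    return 0;
}
```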
REFERENCES

        [1] Mozilla Foundation Security Advisory 2018-28
            https://www.mozilla.org/en-US/security/advisories/mfsa2018-28/

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures.

AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----