-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2018.0275
 Multiple vulnerabilities have been identified in Mozilla Thunderbird ESR
                              1 November 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Mozilla Thunderbird
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
                      BSD variants
                      Android
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Unauthorised Access             -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2018-12393 CVE-2018-12392 CVE-2018-12391
                      CVE-2018-12390 CVE-2018-12389 
Member content until: Saturday, December  1 2018
Reference:            ESB-2018.3275
                      ESB-2018.3262
                      ASB-2018.0270.2

OVERVIEW

        Multiple vulnerabilities have been identified in Mozilla Thunderbird
        ESR prior to version 60.3. [1]


IMPACT

        Mozilla have provided the following details regarding the 
        vulnerabilities:
        
        "#CVE-2018-12391: HTTP Live Stream audio data is accessible 
        cross-origin
        
        Reporter
        
        Jun Kokatsu
        
        Impact
        
        high
        
        Description
        
        During HTTP Live Stream playback on Firefox for Android, audio data
        can be accessed across origins in violation of security policies. 
        Because the problem is in the underlying Android service, this issue
        is addressed by treating all HLS streams as cross-origin and opaque
        to access.
        
        Note: this issue only affects Firefox for Android. Desktop versions
        of Firefox are unaffected.
        
        References
        
        Bug 1478843
        
        #CVE-2018-12392: Crash with nested event loops
        
        Reporter
        
        Nils
        
        Impact
        
        high
        
        Description
        
        When manipulating user events in nested loops while opening a 
        document through script, it is possible to trigger a potentially 
        exploitable crash due to poor event handling.
        
        References
        
        Bug 1492823
        
        #CVE-2018-12393: Integer overflow during Unicode conversion while 
        loading JavaScript
        
        Reporter
        
        r
        
        Impact
        
        high
        
        Description
        
        A potential vulnerability was found in 32-bit builds where an 
        integer overflow during the conversion of scripts to an internal 
        UTF-16 representation could result in allocating a buffer too small
        for the conversion. This leads to a possible out-of-bounds write.
        
        Note: 64-bit builds are not vulnerable to this issue.
        
        References
        
        Bug 1495011
        
        #CVE-2018-12389: Memory safety bugs fixed in Firefox ESR 60.3 and 
        Thunderbird 60.3
        
        Reporter
        
        Mozilla developers and community
        
        Impact
        
        low
        
        Description
        
        Mozilla developers and community members Daniel Veditz and Philipp 
        reported memory safety bugs present in Firefox ESR 60.2. Some of 
        these bugs showed evidence of memory corruption and we presume that,
        with enough effort, some of these could be exploited to run 
        arbitrary code.
        
        References
        
        Memory safety bugs fixed in Firefox ESR 60.3 and Thunderbird 60.3
        
        #CVE-2018-12390: Memory safety bugs fixed in Firefox 63, Firefox ESR
        60.3, and Thunderbird 60.3
        
        Reporter
        
        Mozilla developers and community
        
        Impact
        
        critical
        
        Description
        
        Mozilla developers and community members Christian Holler, Bob Owen,
        Boris Zbarsky, Calixte Denizet, Jason Kratzer, Jed Davis, Taegeon 
        Lee, Philipp, Ronald Crane, Raul Gurzau, Gary Kwong, Tyson Smith, 
        Raymond Forbes, and Bogdan Tara reported memory safety bugs present
        in Firefox 62 and Firefox ESR 60.2. Some of these bugs showed 
        evidence of memory corruption and we presume that, with enough 
        effort, some of these could be exploited to run arbitrary code.
        
        References
        
        Memory safety bugs fixed in Firefox 63, Firefox ESR 60.3, and 
        Thunderbird 60.3" [1]
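
        The 32-bit sizing flaw behind CVE-2018-12393 is easier to see in
        code. The C program below is an added illustration written for this
        bulletin; it is not Mozilla's code and does not reproduce the actual
        SpiderMonkey code path. It emulates a 32-bit size_t with uint32_t so
        it behaves the same on 64-bit hosts, computes a worst-case UTF-16
        buffer size of (length + 1) code units of 2 bytes each, shows that
        size wrapping to zero for a script of 2^31 - 1 bytes, and contrasts
        it with an overflow-checked version that refuses the allocation.
        All type, function and variable names are hypothetical.

```c
/* Added example, not Mozilla's code: integer overflow in a worst-case
 * UTF-8 -> UTF-16 buffer-size calculation on a 32-bit build, beside an
 * overflow-checked version. Names are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <inttypes.h>

typedef uint32_t size32_t;      /* stand-in for size_t on a 32-bit build */
#define UNIT_BYTES 2u           /* sizeof(char16_t) */

/* Naive sizing: one UTF-16 unit per input byte plus a terminator, times
 * two bytes per unit. All arithmetic is 32-bit unsigned, so it wraps. */
size32_t naive_utf16_bytes(size32_t nbytes_in) {
    return (nbytes_in + 1u) * UNIT_BYTES;
}

/* Checked sizing: reject any length whose (len + 1) * 2 cannot fit in a
 * 32-bit size_t. Returns false instead of producing a wrapped value. */
bool checked_utf16_bytes(size32_t nbytes_in, size32_t *out) {
    if (nbytes_in >= UINT32_MAX / UNIT_BYTES)
        return false;           /* (nbytes_in + 1) * 2 would wrap */
    *out = (nbytes_in + 1u) * UNIT_BYTES;
    return true;
}

/* True when the naive size is smaller than what the conversion would
 * actually write, i.e. the allocation is too small and the writer runs
 * past the end of the buffer (the out-of-bounds write). The comparison
 * is done in 64-bit so it is not affected by the wrap being measured. */
bool naive_underallocates(size32_t nbytes_in) {
    uint64_t needed = ((uint64_t)nbytes_in + 1u) * UNIT_BYTES;
    return (uint64_t)naive_utf16_bytes(nbytes_in) < needed;
}

int main(void) {
    /* A script of 2^31 - 1 bytes: a length a 32-bit int can hold, but
     * (len + 1) * 2 == 2^32, which wraps to 0 in 32-bit arithmetic. */
    size32_t script_len = 0x7FFFFFFFu;
    size32_t sz = 0;

    printf("naive size for %" PRIu32 " bytes: %" PRIu32 " (under-allocates: %s)\n",
           script_len, naive_utf16_bytes(script_len),
           naive_underallocates(script_len) ? "yes" : "no");

    if (checked_utf16_bytes(script_len, &sz))
        printf("checked size: %" PRIu32 "\n", sz);
    else
        printf("checked sizing refused the allocation (overflow)\n");

    /* An ordinary script length goes through both paths unchanged. */
    checked_utf16_bytes(1000u, &sz);
    printf("checked size for 1000 bytes: %" PRIu32 "\n", sz);
    return 0;
}
```

        The refusal in the checked variant is the whole fix pattern: compute
        the bound once, in the same width the allocation uses, and fail
        before the multiply rather than trusting its result. On a 64-bit
        build the same arithmetic has room to spare, which is why Mozilla
        notes that only 32-bit builds are affected.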


MITIGATION

        Mozilla recommends that users upgrade to the latest version to 
        address these issues. [1]


REFERENCES

        [1] Mozilla Foundation Security Advisory 2018-28
            https://www.mozilla.org/en-US/security/advisories/mfsa2018-28/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----