Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.1848
MFSA 2019-15 Security vulnerabilities fixed in Thunderbird 60.7
23 May 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Thunderbird
Publisher: Mozilla
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Cross-site Scripting -- Remote with User Interaction
Denial of Service -- Remote with User Interaction
Provide Misleading Information -- Remote with User Interaction
Access Confidential Data -- Remote with User Interaction
Reduced Security -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2019-11698 CVE-2019-11694 CVE-2019-11693
CVE-2019-11692 CVE-2019-11691 CVE-2019-9820
CVE-2019-9819 CVE-2019-9818 CVE-2019-9817
CVE-2019-9816 CVE-2019-9815 CVE-2019-9800
CVE-2019-9797 CVE-2019-7317 CVE-2019-5798
CVE-2018-18511
Reference: ASB-2019.0082
ASB-2019.0055
ESB-2019.1821
ESB-2019.1815
Original Bulletin:
https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/
- --------------------------BEGIN INCLUDED TEXT--------------------
Mozilla Foundation Security Advisory 2019-15
Security vulnerabilities fixed in Thunderbird 60.7
Announced
May 21, 2019
Impact
high
Products
Thunderbird
Fixed in
Thunderbird 60.7
In general, these flaws cannot be exploited through email in the Thunderbird
product because scripting is disabled when reading mail, but are potentially
risks in browser or browser-like contexts.
# CVE-2019-9815: Disable hyperthreading on content JavaScript threads on macOS
Reporter
Multiple independent researchers
Impact
high
Description
If hyperthreading is not disabled, a timing attack vulnerability exists,
similar to previous Spectre attacks. Apple has shipped macOS 10.14.5 with an
option to disable hyperthreading in applications running untrusted code in a
thread through a new sysctl. Firefox now makes use of it on the main thread and
any worker threads.
Note: users need to update to macOS 10.14.5 in order to take advantage of this
change.
References
o Bug 1546544
o RIDL and Fallout: MDS attacks
# CVE-2019-9816: Type confusion with object groups and UnboxedObjects
Reporter
Samuel Gross of Google Project Zero
Impact
high
Description
A possible vulnerability exists where type confusion can occur when
manipulating JavaScript objects in object groups, allowing for the bypassing of
security checks within these groups.
Note: this vulnerability has only been demonstrated with UnboxedObjects , which
are disabled by default on all supported releases.
References
o Bug 1536768
# CVE-2019-9817: Stealing of cross-domain images using canvas
Reporter
Luat Nguyen
Impact
high
Description
Images from a different domain can be read using a canvas object in some
circumstances. This could be used to steal image data from a different site in
violation of same-origin policy.
References
o Bug 1540221
# CVE-2019-9818: Use-after-free in crash generation server
Reporter
Thomas Imbert
Impact
high
Description
A race condition is present in the crash generation server used to generate
data for the crash reporter. This issue can lead to a use-after-free in the
main process, resulting in a potentially exploitable crash and a sandbox
escape.
Note: this vulnerability only affects Windows. Other operating systems are
unaffected.
References
o Bug 1542581
# CVE-2019-9819: Compartment mismatch with fetch API
Reporter
Nils
Impact
high
Description
A vulnerability where a JavaScript compartment mismatch can occur while working
with the fetch API, resulting in a potentially exploitable crash.
References
o Bug 1532553
# CVE-2019-9820: Use-after-free of ChromeEventHandler by DocShell
Reporter
Nils
Impact
high
Description
A use-after-free vulnerability can occur in the chrome event handler when it is
freed while still in use. This results in a potentially exploitable crash.
References
o Bug 1536405
# CVE-2019-11691: Use-after-free in XMLHttpRequest
Reporter
Nils
Impact
high
Description
A use-after-free vulnerability can occur when working with XMLHttpRequest (XHR)
in an event loop, causing the XHR main thread to be called after it has been
freed. This results in a potentially exploitable crash.
References
o Bug 1542465
# CVE-2019-11692: Use-after-free removing listeners in the event listener
manager
Reporter
Nils
Impact
high
Description
A use-after-free vulnerability can occur when listeners are removed from the
event listener manager while still in use, resulting in a potentially
exploitable crash.
References
o Bug 1544670
# CVE-2019-11693: Buffer overflow in WebGL bufferdata on Linux
Reporter
crixer
Impact
high
Description
The bufferdata function in WebGL is vulnerable to a buffer overflow with
specific graphics drivers on Linux. This could result in malicious content
freezing a tab or triggering a potentially exploitable crash.
Note: this issue only occurs on Linux. Other operating systems are unaffected.
References
o Bug 1532525
# CVE-2019-7317: Use-after-free in png_image_free of libpng library
Reporter
Salvatore Bonaccorso
Impact
high
Description
A use-after-free vulnerability was discovered in the png_image_free function in
the libpng library. This could lead to denial of service or a potentially
exploitable crash when a malformed image is processed.
References
o Bug 1542829
# CVE-2019-9797: Cross-origin theft of images with createImageBitmap
Reporter
AaylaSecura1138
Impact
high
Description
Cross-origin images can be read in violation of the same-origin policy by
exporting an image after using createImageBitmap to read the image and then
rendering the resulting bitmap image within a canvas element.
References
o Bug 1528909
# CVE-2018-18511: Cross-origin theft of images with ImageBitmapRenderingContext
Reporter
AaylaSecura1138
Impact
high
Description
Cross-origin images can be read from a canvas element in violation of the
same-origin policy using the transferFromImageBitmap method.
References
o Bug 1526218
# CVE-2019-11694: Uninitialized memory memory leakage in Windows sandbox
Reporter
Jeremy Fetiveau of SSD Secure Disclosure
Impact
moderate
Description
A vulnerability exists in the Windows sandbox where an uninitialized value in
memory can be leaked to a renderer from a broker when making a call to access
an otherwise unavailable file. This results in the potential leaking of
information stored at that memory location.
Note: this issue only occurs on Windows. Other operating systems are
unaffected.
References
o Bug 1534196
# CVE-2019-11698: Theft of user history data through drag and drop of
hyperlinks to and from bookmarks
Reporter
Abdulrahman Alqabandi
Impact
moderate
Description
If a crafted hyperlink is dragged and dropped to the bookmark bar or sidebar
and the resulting bookmark is subsequently dragged and dropped into the web
content area, an arbitrary query of a user's browser history can be run and
transmitted to the content page via drop event data. This allows for the theft
of browser history by a malicious site.
References
o Bug 1543191
# CVE-2019-5798: Out-of-bounds read in Skia
Reporter
Tran Tien Hung of Viettel Cyber Security
Impact
moderate
Description
An out-of-bounds read can occur in the Skia library during path
transformations. This could result in the exposure of data stored in memory.
References
o Bug 1535518
# CVE-2019-9800: Memory safety bugs fixed in Firefox 67, Firefox ESR 60.7, and
Thunderbird 60.7
Reporter
Mozilla developers and community
Impact
critical
Description
Mozilla developers and community members Olli Pettay, Bogdan Tara, Jan de
Mooij, Jason Kratzer, Jan Varga, Gary Kwong, Tim Guan-tin Chien, Tyson Smith,
Ronald Crane, and Ted Campbell reported memory safety bugs present in Firefox
66, Firefox ESR 60.6, and Thunderbird 60.6. Some of these bugs showed evidence
of memory corruption and we presume that with enough effort that some of these
could be exploited to run arbitrary code.
References
o Memory safety bugs fixed in Firefox 67, Firefox ESR 60.7, and Thunderbird
60.7
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXOYzmWaOgq3Tt24GAQijfRAAi8CzZFVYzK0tRm8owcjMcWvpaCBOEbfg
vj+80ch7ZDHN66MyP0WCmTAN8LgYNQU3Vh6WAfWFibAcKzjeRvQT3mibcil2OWm3
1tdJ62pnGSIAHXDvcmpuNwEru/kshd+ArML+TmFYLgo+Vc4YdIhjUCmFEcA9q7Sl
EF6aIbRKQLw7bip8LfpfLbigy8Jn6eEkgMWKOGzSL6RgIhIaKSlQd+O8Q+TAc20q
5BehzrR/beaExCeSppVERMbnxbYy1UQnRU0j4WmB+IptSIB0TEg7JghDQv+1F9pK
1KjZwcr4Nct3STNXI+B1rICqPsYT+33SAIQnq0d55rgShpgMzsdGSplHqQHz8PpS
ksEv59FJgXJ8UU9nV/tOw1Hd2jgaFSkz2DYLd8SLKCaj8TaL8DIsZWmEkkUYi1Je
BlnPIG2uYB6DKDfdOFOuv5bas+eckOW12uiDeJ3+7g59551v0wHZZt5N3tIkQjRO
iqWzkd94oHEf2h3bnDEfGeiUXrVlRDu8dJzGsfwnj1QFSlscAMiskGQrmzjRRNJx
XZgLlYuf2dBlMgRqu+pmx9xWFhrZbWk1cFHlTIgrBwpL/6SqIDHP6MAIO2ENRJyX
0sofcSfVAHb7uItf44Kb1fTqNnBEPCBqlOoyvajyjz4ADvP4OfWphEl6lN8uyqte
YrwD8W8sHY4=
=koEq
-----END PGP SIGNATURE-----