===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0054
         MFSA 2020-01 Security Vulnerabilities fixed in Firefox 72
                              8 January 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Firefox
Publisher:         Mozilla
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
                   Reduced Security                -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-17025 CVE-2019-17024 CVE-2019-17023
                   CVE-2019-17022 CVE-2019-17021 CVE-2019-17020
                   CVE-2019-17019 CVE-2019-17018 CVE-2019-17017
                   CVE-2019-17016 CVE-2019-17015

Original Bulletin:
   https://www.mozilla.org/en-US/security/advisories/mfsa2020-01/

--------------------------BEGIN INCLUDED TEXT--------------------

Mozilla Foundation Security Advisory 2020-01

Security Vulnerabilities fixed in Firefox 72

Announced: January 7, 2020
Impact:    high
Products:  Firefox
Fixed in:  Firefox 72

# CVE-2019-17015: Memory corruption in parent process during new content process initialization on Windows

Reporter: Thomas Imbert
Impact:   high

Description

During the initialization of a new content process, a pointer offset can be
manipulated leading to memory corruption and a potentially exploitable crash in
the parent process.
Note: this issue only occurs on Windows. Other operating systems are unaffected.

References

  o Bug 1599005

# CVE-2019-17016: Bypass of @namespace CSS sanitization during pasting

Reporter: Michal Bentkowski
Impact:   high

Description

When pasting a <style> tag from the clipboard into a rich text editor, the CSS
sanitizer incorrectly rewrites a @namespace rule. This could allow for injection
into certain types of websites resulting in data exfiltration.

References

  o Bug 1599181

# CVE-2019-17017: Type Confusion in XPCVariant.cpp

Reporter: bo13oy
Impact:   high

Description

Due to a missing case handling object types, a type confusion vulnerability
could occur, resulting in a crash. We presume that with enough effort that it
could be exploited to run arbitrary code.

References

  o Bug 1603055

# CVE-2019-17018: Windows Keyboard in Private Browsing Mode may retain word suggestions

Reporter: Siye Lui
Impact:   moderate

Description

When in Private Browsing Mode on Windows 10, the Windows keyboard may retain
word suggestions to improve the accuracy of the keyboard.

References

  o Bug 1549394

# CVE-2019-17019: Python files could be inadvertently executed upon opening a download

Reporter: Prithwishk Kumar Pal
Impact:   moderate

Description

When Python was installed on Windows, a python file being served with the MIME
type of text/plain could be executed by Python instead of being opened as a
text file when the Open option was selected upon download.
Note: this issue only occurs on Windows. Other operating systems are unaffected.

References

  o Bug 1568003

# CVE-2019-17020: Content Security Policy not applied to XSL stylesheets applied to XML documents

Reporter: Matthew Somerville
Impact:   moderate

Description

If an XML file is served with a Content Security Policy and the XML file
includes an XSL stylesheet, the Content Security Policy will not be applied to
the contents of the XSL stylesheet. If the XSL sheet e.g. includes JavaScript,
it would bypass any of the restrictions of the Content Security Policy applied
to the XML document.

References

  o Bug 1597645

# CVE-2019-17021: Heap address disclosure in parent process during content process initialization on Windows

Reporter: Thomas Imbert
Impact:   moderate

Description

During the initialization of a new content process, a race condition occurs
that can allow a content process to disclose heap addresses from the parent
process.
Note: this issue only occurs on Windows. Other operating systems are unaffected.

References

  o Bug 1599008

# CVE-2019-17022: CSS sanitization does not escape HTML tags

Reporter: Michal Bentkowski
Impact:   moderate

Description

When pasting a <style> tag from the clipboard into a rich text editor, the CSS
sanitizer does not escape < and > characters. Because the resulting string is
pasted directly into the text node of the element this does not result in a
direct injection into the webpage; however, if a webpage subsequently copies
the node's innerHTML, assigning it to another innerHTML, this would result in
an XSS vulnerability. Two WYSIWYG editors were identified with this behavior,
more may exist.

References

  o Bug 1602843

# CVE-2019-17023: NSS may negotiate TLS 1.2 or below after a TLS 1.3 HelloRetryRequest had been sent

Reporter: Google oss-fuzz
Impact:   low

Description

After a HelloRetryRequest has been sent, the client may negotiate a lower
protocol than TLS 1.3, resulting in an invalid state transition in the TLS
State Machine. If the client gets into this state, incoming Application Data
records will be ignored.

References

  o Bug 1590001

# CVE-2019-17024: Memory safety bugs fixed in Firefox 72 and Firefox ESR 68.4

Reporter: Mozilla developers
Impact:   high

Description

Mozilla developers Jason Kratzer, Christian Holler, and Bob Clary reported
memory safety bugs present in Firefox 71 and Firefox ESR 68.3. Some of these
bugs showed evidence of memory corruption and we presume that with enough
effort some of these could have been exploited to run arbitrary code.

References

  o Memory safety bugs fixed in Firefox 72 and Firefox ESR 68.4

# CVE-2019-17025: Memory safety bugs fixed in Firefox 72

Reporter: Mozilla developers
Impact:   high

Description

Mozilla developers Karl Tomlinson, Jason Kratzer, Tyson Smith, Jon Coppeard,
and Christian Holler reported memory safety bugs present in Firefox 71. Some of
these bugs showed evidence of memory corruption and we presume that with enough
effort some of these could have been exploited to run arbitrary code.

References

  o Memory safety bugs fixed in Firefox 72

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
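
Added example, not part of the Mozilla advisory or the AusCERT bulletin: a simplified model of the condition described under CVE-2019-17022, for authors of rich text editors that copy nodes through innerHTML, with one editor-side guard. The function names and the sample string are constructed for illustration, and the end-tag rule is a reduced model of the HTML parser, not a full tokenizer.

```javascript
// Added illustration; not code from Mozilla or from any editor project.
// All function names are hypothetical.

// HTML serialisation (innerHTML) writes the text inside <style> verbatim:
// <, > and & are not escaped for raw-text elements.
function serializeStyle(cssText) {
  return "<style>" + cssText + "</style>";
}

// Simplified model of the parser's raw-text rule: the element ends at the
// first "</style" (any case) followed by whitespace, "/" or ">".
const STYLE_END = /<\/style(?=[\t\n\f \/>])/i;

// Markup that a re-parse would place outside the <style> element;
// "" when every character of the CSS text stays inside it.
function markupEscapingStyle(html) {
  const body = html.slice("<style>".length);
  const end = STYLE_END.exec(body);
  if (!end) return "";
  const close = body.indexOf(">", end.index);
  if (close === -1) return "";
  // What is left after the first end tag, minus the serializer's own one.
  return body.slice(close + 1).replace(/<\/style>$/i, "");
}

// Editor-side guard: rewrite "</style" as "<\/style". In CSS "\/" is an
// escape for "/", so string values are unchanged, but the HTML parser no
// longer finds an end tag inside the text.
function hardenCssText(cssText) {
  return cssText.replace(/<\/(?=style)/gi, "<\\/");
}

// Constructed sample: CSS text whose string value contains markup.
const pasted = 'a::before{content:"</style><b>outside</b>"}';

function demo() {
  return {
    before: markupEscapingStyle(serializeStyle(pasted)),
    after: markupEscapingStyle(serializeStyle(hardenCssText(pasted))),
  };
}

console.log(demo());
```

Copying the node with cloneNode(true) instead of assigning one innerHTML to another avoids the re-parse altogether.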