-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.4418
                     Firefox: Multiple vulnerabilities
                             16 December 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Firefox
Publisher:         Mozilla
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Administrator Compromise        -- Remote with User Interaction
                   Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Reduced Security                -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-35114 CVE-2020-35113 CVE-2020-35112
                   CVE-2020-35111 CVE-2020-26979 CVE-2020-26978
                   CVE-2020-26977 CVE-2020-26976 CVE-2020-26975
                   CVE-2020-26974 CVE-2020-26973 CVE-2020-26972
                   CVE-2020-26971 CVE-2020-16042 

Original Bulletin: 
   https://www.mozilla.org/en-US/security/advisories/mfsa2020-55/
   https://www.mozilla.org/en-US/security/advisories/mfsa2020-54/

Comment: This bulletin contains two (2) Mozilla security advisories.

         This advisory references vulnerabilities in products which run on
         multiple platforms. It is recommended that administrators
         running Firefox check for an updated version of the software for
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

Mozilla Foundation Security Advisory 2020-54

Security Vulnerabilities fixed in Firefox 84

Announced: December 15, 2020
Impact:    critical
Products:  Firefox
Fixed in:  Firefox 84

# CVE-2020-16042: Operations on a BigInt could have caused uninitialized memory
to be exposed

Reporter: Andre Bargull
Impact:   critical

Description

When a BigInt was right-shifted the backing store was not properly cleared,
allowing uninitialized memory to be read.

References

  o Bug 1679003

# CVE-2020-26971: Heap buffer overflow in WebGL

Reporter: Omair, Abraruddin Khan
Impact:   high

Description

Certain blit values provided by the user were not properly constrained leading
to a heap buffer overflow on some video drivers.

References

  o Bug 1663466

# CVE-2020-26972: Use-After-Free in WebGL

Reporter: Brian Carpenter via the ASAN Nightly project
Impact:   high

Description

The lifecycle of IPC Actors allows managed actors to outlive their manager
actors, so a managed actor must ensure that it is not attempting to use a dead
actor it holds a reference to. Such a check was omitted in WebGL, resulting in
a use-after-free and a potentially exploitable crash.

References

  o Bug 1671382

# CVE-2020-26973: CSS Sanitizer performed incorrect sanitization

Reporter: Kai Engert
Impact:   high

Description

Certain input to the CSS Sanitizer confused it, resulting in incorrect
components being removed. This could have been used as a sanitizer bypass.

References

  o Bug 1680084

# CVE-2020-26974: Incorrect cast of StyleGenericFlexBasis resulted in a heap
use-after-free

Reporter: Pham Bao of VinCSS (Member of Vingroup)
Impact:   high

Description

When flex-basis was used on a table wrapper, a StyleGenericFlexBasis object
could have been incorrectly cast to the wrong type. This resulted in a heap
use-after-free, memory corruption, and a potentially exploitable crash.

References

  o Bug 1681022

# CVE-2020-26975: Malicious applications on Android could have induced Firefox
for Android into sending arbitrary attacker-specified headers

Reporter: Pedro Oliveira
Impact:   moderate

Description

When a malicious application installed on the user's device broadcast an Intent
to Firefox for Android, arbitrary headers could have been specified, leading to
attacks such as abusing ambient authority or session fixation. This was
resolved by only allowing certain safe-listed headers.
Note: This issue only affected Firefox for Android. Other operating systems are
unaffected.

References

  o Bug 1661071

# CVE-2020-26976: HTTPS pages could have been intercepted by a registered
service worker when they should not have been

Reporter: Andrew Sutherland
Impact:   moderate

Description

When an HTTPS page was embedded in an HTTP page, and there was a service worker
registered for the former, the service worker could have intercepted the
request for the secure page even though the iframe was not a secure context,
due to the (insecure) framing.

References

  o Bug 1674343

# CVE-2020-26977: URL spoofing via unresponsive port in Firefox for Android

Reporter: andrew g
Impact:   moderate

Description

By attempting to connect to a website using an unresponsive port, an attacker
could have controlled the content of a tab while the URL bar displayed the
original domain.
Note: This issue only affects Firefox for Android. Other operating systems are
unaffected.

References

  o Bug 1676311

# CVE-2020-26978: Internal network hosts could have been probed by a malicious
webpage

Reporter: Samy Kamkar, Ben Seri, and Gregory Vishnepolsky
Impact:   moderate

Description

Using techniques that built on the slipstream research, a malicious webpage
could have exposed both an internal network's hosts as well as services running
on the user's local machine.

References

  o Bug 1677047

# CVE-2020-26979: When entering an address in the address or search bars, a
website could have redirected the user before they were navigated to the
intended URL

Reporter: David Schutz
Impact:   low

Description

When a user typed a URL in the address bar or the search bar and quickly hit
the enter key, a website could sometimes capture that event and then redirect
the user before navigation occurred to the desired, entered address. To
construct a convincing spoof the attacker would have had to guess what the user
was typing, perhaps by suggesting it.

References

  o Bug 1641287, 1673299

# CVE-2020-35111: The proxy.onRequest API did not catch view-source URLs

Reporter: Yassine Tioual
Impact:   low

Description

When an extension with the proxy permission registered to receive <all_urls>,
the proxy.onRequest callback was not triggered for view-source URLs. While web
content cannot navigate to such URLs, a user opening View Source could have
inadvertently leaked their IP address.

References

  o Bug 1657916

# CVE-2020-35112: Opening an extension-less download may have inadvertently
launched an executable instead

Reporter: Samuel Attard via the Chrome Security Team
Impact:   low

Description

If a user downloaded a file lacking an extension on Windows and then opened it
from the downloads panel, and an executable file with the same name but an
executable extension (such as .bat or .exe) existed in the downloads directory,
that executable would have been launched instead.
Note: This issue only affected Windows operating systems. Other operating
systems are unaffected.

References

  o Bug 1661365

# CVE-2020-35113: Memory safety bugs fixed in Firefox 84 and Firefox ESR 78.6

Reporter: Christian Holler
Impact:   high

Description

Mozilla developer Christian Holler reported memory safety bugs present in
Firefox 83 and Firefox ESR 78.5. Some of these bugs showed evidence of memory
corruption and we presume that with enough effort some of these could have been
exploited to run arbitrary code.

References

  o Memory safety bugs fixed in Firefox 84 and Firefox ESR 78.6

# CVE-2020-35114: Memory safety bugs fixed in Firefox 84

Reporter: Mozilla developers
Impact:   high

Description

Mozilla developers Christian Holler, Jan-Ivar Bruaroey, and Gabriele Svelto
reported memory safety bugs present in Firefox 83. Some of these bugs showed
evidence of memory corruption and we presume that with enough effort some of
these could have been exploited to run arbitrary code.

References

  o Memory safety bugs fixed in Firefox 84

- -------------------------------------------------------------------------------

Mozilla Foundation Security Advisory 2020-55

Security Vulnerabilities fixed in Firefox ESR 78.6

Announced: December 15, 2020
Impact:    critical
Products:  Firefox ESR
Fixed in:  Firefox ESR 78.6

# CVE-2020-16042: Operations on a BigInt could have caused uninitialized memory
to be exposed

Reporter: Andre Bargull
Impact:   critical

Description

When a BigInt was right-shifted the backing store was not properly cleared,
allowing uninitialized memory to be read.

References

  o Bug 1679003

# CVE-2020-26971: Heap buffer overflow in WebGL

Reporter: Omair, Abraruddin Khan
Impact:   high

Description

Certain blit values provided by the user were not properly constrained leading
to a heap buffer overflow on some video drivers.

References

  o Bug 1663466

# CVE-2020-26973: CSS Sanitizer performed incorrect sanitization

Reporter: Kai Engert
Impact:   high

Description

Certain input to the CSS Sanitizer confused it, resulting in incorrect
components being removed. This could have been used as a sanitizer bypass.

References

  o Bug 1680084

# CVE-2020-26974: Incorrect cast of StyleGenericFlexBasis resulted in a heap
use-after-free

Reporter: Pham Bao of VinCSS (Member of Vingroup)
Impact:   high

Description

When flex-basis was used on a table wrapper, a StyleGenericFlexBasis object
could have been incorrectly cast to the wrong type. This resulted in a heap
use-after-free, memory corruption, and a potentially exploitable crash.

References

  o Bug 1681022

# CVE-2020-26978: Internal network hosts could have been probed by a malicious
webpage

Reporter: Samy Kamkar, Ben Seri, and Gregory Vishnepolsky
Impact:   moderate

Description

Using techniques that built on the slipstream research, a malicious webpage
could have exposed both an internal network's hosts as well as services running
on the user's local machine.

References

  o Bug 1677047

# CVE-2020-35111: The proxy.onRequest API did not catch view-source URLs

Reporter: Yassine Tioual
Impact:   low

Description

When an extension with the proxy permission registered to receive <all_urls>,
the proxy.onRequest callback was not triggered for view-source URLs. While web
content cannot navigate to such URLs, a user opening View Source could have
inadvertently leaked their IP address.

References

  o Bug 1657916

# CVE-2020-35112: Opening an extension-less download may have inadvertently
launched an executable instead

Reporter: Samuel Attard via the Chrome Security Team
Impact:   low

Description

If a user downloaded a file lacking an extension on Windows and then opened it
from the downloads panel, and an executable file with the same name but an
executable extension (such as .bat or .exe) existed in the downloads directory,
that executable would have been launched instead.
Note: This issue only affected Windows operating systems. Other operating
systems are unaffected.

References

  o Bug 1661365
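The CVE-2020-35112 failure mode described above (in both advisories), as an added defensive pre-open check that is not part of the advisory or of Firefox's own code: before handing a downloaded file to the shell, it confirms the exact path exists and refuses when a sibling in the same directory shares the name with an executable extension. The extension set and the sample downloads directory are assumptions constructed for this example.

```python
# Added example, not Mozilla's code: a defensive check for the condition under
# which an extension-less download could be "opened" as a sibling executable.
import tempfile
from pathlib import Path

# Assumed set of extensions the Windows shell treats as executable, modelled on
# a typical PATHEXT value; not taken from Firefox.
EXECUTABLE_EXTENSIONS = frozenset(
    {".exe", ".bat", ".cmd", ".com", ".scr", ".pif", ".vbs", ".js", ".msi", ".ps1"}
)


def executable_collisions(downloads_dir, download_name):
    """Return sibling files whose stem equals download_name and whose suffix is executable."""
    base = Path(downloads_dir)
    target = base / download_name
    collisions = []
    for entry in base.iterdir():
        if entry == target or not entry.is_file():
            continue
        # Compare case-insensitively, as the Windows shell resolves names.
        same_stem = entry.stem.lower() == target.name.lower()
        if same_stem and entry.suffix.lower() in EXECUTABLE_EXTENSIONS:
            collisions.append(entry.name)
    return sorted(collisions)


def safe_open_target(downloads_dir, download_name):
    """Return the exact absolute path to open, or None if the open would be ambiguous."""
    target = Path(downloads_dir) / download_name
    if not target.is_file():
        return None  # never let the shell search for a "better" match
    if executable_collisions(downloads_dir, download_name):
        return None  # a same-named executable sits beside the download
    return str(target.resolve())


def build_sample_downloads():
    """Construct a sample downloads directory (constructed data, not real user files)."""
    d = Path(tempfile.mkdtemp(prefix="dl_sample_"))
    (d / "report").write_bytes(b"plain download without an extension")
    (d / "report.exe").write_bytes(b"unrelated executable sharing the name")
    (d / "notes.txt").write_text("unrelated file")
    return d


if __name__ == "__main__":
    sample = build_sample_downloads()
    print("collisions for 'report':", executable_collisions(sample, "report"))
    print("safe to open 'report'?", safe_open_target(sample, "report"))
```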

# CVE-2020-35113: Memory safety bugs fixed in Firefox 84 and Firefox ESR 78.6

Reporter: Christian Holler
Impact:   high

Description

Mozilla developer Christian Holler reported memory safety bugs present in
Firefox 83 and Firefox ESR 78.5. Some of these bugs showed evidence of memory
corruption and we presume that with enough effort some of these could have been
exploited to run arbitrary code.

References

  o Memory safety bugs fixed in Firefox 84 and Firefox ESR 78.6

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----