-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.4418
                      Firefox: Multiple vulnerabilities
                              16 December 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Firefox
Publisher:         Mozilla
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Administrator Compromise        -- Remote with User Interaction
                   Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Reduced Security                -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-35114 CVE-2020-35113 CVE-2020-35112 CVE-2020-35111
                   CVE-2020-26979 CVE-2020-26978 CVE-2020-26977 CVE-2020-26976
                   CVE-2020-26975 CVE-2020-26974 CVE-2020-26973 CVE-2020-26972
                   CVE-2020-26971 CVE-2020-16042

Original Bulletin:
   https://www.mozilla.org/en-US/security/advisories/mfsa2020-55/
   https://www.mozilla.org/en-US/security/advisories/mfsa2020-54/

Comment: This bulletin contains two (2) Mozilla security advisories.

         This advisory references vulnerabilities in products which run on
         multiple platforms. It is recommended that administrators running
         Firefox check for an updated version of the software for their
         operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

Mozilla Foundation Security Advisory 2020-54

Security Vulnerabilities fixed in Firefox 84

Announced: December 15, 2020
Impact:    critical
Products:  Firefox
Fixed in:  Firefox 84

# CVE-2020-16042: Operations on a BigInt could have caused uninitialized
  memory to be exposed

Reporter: Andre Bargull
Impact:   critical

Description

When a BigInt was right-shifted the backing store was not properly cleared,
allowing uninitialized memory to be read.
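The following is an added illustration of the bug class behind CVE-2020-16042, written for this bulletin; it is not Firefox or SpiderMonkey code and does not reproduce Mozilla's implementation. It models a fixed-capacity multi-limb integer whose right shift shortens the value in place: the vulnerable variant leaves the vacated high limbs holding their previous contents, so any consumer that walks the whole backing store (rather than only the limbs in use) reads stale data; the hardened variant zeroes every limb above the new length. All names (toy_bigint, rsh_buggy, rsh_fixed, stale_limbs_exposed) and the sample limb values are constructed for the example.

```c
/* Toy fixed-capacity big integer: 4 x 32-bit limbs, little-endian limb order.
 * Constructed illustration of the "backing store not cleared on right shift"
 * bug class; it is not Firefox/SpiderMonkey code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LIMBS 4

typedef struct {
    uint32_t limb[LIMBS]; /* backing store; may hold more limbs than are in use */
    size_t   len;         /* number of significant limbs (0 means the value is zero) */
} toy_bigint;

/* Load a value from n limbs into a freshly zeroed store (constructed input). */
static void toy_set(toy_bigint *b, const uint32_t *limbs, size_t n) {
    memset(b, 0, sizeof *b);
    if (n > LIMBS) n = LIMBS;
    memcpy(b->limb, limbs, n * sizeof limbs[0]);
    b->len = n;
}

/* Shared shift core: shifts the value right by nbits in place and shortens
 * len. It leaves the limbs above the new len untouched, so the two variants
 * below differ only in what they do afterwards. */
static void rsh_core(toy_bigint *b, unsigned nbits) {
    size_t limb_shift = nbits / 32;
    unsigned bit_shift = nbits % 32;
    if (limb_shift >= b->len) { b->len = 0; return; }
    size_t new_len = b->len - limb_shift;
    for (size_t i = 0; i < new_len; i++) {
        uint32_t lo = b->limb[i + limb_shift];
        uint32_t hi = (i + limb_shift + 1 < b->len) ? b->limb[i + limb_shift + 1] : 0;
        b->limb[i] = bit_shift ? (lo >> bit_shift) | (hi << (32 - bit_shift)) : lo;
    }
    while (new_len > 0 && b->limb[new_len - 1] == 0) new_len--; /* drop leading zero limbs */
    b->len = new_len;
}

/* Vulnerable variant: the vacated high limbs keep their old contents. */
static void rsh_buggy(toy_bigint *b, unsigned nbits) {
    rsh_core(b, nbits);
}

/* Hardened variant: every limb above len is zeroed before the value is handed on. */
static void rsh_fixed(toy_bigint *b, unsigned nbits) {
    rsh_core(b, nbits);
    memset(b->limb + b->len, 0, (LIMBS - b->len) * sizeof b->limb[0]);
}

/* Value of the low 64 bits, used to check that both variants shift correctly. */
static uint64_t toy_low64(const toy_bigint *b) {
    uint64_t v = b->len > 0 ? b->limb[0] : 0;
    if (b->len > 1) v |= (uint64_t)b->limb[1] << 32;
    return v;
}

/* Models a consumer that walks the whole backing store (a serialiser or debug
 * dump that trusts capacity rather than len): counts limbs above len that
 * still carry old data and would therefore be exposed to the caller. */
static size_t stale_limbs_exposed(const toy_bigint *b) {
    size_t n = 0;
    for (size_t i = b->len; i < LIMBS; i++)
        if (b->limb[i] != 0) n++;
    return n;
}

int main(void) {
    const uint32_t sample[3] = {0xDEADBEEFu, 0xCAFEBABEu, 0x12345678u}; /* constructed */
    toy_bigint a, b;
    toy_set(&a, sample, 3);
    toy_set(&b, sample, 3);
    rsh_buggy(&a, 40);
    rsh_fixed(&b, 40);
    printf("buggy: value=0x%016llx len=%zu stale limbs exposed=%zu\n",
           (unsigned long long)toy_low64(&a), a.len, stale_limbs_exposed(&a));
    printf("fixed: value=0x%016llx len=%zu stale limbs exposed=%zu\n",
           (unsigned long long)toy_low64(&b), b.len, stale_limbs_exposed(&b));
    return 0;
}
```

Both variants compute the same arithmetic result; the difference is only visible to code that reads past len, which is exactly why this class of defect survives functional testing. The shift by 96 bits (more than the value's width) is the sharper edge case: the buggy variant reports a zero value while the entire old value is still sitting in the store.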
References

  o Bug 1679003

# CVE-2020-26971: Heap buffer overflow in WebGL

Reporter: Omair, Abraruddin Khan
Impact:   high

Description

Certain blit values provided by the user were not properly constrained,
leading to a heap buffer overflow on some video drivers.

References

  o Bug 1663466

# CVE-2020-26972: Use-After-Free in WebGL

Reporter: Brian Carpenter via the ASAN Nightly project
Impact:   high

Description

The lifecycle of IPC Actors allows managed actors to outlive their manager
actors, and the former must ensure that they are not attempting to use a
dead actor they have a reference to. Such a check was omitted in WebGL,
resulting in a use-after-free and a potentially exploitable crash.

References

  o Bug 1671382

# CVE-2020-26973: CSS Sanitizer performed incorrect sanitization

Reporter: Kai Engert
Impact:   high

Description

Certain input to the CSS Sanitizer confused it, resulting in incorrect
components being removed. This could have been used as a sanitizer bypass.

References

  o Bug 1680084

# CVE-2020-26974: Incorrect cast of StyleGenericFlexBasis resulted in a heap
  use-after-free

Reporter: Pham Bao of VinCSS (Member of Vingroup)
Impact:   high

Description

When flex-basis was used on a table wrapper, a StyleGenericFlexBasis object
could have been incorrectly cast to the wrong type. This resulted in a heap
use-after-free, memory corruption, and a potentially exploitable crash.

References

  o Bug 1681022

# CVE-2020-26975: Malicious applications on Android could have induced Firefox
  for Android into sending arbitrary attacker-specified headers

Reporter: Pedro Oliveira
Impact:   moderate

Description

When a malicious application installed on the user's device broadcast an
Intent to Firefox for Android, arbitrary headers could have been specified,
leading to attacks such as abusing ambient authority or session fixation.
This was resolved by only allowing certain safe-listed headers.

Note: This issue only affected Firefox for Android. Other operating systems
are unaffected.
References

  o Bug 1661071

# CVE-2020-26976: HTTPS pages could have been intercepted by a registered
  service worker when they should not have been

Reporter: Andrew Sutherland
Impact:   moderate

Description

When an HTTPS page was embedded in an HTTP page, and there was a service
worker registered for the former, the service worker could have intercepted
the request for the secure page despite the iframe not being a secure
context due to the (insecure) framing.

References

  o Bug 1674343

# CVE-2020-26977: URL spoofing via unresponsive port in Firefox for Android

Reporter: andrew g
Impact:   moderate

Description

By attempting to connect to a website using an unresponsive port, an
attacker could have controlled the content of a tab while the URL bar
displayed the original domain.

Note: This issue only affects Firefox for Android. Other operating systems
are unaffected.

References

  o Bug 1676311

# CVE-2020-26978: Internal network hosts could have been probed by a
  malicious webpage

Reporter: Samy Kamkar, Ben Seri, and Gregory Vishnepolsky
Impact:   moderate

Description

Using techniques that built on the slipstream research, a malicious webpage
could have exposed both an internal network's hosts as well as services
running on the user's local machine.

References

  o Bug 1677047

# CVE-2020-26979: When entering an address in the address or search bars, a
  website could have redirected the user before they were navigated to the
  intended url

Reporter: David Schutz
Impact:   low

Description

When a user typed a URL in the address bar or the search bar and quickly hit
the enter key, a website could sometimes capture that event and then
redirect the user before navigation occurred to the desired, entered
address. To construct a convincing spoof the attacker would have had to
guess what the user was typing, perhaps by suggesting it.
References

  o Bug 1641287, 1673299

# CVE-2020-35111: The proxy.onRequest API did not catch view-source URLs

Reporter: Yassine Tioual
Impact:   low

Description

When an extension with the proxy permission registered to receive
<all_urls>, the proxy.onRequest callback was not triggered for view-source
URLs. While web content cannot navigate to such URLs, a user opening View
Source could have inadvertently leaked their IP address.

References

  o Bug 1657916

# CVE-2020-35112: Opening an extension-less download may have inadvertently
  launched an executable instead

Reporter: Samuel Attard via the Chrome Security Team
Impact:   low

Description

If a user downloaded a file lacking an extension on Windows, and then
"Open"-ed it from the downloads panel, if there was an executable file in
the downloads directory with the same name but with an executable extension
(such as .bat or .exe) that executable would have been launched instead.

Note: This issue only affected Windows operating systems. Other operating
systems are unaffected.

References

  o Bug 1661365

# CVE-2020-35113: Memory safety bugs fixed in Firefox 84 and Firefox ESR 78.6

Reporter: Christian Holler
Impact:   high

Description

Mozilla developer Christian Holler reported memory safety bugs present in
Firefox 83 and Firefox ESR 78.5. Some of these bugs showed evidence of
memory corruption and we presume that with enough effort some of these
could have been exploited to run arbitrary code.

References

  o Memory safety bugs fixed in Firefox 84 and Firefox ESR 78.6

# CVE-2020-35114: Memory safety bugs fixed in Firefox 84

Reporter: Mozilla developers
Impact:   high

Description

Mozilla developers Christian Holler, Jan-Ivar Bruaroey, and Gabriele Svelto
reported memory safety bugs present in Firefox 83. Some of these bugs showed
evidence of memory corruption and we presume that with enough effort some
of these could have been exploited to run arbitrary code.
References

  o Memory safety bugs fixed in Firefox 84

- -------------------------------------------------------------------------------

Mozilla Foundation Security Advisory 2020-55

Security Vulnerabilities fixed in Firefox ESR 78.6

Announced: December 15, 2020
Impact:    critical
Products:  Firefox ESR
Fixed in:  Firefox ESR 78.6

# CVE-2020-16042: Operations on a BigInt could have caused uninitialized
  memory to be exposed

Reporter: Andre Bargull
Impact:   critical

Description

When a BigInt was right-shifted the backing store was not properly cleared,
allowing uninitialized memory to be read.

References

  o Bug 1679003

# CVE-2020-26971: Heap buffer overflow in WebGL

Reporter: Omair, Abraruddin Khan
Impact:   high

Description

Certain blit values provided by the user were not properly constrained,
leading to a heap buffer overflow on some video drivers.

References

  o Bug 1663466

# CVE-2020-26973: CSS Sanitizer performed incorrect sanitization

Reporter: Kai Engert
Impact:   high

Description

Certain input to the CSS Sanitizer confused it, resulting in incorrect
components being removed. This could have been used as a sanitizer bypass.

References

  o Bug 1680084

# CVE-2020-26974: Incorrect cast of StyleGenericFlexBasis resulted in a heap
  use-after-free

Reporter: Pham Bao of VinCSS (Member of Vingroup)
Impact:   high

Description

When flex-basis was used on a table wrapper, a StyleGenericFlexBasis object
could have been incorrectly cast to the wrong type. This resulted in a heap
use-after-free, memory corruption, and a potentially exploitable crash.

References

  o Bug 1681022

# CVE-2020-26978: Internal network hosts could have been probed by a
  malicious webpage

Reporter: Samy Kamkar, Ben Seri, and Gregory Vishnepolsky
Impact:   moderate

Description

Using techniques that built on the slipstream research, a malicious webpage
could have exposed both an internal network's hosts as well as services
running on the user's local machine.
References

  o Bug 1677047

# CVE-2020-35111: The proxy.onRequest API did not catch view-source URLs

Reporter: Yassine Tioual
Impact:   low

Description

When an extension with the proxy permission registered to receive
<all_urls>, the proxy.onRequest callback was not triggered for view-source
URLs. While web content cannot navigate to such URLs, a user opening View
Source could have inadvertently leaked their IP address.

References

  o Bug 1657916

# CVE-2020-35112: Opening an extension-less download may have inadvertently
  launched an executable instead

Reporter: Samuel Attard via the Chrome Security Team
Impact:   low

Description

If a user downloaded a file lacking an extension on Windows, and then
"Open"-ed it from the downloads panel, if there was an executable file in
the downloads directory with the same name but with an executable extension
(such as .bat or .exe) that executable would have been launched instead.

Note: This issue only affected Windows operating systems. Other operating
systems are unaffected.

References

  o Bug 1661365

# CVE-2020-35113: Memory safety bugs fixed in Firefox 84 and Firefox ESR 78.6

Reporter: Christian Holler
Impact:   high

Description

Mozilla developer Christian Holler reported memory safety bugs present in
Firefox 83 and Firefox ESR 78.5. Some of these bugs showed evidence of
memory corruption and we presume that with enough effort some of these
could have been exploited to run arbitrary code.

References

  o Memory safety bugs fixed in Firefox 84 and Firefox ESR 78.6

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBX9mH/+NLKJtyKPYoAQj41Q/+KyeUcLchj2iXN4deW1kdNFTDfyo5MVqM
XyR6WpoowIA0SK3VTXFKsXbFJQvmm/WTqS99bZNN25ra3YrGV63Cq/SDTAEbwYd/
kpluurte/Ci6PPuzSta2vsQurnwJO2+1kXIIdwmgwxbxxq/3mv/3X8w5rvfc24wj
jpvnyK2yOqyd0/b320vXtshbEHFgavDjfxEYYauffFvQ9CiTNSD7yYBhdofnIfrR
UIAk2G/4hNezb6g+ExMyltlf2hqT3kD8fQX+8CioH+K4RKLfKq7fBa35mSWatCXA
KZgcdb98m0fpSVcFz+jQ0baa/HM3ltQXOqktQpwxiWDnS3GmFLORxv2A82+RnbeB
sUkho/I3eGqF9HD6pTarZE0binSzJD9uSQNjHlYrr5Wv8HfVKs8frIW1rqf0lreZ
pjFFLtbne+2SmLrtjpQ8TrP17tnjaeCNJ2hvFCknuWZB7anhM6EdNu0lmycCPoW+
KR23kB6kwqXpFrgjQO3tVEmQjiD0kFwVDJ5dwIZk64kMcF9MribWhJNW+Ob1m7Bh
2WxM2rOXrCwKZsCl2xZ72drKiwOK1r7RTKT/TI9JH5kMcM7UdULiBepdl4IEtPpi
ZmFfgOgYUjjJjFbTNf/76DvqGB9pbsk7sDypfw1rxryjsiRkk0ru7hyrp+knLm/W
1cwj6FqdTCI=
=1PaR
-----END PGP SIGNATURE-----