-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.3656
          MFSA 2022-28 Security Vulnerabilities fixed in Firefox 103
                               28 July 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Firefox
Publisher:         Mozilla
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-36320 CVE-2022-36319 CVE-2022-36318 CVE-2022-36317
                   CVE-2022-36316 CVE-2022-36315 CVE-2022-36314 CVE-2022-2505

Original Bulletin:
   https://www.mozilla.org/en-US/security/advisories/mfsa2022-28/

Comment: CVSS (Max): None available when published

- --------------------------BEGIN INCLUDED TEXT--------------------

Mozilla Foundation Security Advisory 2022-28

Security Vulnerabilities fixed in Firefox 103

Announced: July 26, 2022
Impact:    moderate
Products:  Firefox
Fixed in:  Firefox 103

# CVE-2022-36319: Mouse Position spoofing with CSS transforms

Reporter: Irvan Kurniawan
Impact:   moderate

Description

When combining CSS properties for overflow and transform, the mouse cursor
could interact with different coordinates than displayed.

References

  o Bug 1737722

# CVE-2022-36317: Long URL would hang Firefox for Android

Reporter: Irwan
Impact:   moderate

Description

When visiting a website with an overly long URL, the user interface would
start to hang. Due to session restore, this could lead to a permanent Denial
of Service.

This bug only affects Firefox for Android. Other operating systems are
unaffected.

References

  o Bug 1759951

# CVE-2022-36318: Directory indexes for bundled resources reflected URL parameters

Reporter: Gijs Kruitbosch
Impact:   moderate

Description

When visiting directory listings for chrome:// URLs as source text, some
parameters were reflected.
References

  o Bug 1771774

# CVE-2022-36314: Opening local .lnk files could cause unexpected network loads

Reporter: akucybersec
Impact:   moderate

Description

When opening a Windows shortcut from the local filesystem, an attacker could
supply a remote path that would lead to unexpected network requests from the
operating system.

This bug only affects Firefox for Windows. Other operating systems are
unaffected.

References

  o Bug 1773894

# CVE-2022-36315: Preload Cache Bypasses Subresource Integrity

Reporter: Hiroshige Hayashizaki
Impact:   low

Description

When loading a script with Subresource Integrity, attackers with an injection
capability could trigger the reuse of previously cached entries with
incorrect, different integrity metadata.

References

  o Bug 1762520

# CVE-2022-36316: Performance API leaked whether a cross-site resource is redirecting

Reporter: Jannis Rautenstrauch
Impact:   low

Description

When using the Performance API, an attacker was able to notice subtle
differences between PerformanceEntries and thus learn whether the target URL
had been subject to a redirect.

References

  o Bug 1768583

# CVE-2022-36320: Memory safety bugs fixed in Firefox 103

Reporter: Mozilla developers and community
Impact:   high

Description

Mozilla developers and the Mozilla Fuzzing Team reported memory safety bugs
present in Firefox 102. Some of these bugs showed evidence of memory
corruption and we presume that with enough effort some of these could have
been exploited to run arbitrary code.

References

  o Memory safety bugs fixed in Firefox 103

# CVE-2022-2505: Memory safety bugs fixed in Firefox 103 and 102.1

Reporter: Mozilla developers and community
Impact:   high

Description

Mozilla developers and the Mozilla Fuzzing Team reported memory safety bugs
present in Firefox 102. Some of these bugs showed evidence of memory
corruption and we presume that with enough effort some of these could have
been exploited to run arbitrary code.
References

  o Memory safety bugs fixed in Firefox 103

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

-----END PGP SIGNATURE-----