SB2018051017 - Multiple vulnerabilities in Mozilla Firefox 




Published: May 10, 2018

Security Bulletin ID: SB2018051017
Severity: High
Patch available: YES
Number of vulnerabilities: 26
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High 27%, Low 73%

Description

This security bulletin contains information about 26 security vulnerabilities.


1) Use-after-free error (CVE-ID: CVE-2018-5154)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a use-after-free error while enumerating attributes during SVG animations with clip paths. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

2) Use-after-free error (CVE-ID: CVE-2018-5155)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a use-after-free error while adjusting layout during SVG animations with text paths. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

3) Same-origin policy bypass (CVE-ID: CVE-2018-5157)

The vulnerability allows a remote attacker to bypass same-origin policy on the target system.

The weakness exists due to improper input validation. A remote attacker can trick the victim into visiting a specially crafted website, bypass same-origin protections for the PDF viewer and cause a malicious site to intercept messages meant for the viewer and retrieve PDF files restricted to viewing by an authenticated user on a third-party website.

4) Cross-site scripting (CVE-ID: CVE-2018-5158)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists because the PDF viewer does not sufficiently sanitize PostScript calculator functions. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


5) Memory corruption (CVE-ID: CVE-2018-5159)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to an integer overflow in the Skia library, where a 32-bit integer is used in an array without integer overflow checks. A remote attacker can trick the victim into visiting a specially crafted website, trigger an out-of-bounds write and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

6) Memory corruption (CVE-ID: CVE-2018-5160)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists because WebRTC can use a WrappedI420Buffer pixel buffer, but the owning image object can be freed while it is still in use. A remote attacker can trick the victim into visiting a specially crafted website, cause the WebRTC encoder to use uninitialized memory, trigger memory corruption and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

7) Memory leak (CVE-ID: CVE-2018-5152)

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists because WebExtensions with the appropriate permissions can attach content scripts to Mozilla sites such as accounts.firefox.com and listen to network traffic to the site through the webRequest API. A remote attacker can intercept the username and an encrypted password during login to Firefox Accounts.

8) Out-of-bounds read (CVE-ID: CVE-2018-5153)

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists due to an out-of-bounds read in mixed content websocket messages. A remote attacker can send websocket data with mixed text and binary in a single message, corrupt binary data, and trigger an out-of-bounds read, with the read memory sent to the originating server in response.

9) Security restrictions bypass (CVE-ID: CVE-2018-5163)

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to replacement of cached data in the JavaScript start-up bytecode cache. A remote attacker with full control over a content process can replace the alternate data resources stored in the JavaScript Start-up Bytecode Cache (JSBC) for other JavaScript code, run the executed script with the parent process' privileges and escape the sandbox on content processes.

10) Cross-site scripting (CVE-ID: CVE-2018-5164)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists because Content Security Policy (CSP) is not applied correctly to all parts of multipart content sent with the multipart/x-mixed-replace MIME type. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


11) Security restrictions bypass (CVE-ID: CVE-2018-5166)

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists because WebExtensions can use request redirection and a filterResponseData filter. A remote attacker can bypass host permission settings to redirect network traffic and access content from a host for which he does not have explicit user permission.

12) Information disclosure (CVE-ID: CVE-2018-5167)

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists due to improper linkification of chrome: and javascript: content in the web console and JavaScript debugger. A remote attacker can supply specially crafted output and cause the JavaScript debugger to display some content as clickable links.

13) Security restrictions bypass (CVE-ID: CVE-2018-5168)

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to improper privileges or access controls. A remote attacker can manipulate the baseURI property of the theme element, bypass security restrictions and cause lightweight themes to be installed without user interaction which could contain offensive or embarrassing images.

14) Security restrictions bypass (CVE-ID: CVE-2018-5169)

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to improper privileges or access controls. A remote attacker can drag and drop specially crafted hyperlinked text containing a chrome: URL onto the "home" icon and cause the home page to be reset to include a normally-unlinkable chrome page as one of the home page tabs.

15) Security restrictions bypass (CVE-ID: CVE-2018-5172)

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists because the Live Bookmarks page and the PDF viewer can run injected script content from the clipboard. A remote attacker can trick the victim into copying and pasting script from the clipboard into the Live Bookmarks page and the PDF viewer while viewing RSS feeds or PDF files and run malicious script content in the context of the page.


16) Spoofing attack (CVE-ID: CVE-2018-5173)

The vulnerability allows a remote attacker to conduct a spoofing attack.

The vulnerability exists because the filename appearing in the Downloads panel improperly renders some Unicode characters. A remote attacker can spoof the filename and obscure the file extension of potentially executable files from user view in the panel.


17) Security restrictions bypass (CVE-ID: CVE-2018-5174)

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The vulnerability exists because the Windows Defender SmartScreen UI runs with less secure behavior for downloaded files. A remote attacker can bypass security restrictions and perform further attacks.


18) Security restrictions bypass (CVE-ID: CVE-2018-5175)

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The vulnerability exists due to improper security mechanism of Content Security Policy (CSP) protections on sites that have a script-src policy of 'strict-dynamic'. A remote attacker can inject a reference to a copy of the require.js library that is part of Firefox’s Developer Tools and bypass Content Security Policy (CSP) protections for sites that have a script-src policy of 'strict-dynamic'.


19) Cross-site scripting (CVE-ID: CVE-2018-5176)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists because the JSON Viewer displays clickable hyperlinks for strings that are parseable as URLs, including javascript: links. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
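
The linkification weaknesses in items 12 and 19 both come down to turning arbitrary strings into clickable links without restricting the URL scheme. The following is an added example, not Firefox source code, of a scheme allowlist applied after parsing; the function names and sample strings are assumptions made for illustration.

```javascript
// Added example: scheme allowlist for "linkify" features (not Firefox source).
const LINKABLE_SCHEMES = new Set(["http:", "https:"]);

// Returns a normalized href if `text` may become a clickable link, else null.
function safeLinkTarget(text) {
  let url;
  try {
    // Use the real URL parser: it lowercases the scheme and strips
    // tabs/newlines and leading whitespace, exactly as navigation would.
    url = new URL(text);
  } catch {
    return null; // not an absolute URL: render as plain text
  }
  return LINKABLE_SCHEMES.has(url.protocol) ? url.href : null;
}

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => (
    { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]
  ));
}

// Renders one string value the way a JSON viewer or console might.
function renderValue(text) {
  const href = safeLinkTarget(text);
  const label = escapeHtml(text);
  return href === null
    ? `<span>${label}</span>`
    : `<a href="${escapeHtml(href)}" rel="noreferrer">${label}</a>`;
}

// Constructed sample strings, as they might appear in JSON or log output.
const samples = [
  "https://example.com/a?b=1",
  "javascript:alert(1)",
  "JaVaScRiPt:alert(1)",
  "java\tscript:alert(1)",
  "chrome://browser/content/",
  "not a url",
];
for (const s of samples) console.log(JSON.stringify(s), "->", renderValue(s));
```

Checking the parsed `protocol` rather than a string prefix is what catches the mixed-case and embedded-tab variants in the samples.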


20) Buffer overflow (CVE-ID: CVE-2018-5177)

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The vulnerability exists due to a boundary error in XSLT during number formatting. A remote unauthenticated attacker can allocate negative buffer size, trigger memory corruption and cause the service to crash.


21) Security restrictions bypass (CVE-ID: CVE-2018-5165)

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The vulnerability exists because the Adobe Flash plugin setting for 'Enable Adobe Flash protected mode' displays the opposite status of the Adobe Flash sandbox. A remote attacker can bypass security restrictions and turn protections off.


22) Heap-use-after-free error (CVE-ID: CVE-2018-5180)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a heap-use-after-free error during WebGL operations. A remote attacker can trick the victim into visiting a specially crafted website, cause the memory to be freed and reused in a brief window of time during the freeing of the same callstack.

Successful exploitation of the vulnerability may result in system compromise.

23) Information disclosure (CVE-ID: CVE-2018-5181)

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists due to improper privileges or access controls. A remote attacker can drag and drop a URL using the file: protocol onto an open tab that is running in a different child process and cause the system to display local files in tabs or the hyperlink.


24) Information disclosure (CVE-ID: CVE-2018-5182)

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists due to improper privileges or access controls. A remote attacker can drag and drop a text string that happens to be a filename in the operating system's native format onto the address bar and cause the system to display local files in tabs.

25) Memory corruption (CVE-ID: CVE-2018-5151)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error when handling malicious input. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

26) Buffer overflow (CVE-ID: CVE-2018-5150)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error when handling malicious input. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

Remediation

Install the update from the vendor's website.