Releases Security Updates (March 19, 2019)

Ref# Mozilla | Date: Apr 24th 2019

Description

The Mozilla Foundation has released several security vulnerability fixes for Firefox and Firefox ESR. It I recommended to take the necessary precautions by ensuring your products are always updated to avoid an attacker from exploiting one of these vulnerabilities by taking control of an affected system. 

The Firefox 66 update includes, 5 critical, 7 high, 5 moderate and 4 low vulnerability fixes.

Critical

  • CVE-2019-9790: Use-after-free when removing in-use DOM elements
  • CVE-2019-9791: Type inference is incorrect for constructors entered through on-stack replacement with IonMonkey
  •  CVE-2019-9792: IonMonkey leaks JS_OPTIMIZED_OUT magic value to script
  • CVE-2019-9789: Memory safety bugs fixed in Firefox 66
  • CVE-2019-9788: Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6

High

  • CVE-2019-9793: Improper bounds checks when Spectre mitigations are disabled
  • CVE-2019-9794: Command line arguments not discarded during execution
  • CVE-2019-9795: Type-confusion in IonMonkey JIT compiler
  • CVE-2019-9796: Use-after-free with SMIL animation controller
  • CVE-2019-9797: Cross-origin theft of images with createImageBitmap
  • CVE-2019-9798: Library is loaded from world writable APITRACE_LIB location
  • CVE-2019-9799: Information disclosure via IPC channel messages

Moderate

  • CVE-2019-9801: Windows programs that are not “URL Handlers” are exposed to web content
  • CVE-2019-9802: Chrome process information leak
  • CVE-2019-9803: Upgrade-Insecure-Requests incorrectly enforced for same-origin navigation
  • CVE-2019-9804: Code execution through “Copy as cURL” in Firefox Developer Tools on macOS
  • CVE-2019-9805: Potential use of uninitialized memory in Prio

Low

  • CVE-2019-9806: Denial of service through successive FTP authorization prompts
  • CVE-2019-9807: Text sent through FTP connection can be incorporated into alert messages
  • CVE-2019-9809: Denial of service through FTP modal alert error messages
  • CVE-2019-9808: WebRTC permissions can display incorrect origin with data: and blob: URLs

The Firefox ESR 6o.6 update includes, 4 critical, 4 high, 2 moderate vulnerability fixes.

Critical

  • CVE-2019-9790: Use-after-free when removing in-use DOM elements
  • CVE-2019-9791: Type inference is incorrect for constructors entered through on-stack replacement with IonMonkey
  • CVE-2019-9792: IonMonkey leaks JS_OPTIMIZED_OUT magic value to script
  • CVE-2019-9788: Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6

High

  • CVE-2019-9793: Improper bounds checks when Spectre mitigations are disabled
  • CVE-2019-9794: Command line arguments not discarded during execution
  • CVE-2019-9795: Type-confusion in IonMonkey JIT compiler
  • CVE-2019-9796: Use-after-free with SMIL animation controller

Moderate

  • CVE-2019-9801: Windows programs that are not “URL Handlers” are exposed to web content
  • CVE-2018-18506: Proxy Auto-Configuration file can define localhost access to be proxied

The Guyana National CIRT recommends that users and administration review these updates and apply them where necessary.

Reference

  • Mozilla Foundation Security Advisory (US-Cert)

https://www.us-cert.gov/ncas/current-activity/2019/03/19/Mozilla-Releases-Security-Updates-Firefox