Releases Security Updates for Firefox, Thunderbird (May 22, 2019

Ref# Mozilla | Date: May 29th 2019

Description

The Microsoft Foundation released several security vulnerability fixes for the Firefox. Firefox ESR, and thunderbird. It is recommended to take the necessary precautions by ensuring products are always updated to avoid an attacker from exploiting one of these vulnerabilities by taking control of an affected system.

Mozilla Foundation Security Advisory 2019-13

Mozilla Release Security updates for Firefox includes: 2 Critical, 11 High, 6 Medium, and 2 low vulnerability fixes.

Critical

  • CVE-2019-9814: Memory safety bugs fixed in Firefox 67

          https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-9814

  • CVE-2019-9800: Memory safety bugs fixed in Firefox 67 and Firefox ESR 60.7

         https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-9800

High

  • CVE-2019-9815: Disable hyperthreading on content JavaScript threads on macOS

         https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-9815

  • CVE-2019-9816: Type confusion with object groups and UnboxedObjects

         https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-9816

  • CVE-2019-9817: Stealing of cross-domain images using canvas

         https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-9817

  • CVE-2019-9818: Use-after-free in crash generation server

         https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-9818

  • CVE-2019-9819: Compartment mismatch with fetch API

         https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-9819

  • CVE-2019-9820: Use-after-free of ChromeEventHandler by DocShell

         https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-9820

  • CVE-2019-9821: Use-after-free in AssertWorkerThread

         https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-9821

  • CVE-2019-11691: Use-after-free in XMLHttpRequest

         https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11691

  • CVE-2019-11692: Use-after-free removing listeners in the event listener manager

         https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11692

  • CVE-2019-11693: Buffer overflow in WebGL bufferdata on Linux

         https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11693

  • CVE-2019-7317: Use-after-free in png_image_free of libpng library

         https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-7317

Moderate

  • CVE-2019-11694: Uninitialized memory memory leakage in Windows sandbox

         https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11694

  • CVE-2019-11695: Custom cursor can render over user interface outside of web content

         https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11695

  • CVE-2019-11696: Java web start .JNLP files are not recognized as executable files for download prompts

          https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11696

  • CVE-2019-11697: Pressing key combinations can bypass installation prompt delays and install extensions

          https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11697

  • CVE-2019-11698: Theft of user history data through drag and drop of hyperlinks to and from bookmarks

         https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11698

  • CVE-2019-11700: res: protocol can be used to open known local files

         https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11700

Low

  • CVE-2019-11699: Incorrect domain name highlighting during page navigation

         https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11699

  • CVE-2019-11701: webcal: protocol default handler loads vulnerable web page

         https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11701

The Guyana National CIRT recommends that users and administration review these updates and apply them where necessary.

Reference

Microsoft Releases Security Updates to Address Remote Code Execution Vulnerability (US-Cert)

https://www.us-cert.gov/ncas/current-activity/2019/05/21/Mozilla-Releases-Security-Updates-Firefox