SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Browser)  >   Mozilla Firefox Vendors:   Mozilla.org
Mozilla Firefox Multiple Bugs Let Remote Users Spoof the Address Bar, Bypass Security Restrictions, and Execute Arbitrary Code
SecurityTracker Alert ID:  1041610
SecurityTracker URL:  http://securitytracker.com/id/1041610
CVE Reference:   CVE-2017-16541, CVE-2018-12375, CVE-2018-12376, CVE-2018-12377, CVE-2018-12378, CVE-2018-12379, CVE-2018-12381, CVE-2018-12382, CVE-2018-12383   (Links to External Site)
Updated:  Sep 7 2018
Original Entry Date:  Sep 7 2018
Impact:   Execution of arbitrary code via network, Modification of system information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   Multiple vulnerabilities were reported in Mozilla Firefox. A remote user can cause arbitrary code to be executed on the target user's system. A remote user can bypass security controls on the target system. A remote user can spoof the address bar.

A remote user can use a 'javascript:' URI with JavaScript to insert text before the domain name to spoof the address bar [CVE-2018-12382]. Firefox for Android is affected.

A remote user can create specially crafted content that, when loaded by the target user, will execute arbitrary code on the target user's system.

A use-after-free memory error may occur in certain cases when refresh driver timers are refreshed [CVE-2018-12377].

A use-after-free memory error may occur when an IndexedDB index is deleted while still in use [CVE-2018-12378].

An out-of-bounds memory write error may occur when the Mozilla Updater opens a MAR format file that contains a very long item filename [CVE-2018-12379].

When the automount feature with autofs is used to create a mount point on the local file system, content can be loaded from this file system using a 'file:' URI without being processed via the proxy settings [CVE-2017-16541]. macOS is affected. Linux-based systems with autofs installed are also affected.

When the target user drags and drops an Outlook email message into the browser, a page navigation may occur [CVE-2018-12381]. Windows-based systems with Outlook installed are affected.

When a master password is set after version 58.0, unencrypted passwords are not deleted [CVE-2018-12383].

Other memory safety errors may occur [CVE-2018-12375, CVE-2018-12376].

Alex Gaynor, Andrei Cristian Petcu, Bogdan Tara, Boris Zbarsky, Christian Holler, Christoph Diehl, Filippo Cavallarin, Gary Kwong, Holger Fuhrmannek, Jana Squires, Jason Kratzer, Jed Davis, Jesse Ruderman, Jordi Chancel, Jurgen Gaeremyn, Karl Tomlinson, Looben Yang, Mats Palmgren, Nicolas Grunbaum, Nika Layzell, Nils, Sebastian Hengst, Ted Campbell, Tyson Smith, and Zhanjia Song reported these vulnerabilities.

Impact:   A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.

A remote user can bypass security controls on the target system.

A remote user can spoof the address bar.

Solution:   The vendor has issued a fix (62.0).

The vendor has also issued a fix for CVE-2017-16541, CVE-2018-12376, CVE-2018-12377, CVE-2018-12378, CVE-2018-12379, and CVE-2018-12381 (ESR 60.2).

The vendor advisories are available at:

https://www.mozilla.org/en-US/security/advisories/mfsa2018-20/
https://www.mozilla.org/en-US/security/advisories/mfsa2018-21/

Vendor URL:  www.mozilla.org/en-US/security/advisories/mfsa2018-20/ (Links to External Site)
Cause:   Access control error, Input validation error, State error
Underlying OS:  Android, Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Sep 7 2018 (Ubuntu Issues Fix) Mozilla Firefox Multiple Bugs Let Remote Users Spoof the Address Bar, Bypass Security Restrictions, and Execute Arbitrary Code
Ubuntu has issued a fix for Ubuntu Linux 14.04 LTS, 16.04 LTS, and 18.04 LTS.
Sep 12 2018 (Red Hat Issues Fix) Mozilla Firefox Multiple Bugs Let Remote Users Spoof the Address Bar, Bypass Security Restrictions, and Execute Arbitrary Code
Red Hat has issued a fix for Red Hat Enterprise Linux 6 and 7.
Sep 14 2018 (Oracle Issues Fix for Oracle Linux) Mozilla Firefox Multiple Bugs Let Remote Users Spoof the Address Bar, Bypass Security Restrictions, and Execute Arbitrary Code
Oracle has issued a fix for Oracle Linux 7.
Sep 17 2018 (Ubuntu Issues Revised Fix) Mozilla Firefox Multiple Bugs Let Remote Users Spoof the Address Bar, Bypass Security Restrictions, and Execute Arbitrary Code
Ubuntu has issued a revised fix for Ubuntu Linux 14.04 LTS, 16.04 LTS, and 18.04 LTS to correct regressions.
Sep 27 2018 (Red Hat Issues Fix) Mozilla Firefox Multiple Bugs Let Remote Users Spoof the Address Bar, Bypass Security Restrictions, and Execute Arbitrary Code
Red Hat has issued a fix for Red Hat Enterprise Linux 6.
Sep 27 2018 (Red Hat Issues Fix) Mozilla Firefox Multiple Bugs Let Remote Users Spoof the Address Bar, Bypass Security Restrictions, and Execute Arbitrary Code
Red Hat has issued a fix for Red Hat Enterprise Linux 7.
Sep 28 2018 (Oracle Issues Fix for Oracle Linux) Mozilla Firefox Multiple Bugs Let Remote Users Spoof the Address Bar, Bypass Security Restrictions, and Execute Arbitrary Code
Oracle has issued a fix for Oracle Linux 7.
Oct 16 2018 (Ubuntu Issues Fix for Mozilla Thunderbird) Mozilla Firefox Multiple Bugs Let Remote Users Spoof the Address Bar, Bypass Security Restrictions, and Execute Arbitrary Code
Ubuntu has issued a fix for Mozilla Thunderbird for Ubuntu Linux 14.04 LTS, 16.04 LTS, and 18.04 LTS.
Nov 2 2018 (Oracle Issues Fix for Oracle Linux) Mozilla Firefox Multiple Bugs Let Remote Users Spoof the Address Bar, Bypass Security Restrictions, and Execute Arbitrary Code
Oracle has issued a fix for Oracle Linux 6.
Nov 5 2018 (Red Hat Issues Fix for Mozilla Thunderbird) Mozilla Firefox Multiple Bugs Let Remote Users Spoof the Address Bar, Bypass Security Restrictions, and Execute Arbitrary Code
Red Hat has issued a fix for Mozilla Thunderbird for Red Hat Enterprise Linux 7.
Nov 9 2018 (Oracle Issues Fix for Oracle Linux for Mozilla Thunderbird) Mozilla Firefox Multiple Bugs Let Remote Users Spoof the Address Bar, Bypass Security Restrictions, and Execute Arbitrary Code
Oracle has issued a fix for Mozilla Thunderbird for Oracle Linux 7.



 Source Message Contents



[Original Message Not Available for Viewing]


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC