Mozilla has released security updates for Firefox, Firefox ESR and Thunderbird. Eleven vulnerabilities were identified and fixed in Firefox, and eight each in Firefox ESR and Thunderbird. The advisories have been ranked high in severity, which indicates that the vulnerabilities can be used to gather sensitive data from sites in other windows, or to inject data or code into those sites, with just normal browsing actions. Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code, gain access to sensitive information or conduct denial of service attacks.
Important high severity vulnerabilities in Mozilla Firefox, Firefox ESR and Thunderbird
- CVE-2019-17008 : A use-after-free issue exists when using nested workers. During worker destruction, a use-after-free issue could occur leading to a potentially exploitable crash.
- CVE-2019-13722 : A stack corruption issue exists when setting a thread name on Windows in WebRTC. When an incorrect number of arguments have been supplied, it could lead to a potentially exploitable crash. This vulnerability only affects Windows systems.
- CVE-2019-11745 : An out-of-bounds write issue exists when encrypting with a block cipher. A small out-of-bounds write could occur if a call to NSC_EncryptUpdate was made with data smaller than the block size. This can lead to heap corruption and a potentially exploitable crash.
- CVE-2019-17012 : A set of memory safety bugs showed evidence of memory corruption and could be exploited to run arbitrary code.
Other important vulnerabilities
- CVE-2019-17009 is an information disclosure vulnerability that exists because the updater service writes status and log files to an unrestricted location.
- CVE-2019-17010 is a use-after-free issue that arises when checking the Resist Fingerprinting preference during device orientation checks. This flaw can lead to a potentially exploitable crash.
- CVE-2019-17011 is a use-after-free issue that arises when retrieving a document from a DocShell in the antitracking code, which could lead to a potentially exploitable crash.
- CVE-2019-17005 is a buffer overflow issue in the text serializer, which uses a fixed-size array for the number of elements it can process. It is possible to overflow this static-sized array, leading to memory corruption and a potentially exploitable crash.
The other important vulnerabilities in Firefox are CVE-2019-11756 and CVE-2019-17013. CVE-2019-11756 is a use-after-free issue in the SFTKSession object, and CVE-2019-17013 covers a set of memory safety bugs.
Affected versions
- Mozilla Firefox versions before 71
- Mozilla Firefox ESR versions before 68.3
- Mozilla Thunderbird versions before 68.3
Fixed versions
- Mozilla Firefox version 71
- Mozilla Firefox ESR version 68.3
- Mozilla Thunderbird version 68.3
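
The version thresholds above can be checked against a software inventory. The following is an added example, not part of the original advisory or Mozilla's tooling. It assumes version banners of the form printed by `firefox --version` or `thunderbird --version`, and that ESR builds carry an `esr` suffix; the sample lines are constructed.

```python
import re

# Fixed releases as listed on this page, as (major, minor)
FIXED = {"firefox": (71, 0), "firefox-esr": (68, 3), "thunderbird": (68, 3)}

# Assumed banner shapes: "Mozilla Firefox 70.0.1", "Mozilla Firefox 68.2.0esr",
# "Thunderbird 68.2.2". Anything else (betas, nightlies) is left for manual review.
BANNER = re.compile(
    r"^\s*(?:Mozilla\s+)?(Firefox|Thunderbird)\s+(\d+(?:\.\d+)*)(esr)?\s*$", re.I)

def classify(banner):
    """Return (product, version_tuple, status) for one version banner line."""
    m = BANNER.match(banner)
    if not m:
        return (None, None, "unrecognized")
    name, ver, esr = m.group(1).lower(), m.group(2), m.group(3)
    # A non-ESR Firefox 68.x is still "before 71", so only the esr suffix
    # selects the 68.3 threshold.
    product = "firefox-esr" if (name == "firefox" and esr) else name
    version = tuple(int(p) for p in ver.split("."))
    major_minor = (version + (0,))[:2]  # pad so "71" compares as (71, 0)
    status = "needs update" if major_minor < FIXED[product] else "fixed"
    return (product, version, status)

def audit(inventory):
    """Return the (host, banner, status) rows that are not confirmed fixed."""
    rows = []
    for host, banner in inventory:
        status = classify(banner)[2]
        if status != "fixed":
            rows.append((host, banner, status))
    return rows

# Constructed sample inventory (host names and versions are illustrative)
SAMPLE = [
    ("ws-01", "Mozilla Firefox 70.0.1"),
    ("ws-02", "Mozilla Firefox 71.0"),
    ("ws-03", "Mozilla Firefox 68.2.0esr"),
    ("ws-04", "Mozilla Firefox 68.3.0esr"),
    ("ws-05", "Thunderbird 68.2.2"),
    ("ws-06", "Mozilla Firefox 71.0b12"),
]

if __name__ == "__main__":
    for host, banner, status in audit(SAMPLE):
        print(f"{host}: {banner!r} -> {status}")
```

Note that CVE-2019-13722 applies only to Windows systems, so the other platforms in an inventory are exposed to the remaining issues only.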