Firefox, Chrome Bugs Allow Arbitrary Code-Execution


Multiple critical memory-safety bugs in Firefox 69 and Firefox ESR 68.1 pose the greatest risk to medium and large government entities and enterprises.

Critical vulnerabilities have been discovered in the Mozilla Firefox web browser and Firefox Extended Support Release (ESR), and a high-severity bug has been reported for Google Chrome, all of which could allow for arbitrary code execution.

The bugs were announced as part of larger updates (to Chrome 78 stable channel release, Firefox 70 and Firefox ESR 68.2) that also included several fixes for high-severity and moderate flaws.

“Depending on the privileges associated with the user, an attacker could then install programs; view, change or delete data; or create new accounts with full user rights,” MS-ISAC said in an emailed advisory. “Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.”

A single identifier, CVE-2019-11764, covers multiple critical memory-safety bugs in Firefox 69 and Firefox ESR 68.1.

“Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could be exploited to run arbitrary code,” Mozilla Foundation said in its advisory, issued Tuesday.

According to the Multi-State Information Sharing and Analysis Center (MS-ISAC), the impact of the bug depends on privilege level. It also said that large and medium government entities and enterprises are at the most risk.

Mozilla also patched a slew of other vulnerabilities with the update. Out of these, three are rated “high” in severity level and five are rated “moderate.”

The high-severity bugs in Firefox ESR include a heap overflow in the expat library in XML_GetCurrentLineNumber (CVE-2019-15903); a potentially exploitable crash caused by 360 Total Security (CVE-2019-11758); and a use-after-free bug that occurs when creating index updates in IndexedDB (CVE-2019-11757).

The moderate issues in Firefox ESR consist of a stack buffer overflow in HKDF output (CVE-2019-11759); a stack buffer overflow in WebRTC networking (CVE-2019-11760); unintended access to a privileged JSONView object (CVE-2019-11761); incorrect HTML parsing that results in a cross-site scripting (XSS) bypass technique (CVE-2019-11763); and a same-origin-property violation in document.domain-based origin isolation (CVE-2019-11762).

The high-severity bugs in Mozilla Firefox include CVE-2019-15903 and CVE-2019-11757 found in Firefox ESR, as well as a heap buffer overflow in FEC processing in WebRTC (CVE-2018-6156).

The moderate issues in Firefox include all of those found in Firefox ESR and detailed above, as well as a CSP bypass using an object tag with a data: URI (CVE-2019-17000); an additional CSP bypass using an object tag when script-src 'none' is specified (CVE-2019-17001); incorrect permissions that could be granted to a website (CVE-2019-11765); and upgrade-insecure-requests not being honored for links that are dragged and dropped (CVE-2019-17002).

MS-ISAC recommends patching immediately after appropriate testing. Other best practices include running all software as a non-privileged user by default, applying the principle of least privilege to all systems and services, and reminding users not to visit untrusted websites or follow untrusted links.

Google Chrome Bugs

The Google Chrome update includes 37 security fixes, the most severe of which earned its reporter (Man Yue Mo of the Semmle Security Research Team) a $20,000 bounty. CVE-2019-13699 is a high-severity use-after-free bug in media. Few details are available, but MS-ISAC said that successful exploitation could allow an attacker to execute arbitrary code in the context of the browser, obtain sensitive information, bypass security restrictions and perform unauthorized actions, or cause denial-of-service conditions.

The other two high-severity bugs fixed in the update are CVE-2019-13700, a buffer overrun in Blink; and CVE-2019-13701, a URL spoof in navigation.

Google also patched several medium- and low-severity bugs, ranging from privilege escalation and CSP bypasses to out-of-bounds reads and a buffer overflow.
