Critical vulnerabilities have been discovered in the Mozilla Firefox web browser and Firefox Extended Support Release (ESR), and a high-severity bug has been reported for Google Chrome, all of which could allow for arbitrary code execution.
The bugs were announced as part of larger updates (to Chrome 78 stable channel release, Firefox 70 and Firefox ESR 68.2) that also included several fixes for high-severity and moderate flaws.
“Depending on the privileges associated with the user, an attacker could then install programs; view, change or delete data; or create new accounts with full user rights,” MS-ISAC said in an emailed advisory. “Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.”
Mozilla Firefox Bugs
One tracker, CVE-2019-11764, encompasses multiple critical memory safety bugs in Firefox 69 and Firefox ESR 68.1.
“Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could be exploited to run arbitrary code,” Mozilla Foundation said in its advisory, issued Tuesday.
According to the Multi-State Information Sharing and Analysis Center (MS-ISAC), the impact of the bug depends on privilege level. It also said that large and medium government entities and enterprises are at the highest risk.
Mozilla also patched a slew of other vulnerabilities with the update. Out of these, three are rated “high” in severity level and five are rated “moderate.”
The high-severity bugs in Firefox ESR include a heap overflow in the expat library in XML_GetCurrentLineNumber (CVE-2019-15903); a potentially exploitable crash due to 360 Total Security (CVE-2019-11758); and a use-after-free bug that occurs when creating index updates in IndexedDB (CVE-2019-11757).
The moderate issues in Firefox ESR consist of a stack buffer overflow in HKDF output (CVE-2019-11759); a stack buffer overflow in WebRTC networking (CVE-2019-11760); unintended access to a privileged JSONView object (CVE-2019-11761); incorrect HTML parsing resulting in a cross-site scripting (XSS) bypass technique (CVE-2019-11763); and a same-origin-property violation in document.domain-based origin isolation (CVE-2019-11762).
The high-severity bugs in Mozilla Firefox include CVE-2019-15903 and CVE-2019-11757, both also found in Firefox ESR, as well as a heap buffer overflow in FEC processing in WebRTC (CVE-2018-6156).
The moderate issues include all of those found in Firefox ESR and detailed above, as well as a CSP bypass using an object tag with a data: URI (CVE-2019-17000); an additional CSP bypass using an object tag when script-src ‘none’ is specified (CVE-2019-17001); incorrect permissions that could be granted to a website (CVE-2019-11765); and upgrade-insecure-requests not being honored for links that are dragged and dropped (CVE-2019-17002).
MS-ISAC recommends patching immediately after appropriate testing. Other best practices include running all software as a non-privileged user by default, applying the principle of least privilege to all systems and services, and reminding users not to visit untrusted websites or follow untrusted links.
Google Chrome Bugs