Government of the Republic of Trinidad and Tobago                                                                                                                                        


News

TTCSIRT-177.102918: TT-CSIRT Advisory – Mozilla Security Updates

29th October 2018

Mozilla has released a security stating that it has discovered the following vulnerabilities in Mozilla Firefox ver 63.0:

a) Crash with nested event loops – when manipulating user events in nested loops while opening a document through script, it is possible to trigger a potentially exploitable crash due to poor event handling (CVE-2018-12392).

b) Integer overflow during Unicode conversion while loading JavaScript – integer overflow during the conversion of scripts to an internal UTF-16 representation could result in allocating a buffer too small for the conversion. This leads to a possible out-of-bounds write (CVE-2018-12393).

c) WebExtension bypass of domain restrictions through header rewriting – by rewriting the Host request headers using the webRequest API, a WebExtension can bypass domain restrictions through domain fronting. This would allow access to domains that share a host that are otherwise restricted (CVE-2018-12395).

d) WebExtension content scripts can execute in disallowed contexts – a vulnerability where a WebExtension can run content scripts in disallowed contexts following navigation or other events. This allows for potential privilege escalation by the WebExtension on sites where content scripts should not be run (CVE-2018-12396).

Further information on these vulnerabilities and how they can be mitigated can be found on the Mozilla Website at https://www.mozilla.org/en-US/security/advisories/mfsa2018-26/