TTCSIRT-211.053119: TT-CSIRT Advisory – Mozilla Security Updates
Mozilla has released a security update stating that it has discovered the following vulnerabilities in Mozilla FireFox ver67.0:
a) Timing Attack Vulnerability (CVE-2019-9815) – if hyperthreading is not disabled, a timing attack vulnerability exists, similar to previous Spectre attacks.
b) Type Confusion Vulnerability (CVE-2019-9816) – a possible vulnerability exists where type confusion can occur when manipulating JavaScript objects in object groups, allowing for the bypassing of security checks within these groups.
c) Stealing of Cross Domain Images (CVE-2019-9817) – images from a different domain can be read using a canvas object in some circumstances. This could be used to steal image data from a different site in violation of same-origin policy.
d) Race Condition Vulnerability (CVE-2019-9818) – a race condition is present in the crash generation server used to generate data for the crash reporter. This issue can lead to a use-after-free in the main process, resulting in a potentially exploitable crash and a sandbox escape.
| Further information on this vulnerability and how it can be mitigated can be found on the Mozilla Website at https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/ |