TTCSIRT-218.072519: TT-CSIRT Advisory – Mozilla Security Updates
Mozilla has released a security update stating that it has discovered the following issues in Mozilla FireFox:
a) Application permissions give additional remote troubleshooting permission to the site input.mozilla.org, which has been retired and now redirects to another site. This additional permission is unnecessary and is a potential vector for malicious attacks – (CVE-2019-11724).
b) A use-after-free vulnerability can occur in HTTP/2 when a cached HTTP/2 stream is closed while still in use, resulting in a potentially exploitable crash – (CVE-2019-11713).
c) Empty or malformed p256-ECDH public keys may trigger a segmentation fault due values being improperly sanitized before being copied into memory and used – (CVE-2019-11729).
d) The unicode latin ‘kra’ character can be used to spoof a standard ‘k’ character in the addressbar. This allows for domain spoofing attacks as do not display as punycode text, allowing for user confusion – (CVE-2019-11721).
e) When importing a curve25519 private key in PKCS#8format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure -(CVE-2019-11719).
| Further information on these vulnerabilities and how they can be mitigated can be found on the Mozilla Website at https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/ |