TTCSIRT-211.053119: TT-CSIRT Advisory – Mozilla Security Updates
Mozilla has released a security update stating that it has discovered the following vulnerabilities in Mozilla Firefox version 67.0:
a) Timing Attack Vulnerability (CVE-2019-9815) – if hyperthreading is not disabled, a timing attack vulnerability exists, similar to previous Spectre attacks.
c) Stealing of Cross Domain Images (CVE-2019-9817) – images from a different domain can be read using a canvas object in some circumstances. This could be used to steal image data from a different site in violation of the same-origin policy.
d) Race Condition Vulnerability (CVE-2019-9818) – a race condition is present in the crash generation server used to generate data for the crash reporter. This issue can lead to a use-after-free in the main process, resulting in a potentially exploitable crash and a sandbox escape.
Further information on these vulnerabilities and how they can be mitigated can be found on the Mozilla website at https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/