TTCSIRT-224.090919: TT-CSIRT Advisory – Mozilla Security Updates
Mozilla has released a security update stating that it has discovered the following issues in versions of Mozilla Firefox Browser prior to 69.0:
a) A use-after-free vulnerability can occur while manipulating video elements if the body is freed while still in use. This results in a potentially exploitable crash – (CVE-2019-11746).
b) Navigation events do not fully adhere to the W3C’s “Navigation-Timing Level 2” draft specification in some instances for the unload event, which restricts access to detailed timing attributes to only be same-origin. This results in potential cross-origin information exposure of history through timing side-channel attacks – (CVE-2019-11743).
c) The Mozilla Maintenance Service does not guard against files being hardlinked to another file in the updates directory, allowing for the replacement of local files, including the Maintenance Service executable, which is run with privileged access – (CVE-2019-11736).
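The hard-link condition described in item (c), shown as an added Python example that is not Mozilla's code or its fix: it flags files with more than one name in a directory and opens a file only when its handle reports a single link. The directory layout and file names are constructed placeholders, and the function names are hypothetical.

```python
import os
import stat
import tempfile


def find_hardlinked_files(directory):
    """Return sorted paths of regular files under `directory` with link count > 1."""
    flagged = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            st = os.lstat(path)  # lstat: inspect the entry itself, not a symlink target
            if stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
                flagged.append(path)
    return sorted(flagged)


def open_if_single_link(path):
    """Open `path` read-only and return the descriptor only if it is a regular
    file with exactly one name; otherwise return None.

    Checking the open handle (fstat) rather than the path avoids a gap between
    the check and the use of the file.
    """
    fd = os.open(path, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))
    st = os.fstat(fd)
    if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1:
        os.close(fd)
        return None
    return fd


def build_constructed_sample():
    """Create a throwaway tree: an 'updates' directory (placeholder name) holding
    one ordinary file and one entry hard-linked to a file outside it."""
    root = tempfile.mkdtemp(prefix="hardlink-demo-")
    updates = os.path.join(root, "updates")
    elsewhere = os.path.join(root, "elsewhere")
    os.mkdir(updates)
    os.mkdir(elsewhere)
    normal = os.path.join(updates, "staged-update.bin")   # constructed name
    target = os.path.join(elsewhere, "protected.bin")     # constructed name
    linked = os.path.join(updates, "linked-entry.bin")    # constructed name
    for p in (normal, target):
        with open(p, "wb") as f:
            f.write(b"constructed sample data")
    os.link(target, linked)  # second name for the file outside the directory
    return updates, normal, linked
```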
Further information on these vulnerabilities and how they can be mitigated can be found on the Mozilla Website at https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/