Microsoft Releases Security Updates for Firefox and Firefox ESR (July 09, 2019)

Description

Microsoft has released updates to address vulnerabilities in Firefox and Firefox ESR. It is recommended that you take the necessary precautions by ensuring your products are always up to date.

Security vulnerabilities fixed in Firefox 68

Critical

  • CVE-2019-11710: Memory safety bugs fixed in Firefox 68

        https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11710

  • CVE-2019-11709: Memory safety bugs fixed in Firefox 68 and Firefox ESR 60.8

        https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11709

High

  • CVE-2019-9811: Sandbox escape via installation of malicious language pack

        https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-9811

  • CVE-2019-11711: Script injection within domain through inner window reuse

        https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11711

  • CVE-2019-11712: Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects

        https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11712

  • CVE-2019-11713: Use-after-free with HTTP/2 cached stream

        https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11713

Moderate

  • CVE-2019-11714: NeckoChild can trigger crash when accessed off of main thread

        https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11714

  • CVE-2019-11729: Empty or malformed p256-ECDH public keys may trigger a segmentation fault

        https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11729

  • CVE-2019-11715: HTML parsing error can contribute to content XSS

        https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11715

  • CVE-2019-11716: globalThis not enumerable until accessed

        https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11716

  • CVE-2019-11717: Caret character improperly escaped in origins

        https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11717

  • CVE-2019-11718: Activity Stream writes unsanitized content to innerHTML

        https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11718

  • CVE-2019-11719: Out-of-bounds read when importing curve25519 private key

        https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11719

  • CVE-2019-11720: Character encoding XSS vulnerability

        https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11720

  • CVE-2019-11721: Domain spoofing through unicode latin 'kra' character

        https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11721

  • CVE-2019-11730: Same-origin policy treats all files in a directory as having the same-origin

        https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11730

Low

  • CVE-2019-11723: Cookie leakage during add-on fetching across private browsing boundaries

        https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11723

  • CVE-2019-11724: Retired site input.mozilla.org has remote troubleshooting permissions

        https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11724

  • CVE-2019-11725: Websocket resources bypass safebrowsing protections

        https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11725

  • CVE-2019-11727: PKCS#1 v1.5 signatures can be used for TLS 1.3

        https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11727

  • CVE-2019-11728: Port scanning through Alt-Svc header

        https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11728


Security vulnerabilities fixed in Firefox ESR 60.8

Critical

  • CVE-2019-11709: Memory safety bugs fixed in Firefox 68 and Firefox ESR 60.8

        https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11709

High

  • CVE-2019-9811: Sandbox escape via installation of malicious language pack

        https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-9811

  • CVE-2019-11711: Script injection within domain through inner window reuse

        https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11711

  • CVE-2019-11712: Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects

        https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11712

  • CVE-2019-11713: Use-after-free with HTTP/2 cached stream

        https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11713

Moderate

  • CVE-2019-11729: Empty or malformed p256-ECDH public keys may trigger a segmentation fault

        https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11729

  • CVE-2019-11715: HTML parsing error can contribute to content XSS

        https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11715

  • CVE-2019-11717: Caret character improperly escaped in origins

        https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11717

  • CVE-2019-11719: Out-of-bounds read when importing curve25519 private key

        https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11719

  • CVE-2019-11730: Same-origin policy treats all files in a directory as having the same-origin

        https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11730

The Guyana National CIRT recommends that users and administrators review these updates and apply them where necessary.

Reference

  • Microsoft releases security updates for Firefox and Firefox ESR (US-CERT)

        https://www.us-cert.gov/ncas/current-activity/2019/07/09/mozilla-releases-security-updates-firefox-and-firefox-esr