Description
Microsoft has released updates to address vulnerabilities in Firefox and Firefox ESR. It is recommended that you take the necessary precautions by ensuring your products are always kept up to date.
Security vulnerabilities fixed in Firefox 69
Critical
- CVE-2019-11751: Malicious code execution through command line parameters
https://bugzilla.mozilla.org/show_bug.cgi?id=1572838
High
- CVE-2019-11746: Use-after-free while manipulating video
https://bugzilla.mozilla.org/show_bug.cgi?id=1564449
- CVE-2019-11744: XSS by breaking out of title and textarea elements using innerHTML
https://bugzilla.mozilla.org/show_bug.cgi?id=1562033
- CVE-2019-11742: Same-origin policy violation with SVG filters and canvas to steal cross-origin images
https://bugzilla.mozilla.org/show_bug.cgi?id=1559715
- CVE-2019-11736: File manipulation and privilege escalation in Mozilla Maintenance Service
https://bugzilla.mozilla.org/show_bug.cgi?id=1551913
https://bugzilla.mozilla.org/show_bug.cgi?id=1552206
- CVE-2019-11753: Privilege escalation with Mozilla Maintenance Service in custom Firefox installation location
https://bugzilla.mozilla.org/show_bug.cgi?id=1574980
- CVE-2019-11752: Use-after-free while extracting a key value in IndexedDB
https://bugzilla.mozilla.org/show_bug.cgi?id=1501152
- CVE-2019-9812: Sandbox escape through Firefox Sync
https://bugzilla.mozilla.org/show_bug.cgi?id=1538008
https://bugzilla.mozilla.org/show_bug.cgi?id=1538015
- CVE-2019-11741: Isolate addons.mozilla.org and accounts.firefox.com
https://bugzilla.mozilla.org/show_bug.cgi?id=1539595
- CVE-2019-11734: Memory safety bugs fixed in Firefox 69
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1352875%2C1536227%2C1557208%2C1560641
- CVE-2019-11735: Memory safety bugs fixed in Firefox 69 and Firefox ESR 68.1
- CVE-2019-11740: Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox ESR 60.9
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1563133%2C1573160
Moderate
- CVE-2019-11743: Cross-origin access to unload event attributes
https://bugzilla.mozilla.org/show_bug.cgi?id=1560495
https://w3c.github.io/navigation-timing
- CVE-2019-11748: Persistence of WebRTC permissions in a third party context
https://bugzilla.mozilla.org/show_bug.cgi?id=1564588
- CVE-2019-11749: Camera information available without prompting using getUserMedia
https://bugzilla.mozilla.org/show_bug.cgi?id=1565374
- CVE-2019-5849: Out-of-bounds read in Skia
https://bugzilla.mozilla.org/show_bug.cgi?id=1555838
- CVE-2019-11750: Type confusion in Spidermonkey
https://bugzilla.mozilla.org/show_bug.cgi?id=1568397
Low
- CVE-2019-11737: Content security policy directives ignore port and path if host is a wildcard
https://bugzilla.mozilla.org/show_bug.cgi?id=1388015
- CVE-2019-11738: Content security policy bypass through hash-based sources in directives
https://bugzilla.mozilla.org/show_bug.cgi?id=1452037
- CVE-2019-11747: 'Forget about this site' removes sites from pre-loaded HSTS list
https://bugzilla.mozilla.org/show_bug.cgi?id=1564481
Security vulnerabilities fixed in Firefox ESR 68.1
Critical
- CVE-2019-11751: Malicious code execution through command line parameters
https://bugzilla.mozilla.org/show_bug.cgi?id=1572838
High
- CVE-2019-11746: Use-after-free while manipulating video
https://bugzilla.mozilla.org/show_bug.cgi?id=1564449
- CVE-2019-11744: XSS by breaking out of title and textarea elements using innerHTML
https://bugzilla.mozilla.org/show_bug.cgi?id=1562033
- CVE-2019-11742: Same-origin policy violation with SVG filters and canvas to steal cross-origin images
https://bugzilla.mozilla.org/show_bug.cgi?id=1559715
- CVE-2019-11736: File manipulation and privilege escalation in Mozilla Maintenance Service
https://bugzilla.mozilla.org/show_bug.cgi?id=1551913
https://bugzilla.mozilla.org/show_bug.cgi?id=1552206
- CVE-2019-11753: Privilege escalation with Mozilla Maintenance Service in custom Firefox installation location
https://bugzilla.mozilla.org/show_bug.cgi?id=1574980
- CVE-2019-11752: Use-after-free while extracting a key value in IndexedDB
https://bugzilla.mozilla.org/show_bug.cgi?id=1501152
- CVE-2019-9812: Sandbox escape through Firefox Sync
https://bugzilla.mozilla.org/show_bug.cgi?id=1538008
https://bugzilla.mozilla.org/show_bug.cgi?id=1538015
- CVE-2019-11735: Memory safety bugs fixed in Firefox 69 and Firefox ESR 68.1
- CVE-2019-11740: Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox ESR 60.9
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1563133%2C1573160
Moderate
- CVE-2019-11743: Cross-origin access to unload event attributes
https://bugzilla.mozilla.org/show_bug.cgi?id=1560495
https://w3c.github.io/navigation-timing
- CVE-2019-11748: Persistence of WebRTC permissions in a third party context
https://bugzilla.mozilla.org/show_bug.cgi?id=1564588
- CVE-2019-11749: Camera information available without prompting using getUserMedia
https://bugzilla.mozilla.org/show_bug.cgi?id=1565374
- CVE-2019-11750: Type confusion in Spidermonkey
https://bugzilla.mozilla.org/show_bug.cgi?id=1568397
Low
- CVE-2019-11738: Content security policy bypass through hash-based sources in directives
https://bugzilla.mozilla.org/show_bug.cgi?id=1452037
- CVE-2019-11747: 'Forget about this site' removes sites from pre-loaded HSTS list
https://bugzilla.mozilla.org/show_bug.cgi?id=1564481
Security vulnerabilities fixed in Firefox ESR 60.9
High
- CVE-2019-11746: Use-after-free while manipulating video
https://bugzilla.mozilla.org/show_bug.cgi?id=1564449
- CVE-2019-11744: XSS by breaking out of title and textarea elements using innerHTML
https://bugzilla.mozilla.org/show_bug.cgi?id=1562033
- CVE-2019-11742: Same-origin policy violation with SVG filters and canvas to steal cross-origin images
https://bugzilla.mozilla.org/show_bug.cgi?id=1559715
- CVE-2019-11753: Privilege escalation with Mozilla Maintenance Service in custom Firefox installation location
https://bugzilla.mozilla.org/show_bug.cgi?id=1574980
- CVE-2019-11752: Use-after-free while extracting a key value in IndexedDB
https://bugzilla.mozilla.org/show_bug.cgi?id=1501152
- CVE-2019-9812: Sandbox escape through Firefox Sync
https://bugzilla.mozilla.org/show_bug.cgi?id=1538008
https://bugzilla.mozilla.org/show_bug.cgi?id=1538015
- CVE-2019-11740: Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox ESR 60.9
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1563133%2C1573160
Moderate
- CVE-2019-11743: Cross-origin access to unload event attributes
https://bugzilla.mozilla.org/show_bug.cgi?id=1560495
https://w3c.github.io/navigation-timing
The Guyana National CIRT recommends that users and administrators review these updates and apply them where necessary.
Reference
• Microsoft releases security updates for Firefox and Firefox ESR (US-CERT)