Microsoft Releases Security Updates for Firefox and Firefox ESR (September 04, 2019)

Description

Microsoft has release updates to address a vulnerability in Firefox and Firefox ESR. It is recommended that you take the necessary precautions by ensuring your products are always updated.

Security vulnerabilities fixed in Firefox 69

Critical

  • CVE-2019-11751: Malicious code execution through command line parameters

          https://bugzilla.mozilla.org/show_bug.cgi?id=1572838

High

  • CVE-2019-11746: Use-after-free while manipulating video

         https://bugzilla.mozilla.org/show_bug.cgi?id=1564449

  • CVE-2019-11744: XSS by breaking out of title and textarea elements using innerHTML

          https://bugzilla.mozilla.org/show_bug.cgi?id=1562033

  • CVE-2019-11742: Same-origin policy violation with SVG filters and canvas to steal cross-origin images

          https://bugzilla.mozilla.org/show_bug.cgi?id=1559715

  • CVE-2019-11736: File manipulation and privilege escalation in Mozilla Maintenance Service

         https://bugzilla.mozilla.org/show_bug.cgi?id=1551913

         https://bugzilla.mozilla.org/show_bug.cgi?id=1552206

  • CVE-2019-11753: Privilege escalation with Mozilla Maintenance Service in custom Firefox installation location

          https://bugzilla.mozilla.org/show_bug.cgi?id=1574980

  • CVE-2019-11752: Use-after-free while extracting a key value in IndexedDB

          https://bugzilla.mozilla.org/show_bug.cgi?id=1501152

  • CVE-2019-9812: Sandbox escape through Firefox Sync

          https://bugzilla.mozilla.org/show_bug.cgi?id=1538008

          https://bugzilla.mozilla.org/show_bug.cgi?id=1538015

  • CVE-2019-11741: Isolate addons.mozilla.org and accounts.firefox.com

          https://bugzilla.mozilla.org/show_bug.cgi?id=1539595

  • CVE-2019-11734: Memory safety bugs fixed in Firefox 69

          https://bugzilla.mozilla.org/buglist.cgi?bug_id=1352875%2C1536227%2C1557208%2C1560641

  • CVE-2019-11735: Memory safety bugs fixed in Firefox 69 and Firefox ESR 68.1

          https://bugzilla.mozilla.org/buglist.cgi?        bug_id=1561404%2C1561484%2C1568047%2C1561912%2C1565744%2C1568858%2C1570358

  • CVE-2019-11740: Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox ESR 60.9

          https://bugzilla.mozilla.org/buglist.cgi?bug_id=1563133%2C1573160

Moderate

  • CVE-2019-11743: Cross-origin access to unload event attributes

          https://bugzilla.mozilla.org/show_bug.cgi?id=1560495

          https://w3c.github.io/navigation-timing

  • CVE-2019-11748: Persistence of WebRTC permissions in a third party context

          https://bugzilla.mozilla.org/show_bug.cgi?id=1564588

  • CVE-2019-11749: Camera information available without prompting using getUserMedia

          https://bugzilla.mozilla.org/show_bug.cgi?id=1565374

  • CVE-2019-5849: Out-of-bounds read in Skia

          https://bugzilla.mozilla.org/show_bug.cgi?id=1555838

  • CVE-2019-11750: Type confusion in Spidermonkey

          https://bugzilla.mozilla.org/show_bug.cgi?id=1568397

Low

  • CVE-2019-11737: Content security policy directives ignore port and path if host is a wildcard

          https://bugzilla.mozilla.org/show_bug.cgi?id=1388015

  • CVE-2019-11738: Content security policy bypass through hash-based sources in directives

          https://bugzilla.mozilla.org/show_bug.cgi?id=1452037

  • CVE-2019-11747: 'Forget about this site' removes sites from pre-loaded HSTS list

          https://bugzilla.mozilla.org/show_bug.cgi?id=1564481

 

Security vulnerabilities fixed in Firefox ESR 68.1

Critical

  • CVE-2019-11751: Malicious code execution through command line parameters

          https://bugzilla.mozilla.org/show_bug.cgi?id=1572838

High

  • CVE-2019-11746: Use-after-free while manipulating video

          https://bugzilla.mozilla.org/show_bug.cgi?id=1564449

  • CVE-2019-11744: XSS by breaking out of title and textarea elements using innerHTML

          https://bugzilla.mozilla.org/show_bug.cgi?id=1562033

  • CVE-2019-11742: Same-origin policy violation with SVG filters and canvas to steal cross-origin images

          https://bugzilla.mozilla.org/show_bug.cgi?id=1559715

  • CVE-2019-11736: File manipulation and privilege escalation in Mozilla Maintenance Service

          https://bugzilla.mozilla.org/show_bug.cgi?id=1551913

          https://bugzilla.mozilla.org/show_bug.cgi?id=1552206

  • CVE-2019-11753: Privilege escalation with Mozilla Maintenance Service in custom Firefox installation location

          https://bugzilla.mozilla.org/show_bug.cgi?id=1574980

  • CVE-2019-11752: Use-after-free while extracting a key value in IndexedDB

          https://bugzilla.mozilla.org/show_bug.cgi?id=1501152

  • CVE-2019-9812: Sandbox escape through Firefox Sync

          https://bugzilla.mozilla.org/show_bug.cgi?id=1538008

          https://bugzilla.mozilla.org/show_bug.cgi?id=1538015

  • CVE-2019-11735: Memory safety bugs fixed in Firefox 69 and Firefox ESR 68.1

 https://bugzilla.mozilla.org/buglist.cgi? bug_id=1561404%2C1561484%2C1568047%2C1561912%2C1565744%2C1568858%2C1570358

  • CVE-2019-11740: Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox ESR 60.9

          https://bugzilla.mozilla.org/buglist.cgi?bug_id=1563133%2C1573160

Moderate

  • CVE-2019-11743: Cross-origin access to unload event attributes

          https://bugzilla.mozilla.org/show_bug.cgi?id=1560495

          https://w3c.github.io/navigation-timing

  • CVE-2019-11748: Persistence of WebRTC permissions in a third party context

          https://bugzilla.mozilla.org/show_bug.cgi?id=1564588

  • CVE-2019-11749: Camera information available without prompting using getUserMedia

          https://bugzilla.mozilla.org/show_bug.cgi?id=1565374

  • CVE-2019-11750: Type confusion in Spidermonkey

          https://bugzilla.mozilla.org/show_bug.cgi?id=1568397

Low

  • CVE-2019-11738: Content security policy bypass through hash-based sources in directives

          https://bugzilla.mozilla.org/show_bug.cgi?id=1452037

  • CVE-2019-11747: 'Forget about this site' removes sites from pre-loaded HSTS list

          https://bugzilla.mozilla.org/show_bug.cgi?id=1564481

 

Security vulnerabilities fixed in Firefox ESR 60.9

High

  • CVE-2019-11746: Use-after-free while manipulating video

          https://bugzilla.mozilla.org/show_bug.cgi?id=1564449

  • CVE-2019-11744: XSS by breaking out of title and textarea elements using innerHTML

          https://bugzilla.mozilla.org/show_bug.cgi?id=1562033

  • CVE-2019-11742: Same-origin policy violation with SVG filters and canvas to steal cross-origin images

          https://bugzilla.mozilla.org/show_bug.cgi?id=1559715

  • CVE-2019-11753: Privilege escalation with Mozilla Maintenance Service in custom Firefox installation location

         https://bugzilla.mozilla.org/show_bug.cgi?id=1574980

  • CVE-2019-11752: Use-after-free while extracting a key value in IndexedDB

          https://bugzilla.mozilla.org/show_bug.cgi?id=1501152

  • CVE-2019-9812: Sandbox escape through Firefox Sync

          https://bugzilla.mozilla.org/show_bug.cgi?id=1538008

          https://bugzilla.mozilla.org/show_bug.cgi?id=1538015

  • CVE-2019-11740: Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox ESR 60.9

          https://bugzilla.mozilla.org/buglist.cgi?bug_id=1563133%2C1573160

Moderate

  • CVE-2019-11743: Cross-origin access to unload event attributes

          https://bugzilla.mozilla.org/show_bug.cgi?id=1560495

          https://w3c.github.io/navigation-timing

The Guyana National CIRT recommends users and administration to review these updates and to apply them where necessary.

Reference

•    Microsoft release Security updates for Firefox and Firefox ESR (US-Cert)

https://www.us-cert.gov/ncas/current-activity/2019/09/04/mozilla-releases-security-updates-firefox-and-firefox-esr