Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Firefox 69 Patches Critical Code Execution Flaw

Mozilla this week released Firefox 69 in the stable channel with patches for 20 vulnerabilities, including one code execution bug rated Critical severity.

Mozilla this week released Firefox 69 in the stable channel with patches for 20 vulnerabilities, including one code execution bug rated Critical severity.

The issue resides in the fact that, when Firefox is launched by another program, logging-related command line parameters are not properly sanitized. This would normally happen when the user clicks on a link in a chat application, for example.

An attacker looking to exploit the vulnerability could create malicious links that would be used to write a log file to an arbitrary location, such as the Windows ‘Startup’ folder. Tracked as CVE-2019-11751, the vulnerability only affects Firefox on Windows operating systems.

“Successful exploitation […] could allow for arbitrary code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” the Center for Internet Security (CIS) notes in an advisory.

CIS also assesses that these vulnerabilities represent a high risk to large and medium-sized government/business entities, but that they have only a medium impact on small government/business entities.

Firefox 69 also addresses 11 High severity vulnerabilities, 5 Medium risk bugs, and 3 Low severity flaws.

High severity issues addressed in this browser iteration include CVE-2019-11746 (a use-after-free that can occur while manipulating video elements), CVE-2019-11744 (Cross-Site Scripting resulting from some HTML elements containing literal angle brackets that are not treated as markup), and CVE-2019-11752 (a use-after-free residing in the possibility to delete an IndexedDB key value and subsequently trying to extract it during conversion).

Other flaws include a same-origin policy violation (CVE-2019-11742) allowing the theft of cross-origin images; a file manipulation and privilege escalation in Mozilla Maintenance Service (CVE-2019-11736); and privilege escalation with Mozilla Maintenance Service in a custom Firefox installation location (CVE-2019-11753).

Mozilla also addressed a sandbox escape through Firefox Sync (CVE-2019-9812) and isolated addons.mozilla.org and accounts.firefox.com into their own process, to prevent malicious manipulation (CVE-2019-11741).

The remaining High severity issues are memory safety bugs, some of which were found to impact Firefox ESR 68.1 (CVE-2019-11735), and Firefox ESR 68.1 and Firefox ESR 60.9 (CVE-2019-11740) as well. CVE-2019-11734 only impacts Firefox 68.

Medium risk vulnerabilities addressed in this browser iteration are CVE-2019-11743 (cross-origin access to unload event attributes), CVE-2019-11748 (persistence of WebRTC permissions in a third party context), CVE-2019-11749 (camera information available without prompting using getUserMedia), CVE-2019-5849 (out-of-bounds read in Skia), and CVE-2019-11750 (type confusion in Spidermonkey).

The three Low severity issues are CVE-2019-11737 (content security policy directives ignore port and path if host is a wildcard), CVE-2019-11738 (content security policy bypass through hash-based sources in directives), and CVE-2019-11747 (‘Forget about this site’ removes sites from pre-loaded HSTS list).

Related: Firefox Update to Address Antivirus TLS Errors

Related: Firefox Zero-Day Exploited to Deliver Malware to Cryptocurrency Exchanges

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Vulnerabilities

Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.