Mozilla this week released Firefox 69 in the stable channel with patches for 20 vulnerabilities, including one code execution bug rated Critical severity.
The issue resides in the fact that, when Firefox is launched by another program, logging-related command line parameters are not properly sanitized. This would normally happen when the user clicks on a link in a chat application, for example.
An attacker looking to exploit the vulnerability could create malicious links that would be used to write a log file to an arbitrary location, such as the Windows ‘Startup’ folder. Tracked as CVE-2019-11751, the vulnerability only affects Firefox on Windows operating systems.
“Successful exploitation […] could allow for arbitrary code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” the Center for Internet Security (CIS) notes in an advisory.
CIS also assesses that these vulnerabilities represent a high risk to large and medium-sized government/business entities, but that they have only a medium impact on small government/business entities.
Firefox 69 also addresses 11 High severity vulnerabilities, 5 Medium risk bugs, and 3 Low severity flaws.
High severity issues addressed in this browser iteration include CVE-2019-11746 (a use-after-free that can occur while manipulating video elements), CVE-2019-11744 (Cross-Site Scripting resulting from some HTML elements containing literal angle brackets that are not treated as markup), and CVE-2019-11752 (a use-after-free residing in the possibility to delete an IndexedDB key value and subsequently trying to extract it during conversion).
Other flaws include a same-origin policy violation (CVE-2019-11742) allowing the theft of cross-origin images; a file manipulation and privilege escalation in Mozilla Maintenance Service (CVE-2019-11736); and privilege escalation with Mozilla Maintenance Service in a custom Firefox installation location (CVE-2019-11753).
Mozilla also addressed a sandbox escape through Firefox Sync (CVE-2019-9812) and isolated addons.mozilla.org and accounts.firefox.com into their own process, to prevent malicious manipulation (CVE-2019-11741).
The remaining High severity issues are memory safety bugs, some of which were found to impact Firefox ESR 68.1 (CVE-2019-11735), and Firefox ESR 68.1 and Firefox ESR 60.9 (CVE-2019-11740) as well. CVE-2019-11734 only impacts Firefox 68.
Medium risk vulnerabilities addressed in this browser iteration are CVE-2019-11743 (cross-origin access to unload event attributes), CVE-2019-11748 (persistence of WebRTC permissions in a third party context), CVE-2019-11749 (camera information available without prompting using getUserMedia), CVE-2019-5849 (out-of-bounds read in Skia), and CVE-2019-11750 (type confusion in Spidermonkey).
The three Low severity issues are CVE-2019-11737 (content security policy directives ignore port and path if host is a wildcard), CVE-2019-11738 (content security policy bypass through hash-based sources in directives), and CVE-2019-11747 (‘Forget about this site’ removes sites from pre-loaded HSTS list).
Related: Firefox Update to Address Antivirus TLS Errors
Related: Firefox Zero-Day Exploited to Deliver Malware to Cryptocurrency Exchanges