A bunch of critical security vulnerabilities affect the Mozilla Firefox browser. Another high-severity flaw was also discovered in Google Chrome. It appears that all bugs could lead to arbitrary code execution.
According to an advisory by MS-ISAC (Multi-State Information Sharing and Analysis Center), depending on the privileges associated with the user, an attacker could install programs, as well as view, change or delete data. An attacker could also create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights, the advisory said.
Mozilla Firefox’s Bugs
According to Mozilla’s advisory, 9 security issues were fixed in Firefox ESR. The CVE-2019-11764 entry, in particular, is described as a memory safety issue, and addresses several issues in Firefox 69 and Firefox ESR 68.1. The impact of the vulnerability is rated as critical.
The Mozilla Foundation says that some of the vulnerabilities displayed “evidence of memory corruption”, meaning that they could be exploited by determined attackers to run arbitrary code. It appears that large and medium government and business organizations are mostly at risk.
Other high-severity bugs addressed in the latest patch of Firefox ESR include the following:
CVE-2019-15903 – a heap overflow in the expat library in XML_GetCurrentLineNumber;
CVE-2019-11758 – a potentially exploitable crash due to 360 Total Security;
CVE-2019-11757 – a use-after-free bug that occurs when creating index updates in IndexedDB.
The high-severity vulnerabilities fixed in Mozilla Firefox include CVE-2019-15903 and CVE-2019-11757, which also affect Firefox ESR, and a heap buffer overflow in FEC processing in WebRTC known under the CVE-2018-6156 identifier.
MS-ISAC recommends patching immediately, but only after appropriate testing is done.
Google Chrome’s Issues
The Google Chrome update has fixed a total of 37 security issues. One of the vulnerabilities was reported by security researcher Man Yue of Semmle Security Research Team, who got paid a bounty of $20,000. The vulnerability in question is CVE-2019-13699 – a high-severity use-after-free issue in media. There are two other severe bugs fixed in the browser – CVE-2019-13700 (a buffer overrun in Blink) and CVE-2019-13701 (URL spoof in navigation).
More information about Chrome’s issues is available in Google’s advisory.