
Security vulnerabilities fixed in Firefox 67.0.4 and Firefox ESR 60.7.2 - dredmorbius
https://www.mozilla.org/en-US/security/advisories/mfsa2019-19/
======
est31
They've released two versions of Firefox in a span of 2 days. First 67.0.3 on
June 18 [1] and 67.0.4 on June 20 [2]. Each release fixes a separate component
of what seems to be the same exploit chain: the June 18 release the RCE and the
June 20 release the sandbox escape. Link to the June 18 discussion [3].

Link to the first fix: [https://hg.mozilla.org/releases/mozilla-release/rev/99a829d2...](https://hg.mozilla.org/releases/mozilla-release/rev/99a829d2a2a7859b10508b6f05e99780c5e2dc68)

Link to the second fix: [https://hg.mozilla.org/releases/mozilla-release/rev/ea5154be...](https://hg.mozilla.org/releases/mozilla-release/rev/ea5154beddff08b919697e3bed6f38cfe3a3d82f)

[1]: [https://www.mozilla.org/en-US/firefox/67.0.3/releasenotes/](https://www.mozilla.org/en-US/firefox/67.0.3/releasenotes/)

[2]: [https://www.mozilla.org/en-US/firefox/67.0.4/releasenotes/](https://www.mozilla.org/en-US/firefox/67.0.4/releasenotes/)

[3]: [https://news.ycombinator.com/item?id=20218560](https://news.ycombinator.com/item?id=20218560)

------
staticassertion
Interesting to see a sandbox escape that doesn't involve a kernel exploit
(unlike the attack against Chrome users that leveraged a Windows kernel vuln).
I wonder if seccomp has pushed things to the point where the boundary between
broker and child is the softer spot. More evidence for that is that the
attack on Chrome didn't work on Win10, which has a somewhat similar mitigation.

Perhaps in particular for Firefox, which has had the sandbox for less time?

Would love to hear some expert opinions. I can't derive much from this since I
don't personally see any trends.

------
forgotmypw3
Another demonstration of why browsing with JS off by default is a good idea.

~~~
coldtea
Only in the sense that a car accident is a demonstration why walking places is
a good idea.

~~~
forgotmypw3
You're not wrong. Cars are usually by far the most dangerous activity most
first-world people partake in, and individuals' driving habits are horrifying.

Anyone who drives should spend 5 minutes a week watching dashcam videos.

------
SubiculumCode
I'm curious. Are these exploits in code written in Rust?

Edit: Clarification, I was asking a question, not trolling.

~~~
est31
No, it's a vulnerability in privileged JavaScript.
[https://hg.mozilla.org/releases/mozilla-release/rev/ea5154be...](https://hg.mozilla.org/releases/mozilla-release/rev/ea5154beddff08b919697e3bed6f38cfe3a3d82f)

Only a few components of Firefox are written in Rust. Servo has no privileged
JavaScript by design choice, while it does have some components written in
C/C++ (mostly taken from Firefox).

------
dredmorbius
CVE-2019-11708: sandbox escape using Prompt:Open

Reporter: Coinbase Security

Impact: high

Description: Insufficient vetting of parameters passed with the Prompt:Open IPC
message between child and parent processes can result in the non-sandboxed
parent process opening web content chosen by a compromised child process. When
combined with additional vulnerabilities this could result in executing
arbitrary code on the user's computer.

References: Bug 1559858

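The advisory text above describes the general shape of the bug: a child-to-parent IPC message carries a parameter (here a URI) that the non-sandboxed parent acts on without checking it. The block below is an added illustration of that pattern and of the fix a broker needs, not Firefox's code and not the actual patch: the message shape `{ name: "Prompt:Open", data: { uri } }`, the handler names, the `FakeTabOpener` stand-in for "open a tab in the parent", and the http/https allow-list are all assumptions made for this example. The sample messages are constructed.

```javascript
// Added illustration: a parent-process ("broker") handler for a child-to-parent IPC
// message that asks the parent to open a URI. NOT Firefox's code; the message shape,
// handler names and the scheme allow-list are assumptions made for this example.
"use strict";

// Schemes a content process may legitimately ask the parent to open in a new,
// sandboxed content tab. Anything else is refused: schemes such as chrome:,
// resource:, file: or javascript: could be loaded with the parent's authority.
const CONTENT_SCHEMES = new Set(["http:", "https:"]);

// Stand-in for the parent's "open a tab" primitive; records what would be opened.
class FakeTabOpener {
  constructor() { this.opened = []; }
  open(url) { this.opened.push(url); }
}

// Vulnerable pattern: the parent trusts whatever URI string the child sends.
// A compromised child can therefore make the parent load anything it names.
function handlePromptOpenUnvetted(msg, opener) {
  opener.open(msg.data.uri);
  return { opened: true, reason: "trusted child" };
}

// Hardened pattern: treat every field of the message as attacker-controlled.
// Parse the URI, require an allow-listed scheme and reject everything else.
function vetUri(raw) {
  if (typeof raw !== "string" || raw.length === 0) {
    return { ok: false, reason: "uri is not a non-empty string" };
  }
  let url;
  try {
    url = new URL(raw);            // throws on unparseable input
  } catch (e) {
    return { ok: false, reason: "unparseable uri" };
  }
  if (!CONTENT_SCHEMES.has(url.protocol)) {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  return { ok: true, url: url.href };  // normalized form, not the raw string
}

function handlePromptOpenVetted(msg, opener) {
  if (!msg || msg.name !== "Prompt:Open") {
    return { opened: false, reason: "unexpected message" };
  }
  const v = vetUri(msg.data && msg.data.uri);
  if (!v.ok) return { opened: false, reason: v.reason };
  opener.open(v.url);
  return { opened: true, reason: "vetted" };
}

// Constructed sample messages, as a compromised child process might send them.
const SAMPLE_MESSAGES = [
  { name: "Prompt:Open", data: { uri: "https://example.com/" } },   // legitimate
  { name: "Prompt:Open", data: { uri: "file:///etc/passwd" } },     // local file
  { name: "Prompt:Open", data: { uri: "javascript:alert(1)" } },    // script URI
  { name: "Prompt:Open", data: { uri: "not a url" } },              // garbage
  { name: "Prompt:Open", data: { uri: 42 } },                       // wrong type
];

// Feed the same messages to both handlers and return what each would have opened.
function runBoth(messages) {
  const unvetted = new FakeTabOpener();
  const vetted = new FakeTabOpener();
  for (const m of messages) {
    handlePromptOpenUnvetted(m, unvetted);
    handlePromptOpenVetted(m, vetted);
  }
  return { unvetted: unvetted.opened, vetted: vetted.opened };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(runBoth(SAMPLE_MESSAGES));
}
```

The unvetted handler opens all five inputs, including the file: and javascript: URIs and the two malformed ones; the vetted handler opens only the https URL. The point a practitioner should take from the advisory is the one the hardened handler encodes: once a content process is assumed compromised, the parent must validate every parameter it receives over IPC against an explicit allow-list rather than trusting the child to only ask for things it is permitted to have.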
------
dividuum
I guess that's why the JavaScript type confusion fixed in 67.0.3 was
"exploited in the wild"? Because on its own, the rendering/JS process is
compromised (which of course is bad) but it should still be sandboxed from the
rest of the system assuming no sandbox escapes (like this one) are known?

~~~
32032141
Right. The first CVE gets you, for example, cross-window access. The second
gets you system access outside of the sandbox.

------
neilv
Looks like the Firefox-based Tor Browser plans to lag a day behind, on an
update for a critical vulnerability that's disclosed by the Mozilla update,
like they did the last time. (Does that lag leave a substantial window for
second-tier actors to compromise some security-sensitive dissidents and
journalists?)

Also, a bit less concerning to me, the Debian package of `firefox-esr` still
hasn't been released, as I type this, hours later.

Of course this is a tricky problem, but should there be more coordination on
such updates, in the spirit of responsible disclosure?

~~~
Yoric
I suspect that the ~1 day delay is just the time needed to run automated
tests, rebuild packages, retest them, upload them to the various channels,
turn updates on, etc.

I've worked with people who work on release engineering. Many things can go
wrong by accident and silently, so you take your time to avoid distributing a
broken binary that you could not upgrade.

~~~
neilv
Of course, but perhaps that can be coordinated better?

------
robocat
Is there any reliable source that says which browser is the most secure for a
regular user?

Pwn2Own: One change in the 2016 event is that the Mozilla Firefox Web browser
is no longer part of the contest. "We wanted to focus on the browsers that
have made serious security improvements in the last year," Gorenc said.

The implication is that Firefox just wasn't as secure as other browsers.

My gut feeling is that Chrome is far more secure than Firefox, but I would
like an expert opinion.

~~~
BEN247
Secure is obviously a very wide term but as an approximation you can look at
how much exploit vendors will pay for an exploit, assuming higher price =
harder to exploit = more 'secure'.

On that measure Chrome wins easily:
[https://zerodium.com/program.html](https://zerodium.com/program.html)

~~~
swinglock
Don't you think market share is a factor?

------
tapoxi
Anyone have knowledge of how Firefox's security model compares to Chrome's?

~~~
d33
See this for a potential starting point:
[https://news.ycombinator.com/item?id=17287376](https://news.ycombinator.com/item?id=17287376)

------
elvecinodeabajo
404 Not found

~~~
MattSteelblade
I'm not getting a 404 error

~~~
elvecinodeabajo
Link was broken when I commented.

------
SilasX
Can I ask what led the vulnerabilities to be missed in the development
process?

------
a-wu
Not a good few days for Mozilla and Firefox. They just pushed 67.0.3 [0] two
days ago to fix a zero-day.

[0] [https://www.mozilla.org/en-US/security/advisories/mfsa2019-1...](https://www.mozilla.org/en-US/security/advisories/mfsa2019-18/)

~~~
SubiculumCode
This is not bad. This is good.

The more code inspected, the more zero days that are identified. Every large
code base has security issues. What is scary are the ones that only the wrong
people know about.

