Mozilla Foundation Security Advisory 2018-24

Security vulnerabilities fixed in Firefox 62.0.3 and Firefox ESR 60.2.2

Announced

October 2, 2018

Impact

critical

Products

Firefox, Firefox ESR

Fixed in

Firefox 62.0.3
Firefox ESR 60.2.2

#CVE-2018-12386: Type confusion in JavaScript

Reporter: Niklas Baumstark, Samuel Groß, Bruno Keith via Beyond Security’s SecuriTeam Secure Disclosure program
Impact: critical

Description

A vulnerability in register allocation in JavaScript can lead to type confusion, allowing for an arbitrary read and write. This leads to remote code execution inside the sandboxed content process when triggered.

References

Bug 1493900

#CVE-2018-12387:

Reporter: Bruno Keith, Niklas Baumstark via Beyond Security’s SecuriTeam Secure Disclosure program
Impact: critical

Description

A vulnerability where the JavaScript JIT compiler inlines Array.prototype.push with multiple arguments that results in the stack pointer being off by 8 bytes after a bailout. This leaks a memory address to the calling function which can be used as part of an exploit inside the sandboxed content process.

References

Bug 1493903

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice

Mozilla Foundation Security Advisory 2018-24

Security vulnerabilities fixed in Firefox 62.0.3 and Firefox ESR 60.2.2

#CVE-2018-12386: Type confusion in JavaScript

Description

References

#CVE-2018-12387:

Description

References