Niklas Baumstark

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 109 **Description** A compromised web child process could disable web security opening restrictions, leading to a new child process being spawned within the file:// context. Given a reliable exploit primitive, this new process could be exploited again leading to arbitrary file read. The vulnerability is related to errors in security settings and can be exploited by a remote attacker to read arbitrary files. **Recommendations** For versions prior to 109, update to a version that contains a fix for this issue to prevent exploitation. As a temporary workaround, consider restricting access to sensitive files and directories to minimize the risk of arbitrary file read.

**Nome do software vulnerável e versões afetadas** Versões do Google Chrome anteriores à 89.0.4389.128 **Descrição** O problema está relacionado à validação insuficiente de entradas não confiáveis no mecanismo V8 do Google Chrome, o que poderia permitir que um invasor remoto explorasse potencialmente uma corrupção de heap por meio de uma página HTML maliciosa. Isso poderia levar ao acesso não autorizado a informações confidenciais ou causar uma negação de serviço. A vulnerabilidade teria sido explorada por agentes como o Water Labbu em aplicativos baseados em Electron, visando particularmente o setor financeiro. **Recomendações** Para versões do Google Chrome anteriores à 89.0.4389.128, atualize para a versão 89.0.4389.128 ou posterior para resolver o problema. Como solução temporária, considere restringir o acesso a pontos de extremidade de API potencialmente vulneráveis ou desativar o uso de entradas não confiáveis no mecanismo V8 até que um patch seja aplicado. Evite usar páginas HTML criadas especificamente para explorar a vulnerabilidade de corrupção de heap.

**Nome do software vulnerável e versões afetadas** Versões do Firefox anteriores à 76 Versões do Firefox ESR anteriores à 68.8 **Descrição** O problema está relacionado a um controle de acesso insuficiente nos processos de conteúdo do Firefox, o que poderia resultar em uma fuga da sandbox. Esse problema afeta apenas o Firefox em sistemas operacionais Windows. A vulnerabilidade está associada a uma validação inadequada de entradas, permitindo potencialmente que um invasor remoto execute código arbitrário. **Recomendações** Para versões do Firefox anteriores à 76, atualize para a versão 76 ou posterior para resolver o problema. Para versões do Firefox ESR anteriores à 68.8, atualize para a versão 68.8 ou posterior para resolver o problema.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 69 **Description** A compromised sandboxed content process can perform a Universal Cross-site Scripting (UXSS) attack on content from any site it can cause to be loaded in the same process. This issue is related to the lack of protection for the web page structure, which can be exploited by a remote attacker to compromise data integrity. The vulnerability is particularly concerning for sites closely tied to the Firefox product, such as addons.mozilla.org and accounts.firefox.com, as malicious manipulation of these sites can potentially modify a user's Firefox configuration. To mitigate this, these sites will be isolated into their own process. **Recommendations** For versions prior to 69, update to version 69 or later to resolve the issue. As a temporary workaround, consider isolating sensitive sites into their own process to minimize the risk of exploitation. Restrict access to potentially vulnerable sites within the standard content process to reduce the attack surface.

**Name of the Vulnerable Software and Affected Versions** Firefox ESR versions prior to 60.9 Firefox ESR versions prior to 68.1 Firefox versions prior to 69 **Description** The issue allows an attacker to escape the sandbox of a compromised Firefox browser by loading accounts.firefox.com and forcing a log-in to a malicious Firefox Sync account. This can lead to preference settings that disable the sandbox being synchronized to the local machine, causing the compromised browser to restart without the sandbox if a crash is triggered. The vulnerability can be exploited remotely and may allow an attacker to compromise data integrity or cause a denial of service. **Recommendations** For Firefox ESR versions prior to 60.9, update to version 60.9 or later to resolve the issue. For Firefox ESR versions prior to 68.1, update to version 68.1 or later to resolve the issue. For Firefox versions prior to 69, update to version 69 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Firefox ESR versions prior to 60.8 Firefox versions prior to 68 Thunderbird versions prior to 60.8 **Description** The issue is related to insufficient access control in Firefox ESR, Firefox, and the Thunderbird email client. It can be exploited by a remote attacker to cause a denial of service by loading a malicious language pack. A researcher demonstrated a sandbox escape by installing a malicious language pack and then opening a browser feature that used the compromised translation. **Recommendations** For Firefox ESR versions prior to 60.8, update to version 60.8 or later to resolve the issue. For Firefox versions prior to 68, update to version 68 or later to resolve the issue. For Thunderbird versions prior to 60.8, update to version 60.8 or later to resolve the issue. As a temporary workaround, consider restricting the installation of language packs to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 66.0.1 Firefox ESR versions prior to 60.6.1 Thunderbird versions prior to 60.6.1 **Description** The issue is related to incorrect handling of ` proto ` mutations, which may lead to type confusion in IonMonkey JIT code. This can be leveraged for arbitrary memory read and write, potentially allowing a remote attacker to impact the confidentiality, integrity, and availability of protected information. **Recommendations** For Firefox versions prior to 66.0.1, update to version 66.0.1 or later to resolve the issue. For Firefox ESR versions prior to 60.6.1, update to version 60.6.1 or later to resolve the issue. For Thunderbird versions prior to 60.6.1, update to version 60.6.1 or later to resolve the issue. As a temporary workaround, consider disabling the IonMonkey JIT compiler until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Thunderbird versions prior to 60.6 Firefox ESR versions prior to 60.6 Firefox versions prior to 66 **Description** A mechanism was discovered that removes some bounds checking for string, array, or typed array accesses if Spectre mitigations have been disabled. This could allow an attacker to create an arbitrary value in compiled JavaScript, for which the range analysis will infer a fully controlled, incorrect range in circumstances where users have explicitly disabled Spectre mitigations. The vulnerability is related to reading data beyond buffer memory boundaries, which may allow a remote attacker to gain unauthorized access to protected data. **Recommendations** For Thunderbird versions prior to 60.6, update to version 60.6 or later. For Firefox ESR versions prior to 60.6, update to version 60.6 or later. For Firefox versions prior to 66, update to version 66 or later.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 62.0.3 Firefox ESR versions prior to 60.2.2 **Description** A vulnerability in register allocation in JavaScript can lead to type confusion, allowing for an arbitrary read and write. This leads to remote code execution inside the sandboxed content process when triggered. The issue is related to errors in data type conversion. **Recommendations** For Firefox versions prior to 62.0.3, update to version 62.0.3 or later to resolve the issue. For Firefox ESR versions prior to 60.2.2, update to version 60.2.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Firefox ESR versions prior to 60.2.2 Firefox versions prior to 62.0.3 **Description** The issue is related to the JavaScript JIT compiler inlining Array.prototype.push with multiple arguments, resulting in the stack pointer being off by 8 bytes after a bailout. This can leak a memory address to the calling function, potentially used as part of an exploit inside the sandboxed content process. The vulnerability is also described as being related to insufficient input validation in the implementation of the Array.prototype.push method in Firefox and Firefox ESR browsers, which could allow a remote attacker to execute arbitrary code. **Recommendations** For Firefox ESR versions prior to 60.2.2, update to version 60.2.2 or later. For Firefox versions prior to 62.0.3, update to version 62.0.3 or later.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 70.0.3538.67 **Description** The issue is related to incorrect reference counting in the AppCache component of the Google Chrome web browser, which is associated with errors in access control for the isolated environment. Exploitation of this issue may allow a remote attacker to escape the sandbox and execute arbitrary code via a crafted HTML page. **Recommendations** For Google Chrome versions prior to 70.0.3538.67, update to version 70.0.3538.67 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Oracle VM VirtualBox versions prior to 5.1.32 Oracle VM VirtualBox versions prior to 5.2.6 **Description** The issue is related to insufficient access control in the Core component of Oracle VM VirtualBox, allowing a low-privileged attacker with logon access to the infrastructure to compromise Oracle VM VirtualBox. Successful attacks can result in the takeover of Oracle VM VirtualBox and may significantly impact additional products. **Recommendations** For versions prior to 5.1.32, update to version 5.1.32 or later. For versions prior to 5.2.6, update to version 5.2.6 or later.

**Name of the Vulnerable Software and Affected Versions** macOS versions prior to 10.13.1 **Description** The issue involves the `802.1X` component and is related to errors in the implementation of the TLS 1.0 protocol. This allows attackers to have an unspecified impact, potentially compromising the confidentiality, integrity, and availability of protected information by leveraging TLS 1.0 support. **Recommendations** For macOS versions prior to 10.13.1, update to version 10.13.1 or later to resolve the issue. As a temporary workaround, consider disabling the `802.1X` component until a patch is available. Restrict access to sensitive information and networks to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** macOS versions prior to 10.13.1 **Description** The issue involves the `CFNetwork` component and allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. This is due to a heap-based buffer overflow in the `CFNetwork` component. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited. **Recommendations** For macOS versions prior to 10.13.1, update to version 10.13.1 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `CFNetwork` component until a patch is available. Avoid using crafted apps that may exploit the heap-based buffer overflow vulnerability in the `CFNetwork` component.

**Name of the Vulnerable Software and Affected Versions** macOS versions prior to 10.13.1 **Description** The issue involves the `CFNetwork` component and allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. This is due to a buffer overflow in memory, which can be exploited by a remote attacker. **Recommendations** For macOS versions prior to 10.13.1, update to version 10.13.1 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `CFNetwork` component until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Apple iOS versions prior to 11 Apple Safari versions prior to 11 Apple iCloud versions prior to 7.0 on Windows Apple iTunes versions prior to 12.7 on Windows Apple tvOS versions prior to 11 **Description** The issue involves the WebKit component and allows remote attackers to execute arbitrary code or cause a denial of service, resulting in memory corruption and application crash, via a crafted web site. **Recommendations** For iOS versions prior to 11, update to version 11 or later. For Safari versions prior to 11, update to version 11 or later. For iCloud versions prior to 7.0 on Windows, update to version 7.0 or later. For iTunes versions prior to 12.7 on Windows, update to version 12.7 or later. For tvOS versions prior to 11, update to version 11 or later.

**Name of the Vulnerable Software and Affected Versions** Apple iOS versions prior to 11 Apple Safari versions prior to 11 Apple iCloud versions prior to 7.0 on Windows Apple iTunes versions prior to 12.7 on Windows Apple tvOS versions prior to 11 **Description** The issue involves the WebKit component and allows remote attackers to execute arbitrary code or cause a denial of service, resulting in memory corruption and application crash, via a crafted web site. **Recommendations** For iOS versions prior to 11, update to version 11 or later. For Safari versions prior to 11, update to version 11 or later. For iCloud versions prior to 7.0 on Windows, update to version 7.0 or later. For iTunes versions prior to 12.7 on Windows, update to version 12.7 or later. For tvOS versions prior to 11, update to version 11 or later.

**Name of the Vulnerable Software and Affected Versions** iOS versions prior to 10.3.2 Safari versions prior to 10.1.1 **Description** The issue involves the WebKit component and allows remote attackers to conduct Universal XSS (UXSS) attacks via a crafted web site that improperly interacts with cached frames. **Recommendations** For iOS versions prior to 10.3.2, update to version 10.3.2 or later. For Safari versions prior to 10.1.1, update to version 10.1.1 or later.

**Name of the Vulnerable Software and Affected Versions** macOS versions prior to 10.12.5 **Description** The issue involves the `Speech Framework` component and allows attackers to conduct sandbox-escape attacks or cause a denial of service (memory corruption) via a crafted app. **Recommendations** For macOS versions prior to 10.12.5, update to version 10.12.5 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** macOS versions prior to 10.12.5 **Description** The issue involves the `Security` component and allows attackers to conduct sandbox-escape attacks or cause a denial of service via a crafted app. **Recommendations** For macOS versions prior to 10.12.5, update to version 10.12.5 or later to resolve the issue.