ASA-2019-00356 – Mozilla Firefox and Thunderbird: Type confusion in Array.pop


Allele Security Alert

ASA-2019-00356

Identifier(s)

ASA-2019-00356, CVE-2019-11707, MFSA2019-18, MFSA2019-20

Title

Type confusion in Array.pop

Vendor(s)

Mozilla

Product(s)

Mozilla Firefox
Mozilla Firefox ESR
Mozilla Thunderbird

Affected version(s)

Mozilla Firefox versions before 67.0.3
Mozilla Firefox ESR versions before 60.7.1
Mozilla Thunderbird versions before 60.7.2

Fixed version(s)

Mozilla Firefox version 67.0.3
Mozilla Firefox ESR version 60.7.1
Mozilla Thunderbird version 60.7.2

Proof of concept

Yes

Description

A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw.

Technical details

Unknown

Credits

Samuel Groß (Google Project Zero) and Coinbase Security

Reference(s)

Security vulnerabilities fixed in Firefox 67.0.3 and Firefox ESR 60.7.1 — Mozilla
https://www.mozilla.org/en-US/security/advisories/mfsa2019-18/#CVE-2019-11707

Security vulnerabilities fixed in Thunderbird 60.7.2
https://www.mozilla.org/en-US/security/advisories/mfsa2019-20/#CVE-2019-11707

Burned by Fire(fox) a firefox 0day drops a macOS backdoor (part 1)
https://objective-see.com/blog/blog_0x43.html

Issue 1820: Spidermonkey: IonMonkey incorrectly predicts return type of Array.prototype.pop, leading to type confusions
https://bugs.chromium.org/p/project-zero/issues/detail?id=1820

Bug 1544386 part 1 – Call ElementAccessHasExtraIndexedProperty instead of ArrayPrototypeHasIndexedProperty when inlining array natives. r=tcampbell, a=jcristau
https://hg.mozilla.org/releases/mozilla-beta/rev/109cefe117fbdd1764097e06796960082f4fee4e

Twitter
https://twitter.com/5aelo/status/1143823601885466624

CVE-2019-11707
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11707

CVE-2019-11707
https://nvd.nist.gov/vuln/detail/CVE-2019-11707

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: July 23, 2019
