Allele Security Alert
ASA-2019-00356
Identifier(s)
ASA-2019-00356, CVE-2019-11707, MFSA2019-18, MFSA2019-20
Title
Type confusion in Array.pop
Vendor(s)
Mozilla
Product(s)
Mozilla Firefox
Mozilla Firefox ESR
Mozilla Thunderbird
Affected version(s)
Mozilla Firefox versions before 67.0.3
Mozilla Firefox ESR versions before 60.7.1
Mozilla Thunderbird versions before 60.7.2
Fixed version(s)
Mozilla Firefox version 67.0.3
Mozilla Firefox ESR version 60.7.1
Mozilla Thunderbird version 60.7.2
Proof of concept
Yes
Description
A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw.
Technical details
Unknown
Credits
Samuel Groß (Google Project Zero) and Coinbase Security
Reference(s)
Security vulnerabilities fixed in Firefox 67.0.3 and Firefox ESR 60.7.1 — Mozilla
https://www.mozilla.org/en-US/security/advisories/mfsa2019-18/#CVE-2019-11707
Security vulnerabilities fixed in Thunderbird 60.7.2
https://www.mozilla.org/en-US/security/advisories/mfsa2019-20/#CVE-2019-11707
Burned by Fire(fox) a firefox 0day drops a macOS backdoor (part 1)
https://objective-see.com/blog/blog_0x43.html
Issue 1820: Spidermonkey: IonMonkey incorrectly predicts return type of Array.prototype.pop, leading to type confusions
https://bugs.chromium.org/p/project-zero/issues/detail?id=1820
Bug 1544386 part 1 – Call ElementAccessHasExtraIndexedProperty instead of ArrayPrototypeHasIndexedProperty when inlining array natives. r=tcampbell, a=jcristau
https://hg.mozilla.org/releases/mozilla-beta/rev/109cefe117fbdd1764097e06796960082f4fee4e
Twitter
https://twitter.com/5aelo/status/1143823601885466624
CVE-2019-11707
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11707
CVE-2019-11707
https://nvd.nist.gov/vuln/detail/CVE-2019-11707
If there is any error in this alert, or if you would like a comprehensive analysis, let us know.
Last modified: July 23, 2019