CVE-2019-11707 (Firefox) and Pale Moon
Posted: 2019-06-20, 08:34
by terranigma
A remote code execution exploit has surfaced on the Firefox side. All versions prior to Firefox 60.7.1 and 67.0.3 are affected. As far as I know Pale Moon 28 is based on Firefox 57. Is there any info regarding Pale Moon and this CVE?
Re: CVE-2019-11707 (Firefox) and Pale Moon
Posted: 2019-06-20, 09:17
by roytam1
You may check this out:
https://twitter.com/palemoonbrowser/sta ... 2260123648
BTW UXP is forked from gecko-52.6.0, not 57.
Re: CVE-2019-11707 (Firefox) and Pale Moon
Posted: 2019-06-20, 10:05
by Moonchild
terranigma wrote: ↑2019-06-20, 08:34
All versions prior to Firefox 60.7.1 and 67.0.3 are affected.
Incorrect. All supported branches of Firefox prior to those versions are affected (meaning 60ESR and the current release).
This does not go back as far as our fork point because it became vulnerable with one of the JS refactoring sprees Mozilla did.
I've analyzed the issue and we aren't vulnerable to this exploit because we do not crash at all (let alone in an exploitable way). None of the UXP applications are vulnerable to this because it's in the shared JS platform component.
As an aside, it's peculiar that this is actually used in the wild. It's a Google Zero Day initiative exploit that was found through fuzzing in April (which starts a 90-day countdown for public exposure of the details). It's extremely unlikely that someone outside of the investigating team hit the same fuzzing parameters to trigger this (since by design fuzzing is random), so this may have been leaked on purpose.
Re: CVE-2019-11707 (Firefox) and Pale Moon
Posted: 2019-06-20, 12:24
by New Tobin Paradigm
I'd be interested in exactly when this refactoring change exposed this.
Re: CVE-2019-11707 (Firefox) and Pale Moon
Posted: 2019-06-20, 13:18
by Moonchild
New Tobin Paradigm wrote: ↑2019-06-20, 12:24
I'd be interested in exactly when this refactoring change exposed this.
Looks like it was exposed in Firefox 56.
Re: CVE-2019-11707 (Firefox) and Pale Moon
Posted: 2019-06-24, 12:40
by Fedor2
https://news.ycombinator.com/item?id=20221327
They said that all versions of Firefox >= 38.0a1 (21 Apr 2015) might be vulnerable.
So what about non-UXP versions such as Pale Moon 27 and Basilisk 55?
Re: CVE-2019-11707 (Firefox) and Pale Moon
Posted: 2019-06-24, 12:54
by roytam1
Re: CVE-2019-11707 (Firefox) and Pale Moon
Posted: 2019-06-24, 12:55
by Moonchild
They are wrong. I already analyzed this and it was exposed as a vulnerability in Firefox 56.
The sensitive code may have been introduced that far back, but as long as it's not actually exposed, there is no issue and no vulnerability. So their "might be vulnerable" is theoretical. My "is not vulnerable" is practical.
Of course it can't hurt to port as a defense-in-depth measure (we've done that on UXP too) but it's not critical in any way.