SB2018070206 - Multiple vulnerabilities in Pale Moon
Published: July 2, 2018 Updated: July 2, 2018
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Use-after-free error (CVE-ID: CVE-2018-12292)
The vulnerability allows a remote attacker to cause a DoS condition or execute arbitrary code on the target system.
The weakness exists due to a use-after-free error in DOMProxyHandler::EnsureExpandoObject. A remote unauthenticated attacker can trigger memory corruption and cause the service to crash or execute arbitrary code with elevated privileges.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
2) Information disclosure (CVE-ID: CVE-2017-0381)
The vulnerability allows a local attacker to obtain potentially sensitive information.
The vulnerability exists due to a flaw in silk/NLSF_stabilize.c in libopus in Mediaserver. A local attacker can run a specially crafted application to access data outside of its permission levels.
Remediation
Install the update from the vendor's website.