Race condition in Mozilla Firefox - CVE-2019-9815

 

Race condition in Mozilla Firefox - CVE-2019-9815

Published: May 21, 2019


Vulnerability identifier: #VU18549
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2019-9815
CWE-ID: CWE-362
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Mozilla
Affected software:
Mozilla Firefox

Detailed vulnerability description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to enabled hyperthreading in applications running untrusted code in a thread through a new sysctl on macOS. A remote attacker can perform timing attack, similar to previous Spectre attacks and execute arbitrary code on the target system.

The vulnerability affects macOS users.

For this mitigation to take effect, users must install macOS 10.14.5.


How to mitigate CVE-2019-9815

Install updates from vendor's website.

Sources