CVE-2018-12405

Q: How do I fix CVE-2018-12405?

1. Open browser menu > Help > About Firefox/Thunderbird. 2. Browser will check for updates automatically. 3. Click 'Restart to update' when prompted. 4. For enterprise deployments, use centralized management tools or download updated installers from Mozilla.

Q: What is the severity of CVE-2018-12405?

CVE-2018-12405 has a CVSS score of 9.8 (CRITICAL). CVE-2018-12405 is a critical memory corruption vulnerability in Mozilla Firefox, Firefox ESR, and Thunderbird that could allow remote attackers to execute arbitrary code. The vulnerability affects users running outdated versions of these browsers. Attackers could exploit this by tricking users into visiting malicious websites.

9.8 CRITICAL

Remote Code Execution

📋 TL;DR

CVE-2018-12405 is a critical memory corruption vulnerability in Mozilla Firefox, Firefox ESR, and Thunderbird that could allow remote attackers to execute arbitrary code. The vulnerability affects users running outdated versions of these browsers. Attackers could exploit this by tricking users into visiting malicious websites.

💻 Affected Systems

Products:

Mozilla Firefox
Mozilla Firefox ESR
Mozilla Thunderbird

Versions: Firefox < 64, Firefox ESR < 60.4, Thunderbird < 60.4

Operating Systems: Windows, Linux, macOS

Default Config Vulnerable: ⚠️ Yes

Notes: All default configurations are vulnerable. No special configuration required for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with the same privileges as the browser user, potentially leading to full system compromise.

🟠

Likely Case

Browser crash or arbitrary code execution leading to malware installation or data theft.

🟢

If Mitigated

No impact if browsers are updated to patched versions or if exploit attempts are blocked by security controls.

🌐 Internet-Facing: HIGH - Web browsers are inherently internet-facing and users regularly visit untrusted websites.

🏢 Internal Only: MEDIUM - Internal users could still be targeted via phishing or compromised internal websites.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Memory corruption vulnerabilities require specific conditions to achieve reliable exploitation, but CVSS 9.8 indicates high exploitability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 64, Firefox ESR 60.4, Thunderbird 60.4

Vendor Advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2018-29/

Restart Required: Yes

Instructions:

1. Open browser menu > Help > About Firefox/Thunderbird. 2. Browser will check for updates automatically. 3. Click 'Restart to update' when prompted. 4. For enterprise deployments, use centralized management tools or download updated installers from Mozilla.

🔧 Temporary Workarounds

Disable JavaScript

all

Temporarily disable JavaScript to prevent exploitation through malicious web content

about:config > javascript.enabled = false

Use Content Security Policy

all

Implement CSP headers to restrict script execution from untrusted sources

Content-Security-Policy: script-src 'self'

🧯 If You Can't Patch

Restrict browser usage to trusted websites only
Implement application whitelisting to prevent execution of unknown binaries

🔍 How to Verify

Check if Vulnerable:

Check browser version in Help > About Firefox/Thunderbird and compare with affected versions

Check Version:

firefox --version (Linux) or check About dialog (Windows/macOS)

Verify Fix Applied:

Confirm version is Firefox ≥64, Firefox ESR ≥60.4, or Thunderbird ≥60.4

📡 Detection & Monitoring

Log Indicators:

Browser crash reports
Unexpected process termination
Memory access violation errors

Network Indicators:

Unusual outbound connections from browser process
Downloads from suspicious domains

SIEM Query:

process_name="firefox.exe" AND (event_id=1000 OR event_id=1001) OR process_name="thunderbird.exe" AND crash

📊 Metadata

CVE ID: CVE-2018-12405

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-119

Published: February 28, 2019

Last Updated: November 25, 2025

🔗 References

http://www.securityfocus.com/bid/106168 Third Party Advisory,VDB Entry
https://access.redhat.com/errata/RHSA-2018:3831 Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:3833 Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:0159 Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:0160 Third Party Advisory
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1494752%2C1498765%2C1503326%2C1505181%2C1500759%2C1504365%2C1506640%2C1503082%2C1502013%2C1510471 Broken Link,Issue Tracking,Vendor Advisory
https://lists.debian.org/debian-lts-announce/2018/12/msg00002.html Third Party Advisory
https://security.gentoo.org/glsa/201903-04 Third Party Advisory
https://usn.ubuntu.com/3844-1/ Third Party Advisory
https://usn.ubuntu.com/3868-1/ Third Party Advisory
https://www.debian.org/security/2018/dsa-4354 Third Party Advisory
https://www.debian.org/security/2019/dsa-4362 Third Party Advisory
https://www.mozilla.org/security/advisories/mfsa2018-29/ Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2018-30/ Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2018-31/ Vendor Advisory
http://www.securityfocus.com/bid/106168 Third Party Advisory,VDB Entry
https://access.redhat.com/errata/RHSA-2018:3831 Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:3833 Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:0159 Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:0160 Third Party Advisory
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1494752%2C1498765%2C1503326%2C1505181%2C1500759%2C1504365%2C1506640%2C1503082%2C1502013%2C1510471 Broken Link,Issue Tracking,Vendor Advisory
https://lists.debian.org/debian-lts-announce/2018/12/msg00002.html Third Party Advisory
https://security.gentoo.org/glsa/201903-04 Third Party Advisory
https://usn.ubuntu.com/3844-1/ Third Party Advisory
https://usn.ubuntu.com/3868-1/ Third Party Advisory
https://www.debian.org/security/2018/dsa-4354 Third Party Advisory
https://www.debian.org/security/2019/dsa-4362 Third Party Advisory
https://www.mozilla.org/security/advisories/mfsa2018-29/ Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2018-30/ Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2018-31/ Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Debian Linux by Debian

Debian Linux by Debian

Enterprise Linux Desktop by Redhat

Enterprise Linux Desktop by Redhat

Enterprise Linux Server by Redhat

Enterprise Linux Server by Redhat

Enterprise Linux Server Aus by Redhat

Enterprise Linux Server Eus by Redhat

Enterprise Linux Server Tus by Redhat

Enterprise Linux Workstation by Redhat

Enterprise Linux Workstation by Redhat

Firefox by Mozilla

Firefox by Mozilla

Thunderbird by Mozilla

Ubuntu Linux by Canonical

Ubuntu Linux by Canonical

Ubuntu Linux by Canonical

Ubuntu Linux by Canonical

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable JavaScript

Use Content Security Policy

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities