Firefox ESR 24.x < 24.3 Multiple Vulnerabilities

critical Nessus Plugin ID 72330

Synopsis

The remote Windows host contains a web browser that is potentially affected by multiple vulnerabilities.

Description

The installed version of Firefox ESR 24.x is earlier than 24.3, and is, therefore, potentially affected by the following vulnerabilities:

- Memory issues exist in the browser engine that could result in a denial of service or arbitrary code execution. (CVE-2014-1477)

- An error exists related to System Only Wrappers (SOW) and the XML Binding Language (XBL) that could allow XUL content to be disclosed. (CVE-2014-1479)

- An error exists related to the JavaScript engine and 'window' object handling that has unspecified impact. (CVE-2014-1481)

- An error exists related to 'RasterImage' and image decoding that could allow application crashes and possibly arbitrary code execution. (CVE-2014-1482)

- A use-after-free error exists related to image handling and 'imgRequestProxy' that could allow application crashes and possibly arbitrary code execution. (CVE-2014-1486)

- An error exists related to 'web workers' that could allow cross-origin information disclosure. (CVE-2014-1487)

- Network Security Services (NSS) contains a race condition in libssl that occurs during session ticket processing. A remote attacker can exploit this flaw to cause a denial of service. (CVE-2014-1490)

- Network Security Services (NSS) does not properly restrict public values in Diffie-Hellman key exchanges, allowing a remote attacker to bypass cryptographic protection mechanisms. (CVE-2014-1491)

Solution

Upgrade to Firefox ESR 24.3 or later.

See Also

http://www.zerodayinitiative.com/advisories/ZDI-14-058/

https://www.mozilla.org/en-US/security/advisories/mfsa2014-01/

https://www.mozilla.org/en-US/security/advisories/mfsa2014-02/

https://www.mozilla.org/en-US/security/advisories/mfsa2014-04/

https://www.mozilla.org/en-US/security/advisories/mfsa2014-08/

https://www.mozilla.org/en-US/security/advisories/mfsa2014-09/

https://www.mozilla.org/en-US/security/advisories/mfsa2014-12/

https://www.mozilla.org/en-US/security/advisories/mfsa2014-13/

Plugin Details

Severity: Critical

ID: 72330

File Name: mozilla_firefox_24_3_esr.nasl

Version: 1.12

Type: local

Agent: windows

Family: Windows

Published: 2/5/2014

Updated: 11/26/2019

Supported Sensors: Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2014-1486

Vulnerability Information

CPE: cpe:/a:mozilla:firefox_esr

Required KB Items: Mozilla/Firefox/Version

Exploit Ease: No known exploits are available

Patch Publication Date: 2/4/2014

Vulnerability Publication Date: 2/4/2014

Reference Information

CVE: CVE-2014-1477, CVE-2014-1479, CVE-2014-1481, CVE-2014-1482, CVE-2014-1486, CVE-2014-1487, CVE-2014-1490, CVE-2014-1491

BID: 65326, 65328, 65330, 65332, 65334, 65335, 65317, 65320