Synopsis
The remote host has a web browser installed that is vulnerable to multiple attack vectors.
Description
The version of Mozilla Firefox is prior to 40.0 and is affected by multiple vulnerabilities :
- Multiple memory corruption issues exist that allow a remote attacker, via a specially crafted web page, to corrupt memory and potentially execute arbitrary code. (CVE-2015-4473)
- Multiple memory corruption issues exist that allow a remote attacker, via a specially crafted web page, to corrupt memory and potentially execute arbitrary code. (CVE-2015-4474)
- An out-of-bounds read error exists in the 'PlayFromAudioQueue()' function due to improper handling of mismatched sample formats. A remote attacker can exploit this, via a specially crafted MP3 file, to disclose memory contents or execute arbitrary code. (CVE-2015-4475)
- A use-after-free error exists in the Web Audio API during MediaStream playback. A remote attacker can exploit this to dereference already freed memory, resulting in the potential execution of arbitrary code. (CVE-2015-4477)
- A same-origin policy bypass vulnerability exists due to non-configurable properties being redefined in violation of the ECMAScript 6 standard during JSON parsing. A remote attacker can exploit this, by editing these properties to arbitrary values, to bypass the same-origin policy. (CVE-2015-4478)
- Multiple integer overflow conditions exist due to improper validation of user-supplied input when handling 'saio' chunks in MPEG4 video. A remote attacker can exploit this, via a specially crafted MPEG4 file, to execute arbitrary code. (CVE-2015-4479)
- An integer overflow condition exists in the bundled libstagefright component when handling H.264 media content. A remote attacker can exploit this, via a specially crafted MPEG4 file, to execute arbitrary code. (CVE-2015-4480)
- An arbitrary file overwrite vulnerability exists in the Mozilla Maintenance Service due to a race condition. An attacker can exploit this, via the use of a hard link, to overwrite arbitrary files with log output. (CVE-2015-4481)
- An out-of-bounds write error exists due to an array indexing flaw in the 'mar_consume_index()' function when handling index names in MAR files. An attacker can exploit this to execute arbitrary code. (CVE-2015-4482)
- A security bypass vulnerability exists due to a flaw in the 'ShouldLoad()' function that occurs during the handling of POST requests to URLs using the 'feed:' URI handler. An attacker can exploit this to bypass the mixed content blocker. (CVE-2015-4483)
- A denial of service vulnerability exists when handling JavaScript using shared memory without properly gating access to Atomics and SharedArrayBuffer views. An attacker can exploit this to crash the program, resulting in a denial of service condition. (CVE-2015-4484)
- A heap-based buffer overflow condition exists in the 'resize_context_buffers()' function due to improper validation of user-supplied input. A remote attacker can exploit this, via specially crafted WebM content, to cause a heap-based buffer overflow, resulting in the execution of arbitrary code. (CVE-2015-4485)
- A heap-based buffer overflow condition exists in the 'decrease_ref_count()' function due to improper validation of user-supplied input. A remote attacker can exploit this, via specially crafted WebM content, to cause a heap-based buffer overflow, resulting in the execution of arbitrary code. (CVE-2015-4486)
- A buffer overflow condition exists in the 'ReplacePrep()' function. A remote attacker can exploit this to cause a buffer overflow, resulting in the execution of arbitrary code. (CVE-2015-4487)
- A use-after-free error exists in the 'operator=()' function. An attacker can exploit this to dereference already freed memory, resulting in the execution of arbitrary code. (CVE-2015-4488)
- A memory corruption issue exists in the 'nsTArray_Impl()' function due to improper validation of user-supplied input during self-assignment. An attacker can exploit this to corrupt memory, resulting in the execution of arbitrary code. (CVE-2015-4489)
- A security bypass vulnerability exists due to a discrepancy in the implementation of Content Security Policy and the CSP specification. The specification states that 'blob:', 'data:', and 'filesystem:' URLs should be excluded in case of a wildcard when matching source expressions, but Mozilla's implementation allows these in the case of an asterisk wildcard. A remote attacker can exploit this to bypass restrictions. (CVE-2015-4490)
- A use-after-free error exists in the 'XMLHttpRequest::Open()' function due to improper handling of recursive calls. An attacker can exploit this to dereference already freed memory, resulting in the execution of arbitrary code. (CVE-2015-4492)
- An integer underflow condition exists in the bundled libstagefright library. An attacker can exploit this to crash the application, resulting in a denial of service condition. (CVE-2015-4493)
- A flaw in the same origin policy in which an attacker can inject script code into a non-privileged part of browser's built-in PDF reader, resulting in gaining access to sensitive local files. (CVE-2015-4495)
Solution
Upgrade to Firefox 40.0 or later.
Plugin Details
Nessus ID: 85275, 85386
Risk Information
Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerability Information
CPE: cpe:/a:mozilla:firefox
Patch Publication Date: 8/11/2015
Vulnerability Publication Date: 8/11/2015
Exploitable With
CANVAS (CANVAS)
Reference Information
CVE: CVE-2015-4473, CVE-2015-4474, CVE-2015-4475, CVE-2015-4477, CVE-2015-4478, CVE-2015-4479, CVE-2015-4480, CVE-2015-4481, CVE-2015-4482, CVE-2015-4483, CVE-2015-4484, CVE-2015-4485, CVE-2015-4486, CVE-2015-4487, CVE-2015-4488, CVE-2015-4489, CVE-2015-4490, CVE-2015-4491, CVE-2015-4492, CVE-2015-4493, CVE-2015-4495
BID: 76249