Synopsis
The remote host has a web browser installed that is vulnerable to multiple attack vectors.
Description
Versions of Mozilla Firefox prior to 48.0 are unpatched for the following vulnerabilities:
- A flaw is triggered as certain input is not properly validated when handling the 'BitmapInfoHeader' in icons. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in 'js/src/frontend/Parser.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'js::array_splice_impl()' function in 'js/src/jsarray.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw is triggered as certain unspecified user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'OSXNotificationCenter::ShowAlertWithIconData()' function in 'widget/cocoa/OSXNotificationCenter.mm' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'Http2Session::TransactionHasDataToWrite()' function in 'netwerk/protocol/http/Http2Session.cpp' and 'SpdySession31::TransactionHasDataToWrite()' function in 'netwerk/protocol/http/SpdySession31.cpp'. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'Assembler::bind()' function in 'js/src/jit/arm/Assembler-arm.cpp' that is triggered when handling certain labels. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'CodeGeneratorShared::assignBailoutId()' function in 'js/src/jit/shared/CodeGenerator-shared.cpp' that is triggered when handling allocation errors. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An overflow condition exists in 'woff2_dec.cc' that is triggered as certain input is not properly validated when decompressing files. This may allow a context-dependent attacker to cause a buffer overflow and potentially execute arbitrary code.
- A flaw exists in the 'SetPaintPattern()' function in 'gfx/2d/DrawTargetSkia.cpp' that is triggered when handling gradients with non-finite endpoints. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'PeerConnectionMedia::ProtocolProxyQueryHandler::OnProxyAvailable()' function in 'media/webrtc/signaling/src/peerconnection/PeerConnectionMedia.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in 'media/mtransport/nr_timer.cpp' that is triggered when handling timers. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A race condition exists in the 'MatchKeyHash()' function in 'security/pkix/lib/pkixocsp.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An overflow condition exists in the 'ClearKeyDecryptor::Decrypt()' function in 'media/gmp-clearkey/0.1/ClearKeyDecryptionManager.cpp' used by the Encrypted Media Extensions (EME) API. The issue is triggered as user-supplied input is not properly validated when handling video files. This may allow a context-dependent attacker to cause a buffer overflow, potentially allowing the execution of arbitrary code.
- A flaw is triggered as file URIs dragged from a web page to a different piece of software do not have their contents properly filtered. This may allow a context-dependent attacker to gain access to potentially sensitive information.
- A flaw is triggered when handling right-to-left character sets with left-to-right character sets. This may allow a context-dependent attacker to spoof the address bar.
- A flaw is triggered when handling certain specific 'about:' URLs. This may allow a context-dependent attacker to spoof the contents of system information or error messages.
- A flaw exists in the 'HttpBaseChannel::GetPerformance()' function in 'netwerk/protocol/http/HttpBaseChannel.cpp' due to the program leaking potentially sensitive resources of URLs through the Resource Timing API during page navigation. This may allow a context-dependent attacker to potentially disclose sensitive information.
- An integer overflow condition exists in the 'WebSocketChannel::ProcessInput()' function in 'netwerk/protocol/websocket/WebSocketChannel.cpp'. The issue is triggered as user-supplied input is not properly validated when handling specially crafted 'WebSocketChannel' packets. This may allow a context-dependent attacker to potentially execute arbitrary code.
- A use-after-free error exists in the 'nsNodeUtils::NativeAnonymousChildListChange()' function. The issue is triggered when applying effects to SVG elements. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A use-after-free error exists in the 'js::PreliminaryObjectArray::sweep()' function in JavaScript. The issue is triggered when handling objects and pointers during incremental garbage collection. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A use-after-free error exists in 'WebRTC'. The issue is triggered when handling DTLS objects. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A flaw exists in the 'restorableFormNodes()' function in 'toolkit/modules/sessionstore/XPathGenerator.jsm' that is due to the program persistently storing passwords in plaintext in session restore data. This may allow a context-dependent attacker to potentially gain access to password information.
- A use-after-free error exists in the 'WorkerPrivate::DestroySyncLoop()' function in 'dom/workers/WorkerPrivate.cpp'. The issue is triggered when handling nested sync event loops in Service Workers. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A type confusion flaw exists in the 'nsDisplayList::HitTest()' function in 'layout/base/nsDisplayList.cpp' that is triggered during the handling of display transformations. This may allow a context-dependent attacker to potentially execute arbitrary code.
- A flaw exists in the 'nsBaseChannel::Redirect()' function in 'netwerk/base/nsBaseChannel.cpp' that is triggered when a malicious shortcut is called from the same directory as a local HTML file. This may allow a local attacker to bypass the same-origin policy.
- An underflow condition exists in the 'mozilla::gfx::BasePoint4d()' function in 'gfx/2d/Matrix.h'. The issue is triggered as user-supplied input is not properly validated when calculating clipping regions in 2D graphics. This may allow a context-dependent attacker to cause a stack buffer underflow, potentially allowing the execution of arbitrary code.
- An overflow condition exists in the 'nsBidi::BracketData::ProcessPDI()' function in 'layout/base/nsBidi.cpp'. The issue is triggered as user-supplied input is not properly validated when rendering SVG format graphics with directional content. This may allow a context-dependent attacker to cause a heap-based buffer overflow, potentially allowing the execution of arbitrary code.
- A flaw exists in the 'Cairo' graphics layer that is triggered when allocating the 'LibAV' header during video decoding. This may allow a context-dependent attacker to crash the Cairo graphics layer.
- A flaw is due to event handler attributes on a 'marquee' tag being executed inside a sandboxed iframe that does not have the allow-scripts flag set. This may allow a context-dependent attacker to bypass XSS protection mechanisms.
- A flaw is due to the program failing to close connections after requesting favicons. This may allow a context-dependent attacker to continue to send requests to the user's browser and gain access to potentially sensitive information.
- A use-after-free error exists in the 'nsXULPopupManager::KeyDown()' function in 'layout/xul/nsXULPopupManager.cpp'. The issue is triggered when using the alt key in conjunction with top level menu items in Firefox. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A flaw is triggered when decoding url-encoded values in 'data:' URLs. This may allow a context-dependent attacker to use non-ASCII or emoji characters to spoof the address bar.
- A flaw exists in 'toolkit/mozapps/update/updater/updater.cpp' that is due to the 'Updater', when opened using the callback application path parameter, creating a copy of a user specified file as a callback file with a locked hardlink. This may allow a local attacker to run the target file and gain elevated privileges.
- An unspecified flaw exists that is triggered during the handling of TTC detection. This may allow a context-dependent attacker to have an unspecified impact. No further details have been provided.
- An out-of-bounds access flaw exists in the 'ReconstructTransformedHmtx()' function in 'woff2_dec.cc' that may allow a context-dependent attacker to have an unspecified impact.
- An unspecified flaw exists in 'woff2_dec.cc' that may allow a context-dependent attacker to have an unspecified impact.
- An unspecified flaw exists in 'woff2_dec.cc' that is triggered during memory allocation, which may allow a context-dependent attacker to crash a process linked against the library.
Solution
Upgrade to Firefox version 48.0 or later.
Plugin Details
Nessus ID: 92755
Risk Information
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:mozilla:firefox
Patch Publication Date: 8/2/2016
Vulnerability Publication Date: 7/21/2016
Reference Information
CVE: CVE-2016-2830, CVE-2016-2835, CVE-2016-2836, CVE-2016-2837, CVE-2016-2838, CVE-2016-2839, CVE-2016-5250, CVE-2016-5251, CVE-2016-5252, CVE-2016-5253, CVE-2016-5254, CVE-2016-5255, CVE-2016-5258, CVE-2016-5259, CVE-2016-5260, CVE-2016-5261, CVE-2016-5262, CVE-2016-5263, CVE-2016-5264, CVE-2016-5265, CVE-2016-5266, CVE-2016-5267, CVE-2016-5268
BID: 92258, 92261, 92260