Mozilla Firefox < 50.0 Multiple Vulnerabilities

high Nessus Network Monitor Plugin ID 9804

Synopsis

The remote host has a web browser installed that is vulnerable to multiple attack vectors.

Description

Versions of Mozilla Firefox prior to 50.0 are unpatched for the following vulnerabilities :

- An overflow condition exists in the 'RASTERIZE_EDGES()' function in 'gfx/cairo/libpixman/src/pixman-edge-imp.h'. The issue is triggered as certain input is not properly validated when handling SVG content. This may allow a context-dependent attacker to cause a heap-based overflow, potentially allowing the execution of arbitrary code.
- A flaw exists in the 'net_CoalesceDirs()' function in 'netwerk/base/nsURLHelper.cpp' that is triggered when handling specially crafted URLs. This may allow a context-dependent attacker to potentially execute arbitrary code.
- A flaw exists that is triggered when the Mozilla Updater is run with the updater's log file in the working directory pointing to a hardlink. This may allow a local attacker to append data to an arbitrary local file.
- A flaw exists in the Mozilla Updater that is triggered as it may select an arbitrary target working directory to output files from the update process. No further details have been provided by the vendor.
- A flaw exists that is triggered when length checking JavaScript arguments. This may allow a context-dependent attacker to have an unspecified impact.
- A flaw exists that is triggered as add-on update IDs are not properly validated. This may allow an attacker with the ability to intercept network traffic '(e.g'. MitM, DNS cache poisoning) to provide malicious add-on updates.
- A flaw exists that is triggered when a context-dependent attacker forces a user into full-screen mode, which may potentially allow the attacker to use a fake location bar to perform spoofing attacks.
- An integer overflow condition exists in the 'nsScriptLoadHandler::TryDecodeRawData()' function in 'dom/base/nsScriptLoader.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to cause a buffer overflow, potentially allowing the execution of arbitrary code.
- A use-after-free error exists in the 'nsINode::ReplaceOrInsertBefore()' function in 'dom/base/nsINode.cpp' that is triggered when handling certain DOM operations. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A use-after-free error exists in the 'nsINode::Prepend()' function in 'dom/base/nsINode.cpp' that is triggered when handling DOM operations. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A use-after-free error exists in 'nsRefreshDriver'. The issue is triggered when handling web animation timelines. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A flaw exists in 'dom/plugins/base/nsPluginTags.cpp' that is triggered as the sandbox for 64-bit NPAPI plugins may not be enabled by default. This may potentially result in less secure behavior than intended.
- A flaw exists in 'toolkit/components/extensions/ExtensionContent.jsm' that is triggered as WebExtensions may inappropriately access the mozAddonManager API. This may allow a context-dependent attacker to use a specially crafted extension to install further extensions without a user's permission.
- A flaw exists in 'dom/canvas/CanvasRenderingContext2D.cpp' that is triggered by the use of the feDisplacementMap filter on images that are loaded cross-origin. This may allow a context-dependent attacker to conduct a timing attack and have an unspecified impact.
- A flaw exists in the 'nsBaseChannel::Redirect()' function in 'netwerk/base/nsBaseChannel.cpp'. The issue is triggered as local shortcut files may be used to bypass the same-origin policy and load local content from the disk.
- A flaw exists in the 'ProcessSoftwareUpdateCommand()' function in 'toolkit/components/maintenanceservice/workmonitor.cpp', as it may copy 'updater.exe' from untrusted directories. This may allow a local attacker to read files with SYSTEM privileges.
- A flaw exists that is triggered when a page load is disrupted. This may result in the previous page's favicon and SSL indicator persisting, potentially misleading a user about the URL of the page being visited.
- A flaw exists that is triggered when a previously installed application defines the same signature-level permissions as Firefox. This may allow a local attacker to intercept and disclose AuthTokens intended to be sent to Firefox.
- A flaw exists that is triggered when a previously installed application defines the same signature-level permissions as Firefox. This may allow a local attacker to intercept and disclose API keys intended to be sent to Firefox.
- A flaw exists in 'mobile/android/base/java/org/mozilla/gecko/PrivateTab.java' that is triggered, as browsing metadata from private browsing may persist in the 'browser.db' and 'browser.db'-wal files within a Firefox profile. This may potentially allow a physically present attacker to disclose information about private browsing.
- A flaw exists in 'dom/bindings/Codegen.py' that is triggered when loading pages in a sidebar via a bookmark. This may allow the page to reference a privileged chrome window, violating the same-origin policy and engaging in limited JavaScript operations.
- A flaw exists that is triggered as the 'windows.create' schema doesn't specify "format": "relativeUrl". This may allow a context-dependent attacker to escape the WebExtension sandbox.
- An unspecified flaw exists in 'divSpoiler' that may allow an attacker to conduct a side-channel attack. No further details have been provided by the vendor.
- A flaw exists that is triggered as the "select" dropdown menu may potentially cover location bar content, allowing a context-dependent attacker to spoof the location bar.
- An integer overflow condition exists in the 'XML_Parse()' function in 'parser/expat/lib/xmlparse.c'. The issue is triggered as certain input is not properly validated when parsing XML content. This may allow a context-dependent attacker to have an unspecified impact.
- A flaw exists in the 'nsCSPHostSrc::permits()' function in 'dom/security/nsCSPUtils.cpp' that is triggered when the Content Security Policy (CSP) is combined with HTTP to HTTPS redirection. This may potentially allow a context-dependent attacker to enumerate the existence of a known site in a user's browser history.
- An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'EventListenerManager::GetListenerInfo()' function in 'dom/events/EventListenerManager.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists in 'dom/media/mediasource/TrackBuffersManager.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'WebrtcVideoConduit::CodecConfigToWebRTCCodec()' function in 'media/webrtc/signaling/src/media-conduit/VideoConduit.cpp' that is triggered when handling simulcast streams. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists in 'js/src/jit/arm64/MacroAssembler-arm64.h' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exist that is triggered when handling screen/window/app capture. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists related to MessagePort not supporting transferable objects. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists that is triggered when handling DOM tree operations for 'insertBefore()' method calls. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists that is triggered when handling Ion-compiling of scripts with too many typesets. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists related to tracing of script pointers in off-thread compilation tasks. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists that is triggered when handling runtime checks for helper threads tracing. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'GlobalHelperThreadState::finishParseTask()' function in 'js/src/vm/HelperThreads.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists that is triggered as certain input is not properly validated when handling frames. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists that is triggered as certain input is not properly validated when handling HTML5 tokenizing. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists in 'dom/events/IMEStateManager.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'JSStructuredCloneWriter::transferOwnership()' function in 'js/src/vm/StructuredClone.cpp' that is triggered when handling user-defined structured clone tags. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.

Solution

Upgrade to Firefox version 50.0 or later.

See Also

https://www.mozilla.org/en-US/security/advisories/mfsa2016-89

https://www.mozilla.org/en-US/security/advisories/mfsa2016-90

Plugin Details

Severity: High

ID: 9804

Family: Web Clients

Published: 12/2/2016

Updated: 3/6/2019

Nessus ID: 94960

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 8.1

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mozilla:firefox

Patch Publication Date: 11/15/2016

Vulnerability Publication Date: 10/3/2016

Reference Information

CVE: CVE-2014-8644, CVE-2016-5289, CVE-2016-5290, CVE-2016-5291, CVE-2016-5292, CVE-2016-5293, CVE-2016-5294, CVE-2016-5295, CVE-2016-5296, CVE-2016-5297, CVE-2016-5298, CVE-2016-5299, CVE-2016-9061, CVE-2016-9062, CVE-2016-9063, CVE-2016-9064, CVE-2016-9065, CVE-2016-9066, CVE-2016-9067, CVE-2016-9068, CVE-2016-9069, CVE-2016-9070, CVE-2016-9071, CVE-2016-9072, CVE-2016-9073, CVE-2016-9074, CVE-2016-9075, CVE-2016-9076, CVE-2016-9077

BID: 94335, 94336, 94337, 94339, 94341, 94342