Mozilla Firefox < 52 Multiple Vulnerabilities

critical Nessus Network Monitor Plugin ID 9986

Synopsis

The remote host has a web browser installed that is vulnerable to multiple attack vectors.

Description

Versions of Mozilla Firefox prior to 52 are unpatched for the following vulnerabilities :

- A flaw exists that is triggered when using a JIT-spray targeting 'asm.js' in conjunction with a heap spray that may allow a context-dependent attacker to bypass the Data Execution Protection (DEP) and Address Space Layout Randomization (ASLR) protection mechanisms.
- A flaw exists in the 'txMozillaXMLOutput::createResultDocument()' function in 'dom/xslt/xslt/txMozillaXMLOutput.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists in 'dom/network/UDPSocketParent.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists in 'js/src/jit/arm/MacroAssembler-arm.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'nsDocShell::CreateAboutBlankContentViewer()' function in 'docshell/base/nsDocShell.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists that is triggered as certain input is not properly validated when handling SMIL RAII objects. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists that is triggered as certain input is not properly validated when handling accessibles. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'trace()' function in 'xpcom/base/CycleCollectedJSContext.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An integer underflow condition exists in the 'apply_lookup()' function in 'hb-ot-layout-gsubgpos-private.hh' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and crash a process linked against the library or potentially execute arbitrary code.
- A flaw exists in the 'nsWebBrowser::RemoveWebBrowserListener()' function in 'embedding/browser/nsWebBrowser.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists in 'dom/u2f/U2F.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'Element::DescribeAttribute()' function in 'dom/base/Element.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in 'xpcom/ds/nsSupportsArray.cpp' that is triggered when handling 'nsISupportsArrays'. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists in 'dom/workers/ServiceWorkerPrivate.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists in 'layout/printing/nsPrintEngine.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in 'netwerk/cache2/CacheIndex.cpp' that is triggered when handling cache index serialization. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists in 'media/webrtc/trunk/webrtc/modules/video_coding/rtt_filter.cc' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists related to the camera system service that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in 'js/src/jsgc.cpp' that is triggered as certain input is not properly validated when handling zone groups. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists in 'netwerk/streamconv/converters/nsMultiMixedConv.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in 'netwerk/cache/nsDiskCacheDeviceSQL.cpp' that is triggered when handling cache eviction. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A use-after-free condition exists that is triggered when handling NPAPI plugin references. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A flaw exists in 'dom/base/nsDocument.cpp' that is triggered when handling frame request callbacks rescheduling. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'js::array_sort()' function in 'js/src/jsarray.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'cairo_cff_font_write_cid_fontdict()' function in 'cairo-cff-subset.c' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and crash a process linked against the library or potentially execute arbitrary code.
- A use-after-free error exists that is triggered when using addRange to add the range to an incorrect root object. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A use-after-free error exists in the 'FontFaceSet' class in 'layout/style/FontFaceSet.cpp' that is triggered when handling events for FontFace objects. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A flaw exists in the JavaScript Garbage Collection mechanism that is triggered during incremental sweeping on memory cleanups. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in 'dom/bindings/ErrorResult.h' that is triggered when handling 'ErrorResult' references. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A use-after-free error exists that is triggered when handling ranges in selections with one node inside and one node outside of a native anonymous tree. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- An out-of-bounds read flaw exists that is triggered when handling SVG filter color value operations. This may allow a context-dependent attacker to potentially disclose sensitive memory contents.
- A flaw exists in the 'HTMLTrackElement::LoadResource()' function in 'dom/html/HTMLTrackElement.cpp' that is triggered as CORS headers are not checked when loading video captions. This may allow a context-dependent attacker to disclose video captions.
- A path truncation flaw exist in the 'NS_main()' function in 'toolkit/mozapps/update/updater/updater.cpp' that is triggered when passing callback parameters through the Mozilla Maintenance Service. This may allow a local attacker to delete arbitrary files with elevated privileges.
- A flaw exists in the 'FilterNodeLightingSoftware::SetAttribute()' function template in 'gfx/2d/FilterNodeSoftware.cpp' that is triggered when handling subnormal surfaceScale values. With a specially crafted SVG filter, a context-dependent attacker can perform a side-channel attack, potentially resulting in disclosure of history information or text values across domains.
- An out-of-bounds access flaw exists that is triggered when handling bidirectional layout operations. This may allow a context-dependent attacker to have an unspecified impact. No further details have been provided by the vendor.
- A flaw exists in the 'Location' class in 'dom/base/Location.cpp' that is triggered when using a Blob URL. This may allow a context-dependent attacker to spoof the address bar.
- A flaw exists in the 'HTMLInputElement' class in 'dom/html/HTMLInputElement.cpp' that is triggered when handling the local default directory for a file picker dialog. This may allow a context-dependent attacker to disclose information e.g. about the operating system or the local account name.

Solution

Upgrade to Firefox version 52 or later.

See Also

https://www.mozilla.org/en-US/security/advisories/mfsa2017-05

https://www.mozilla.org/en-US/security/advisories/mfsa2017-06

Plugin Details

Severity: Critical

ID: 9986

Family: Web Clients

Published: 3/8/2017

Updated: 3/6/2019

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mozilla:firefox

Patch Publication Date: 3/7/2016

Vulnerability Publication Date: 3/7/2017

Reference Information

CVE: CVE-2017-5398, CVE-2017-5399, CVE-2017-5400, CVE-2017-5401, CVE-2017-5402, CVE-2017-5403, CVE-2017-5404, CVE-2017-5407, CVE-2017-5408, CVE-2017-5409, CVE-2017-5410, CVE-2017-5412, CVE-2017-5413, CVE-2017-5414, CVE-2017-5415

BID: 96664, 96693, 96651, 96654, 96691