Firefox < 14.0 Multiple Vulnerabilities (Mac OS X)

This script is Copyright (C) 2012-2014 Tenable Network Security, Inc.


Synopsis :

The remote Mac OS X host contains a web browser that is affected by
multiple vulnerabilities.

Description :

The installed version of Firefox is earlier than 14.0 and thus, is
potentially affected by the following security issues :

- Several memory safety issues exist, some of which could
potentially allow arbitrary code execution.
(CVE-2012-1948, CVE-2012-1949)

- An error related to drag and drop can allow incorrect
URLs to be displayed. (CVE-2012-1950)

- Several memory safety issues exist related to the Gecko
layout engine. (CVE-2012-1951, CVE-2012-1952,
CVE-2012-1953, CVE-2012-1954)

- An error related to JavaScript functions
'history.forward' and 'history.back' can allow
incorrect URLs to be displayed. (CVE-2012-1955)

- Cross-site scripting attacks are possible due to an
error related to the '<embed>' tag within an RSS
'<description>' element. (CVE-2012-1957)

- A use-after-free error exists related to the method
'nsGlobalWindow::PageHidden'. (CVE-2012-1958)

- An error exists that can allow 'same-compartment
security wrappers' (SCSW) to be bypassed.
(CVE-2012-1959)

- An out-of-bounds read error exists related to the color
management library (QCMS). (CVE-2012-1960)

- The 'X-Frames-Options' header is ignored if it is
duplicated. (CVE-2012-1961)

- A memory corruption error exists related to the method
'JSDependentString::undepend'. (CVE-2012-1962)

- An error related to the 'Content Security Policy' (CSP)
implementation can allow the disclosure of OAuth 2.0
access tokens and OpenID credentials. (CVE-2012-1963)

- An error exists related to the 'feed:' URL that can
allow cross-site scripting attacks. (CVE-2012-1965)

- Cross-site scripting attacks are possible due to an
error related to the 'data:' URL and context menus.
(CVE-2012-1966)

- An error exists related to the 'javascript:' URL that
can allow scripts to run at elevated privileges outside
the sandbox. (CVE-2012-1967)

See also :

http://www.mozilla.org/security/announce/2012/mfsa2012-42.html
http://www.mozilla.org/security/announce/2012/mfsa2012-43.html
http://www.mozilla.org/security/announce/2012/mfsa2012-44.html
http://www.mozilla.org/security/announce/2012/mfsa2012-45.html
http://www.mozilla.org/security/announce/2012/mfsa2012-46.html
http://www.mozilla.org/security/announce/2012/mfsa2012-47.html
http://www.mozilla.org/security/announce/2012/mfsa2012-48.html
http://www.mozilla.org/security/announce/2012/mfsa2012-49.html
http://www.mozilla.org/security/announce/2012/mfsa2012-50.html
http://www.mozilla.org/security/announce/2012/mfsa2012-51.html
http://www.mozilla.org/security/announce/2012/mfsa2012-52.html
http://www.mozilla.org/security/announce/2012/mfsa2012-53.html
http://www.mozilla.org/security/announce/2012/mfsa2012-55.html
http://www.mozilla.org/security/announce/2012/mfsa2012-56.html

Solution :

Upgrade to Firefox 14.0 or later.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.1
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false