Ubuntu 12.04 LTS / 12.10 / 13.04 / 13.10 : firefox vulnerabilities (USN-2009-1)

Ubuntu Security Notice (C) 2013-2014 Canonical, Inc. / NASL script (C) 2013-2014 Tenable Network Security, Inc.


Synopsis :

The remote Ubuntu host is missing a security-related patch.

Description :

Multiple memory safety issues were discovered in Firefox. If a user
were tricked in to opening a specially crafted page, an attacker could
possibly exploit these to cause a denial of service via application
crash, or potentially execute arbitrary code with the privileges of
the user invoking Firefox. (CVE-2013-1739, CVE-2013-5590,
CVE-2013-5591, CVE-2013-5592)

Jordi Chancel discovered that HTML select elements could display
arbitrary content. An attacker could potentially exploit this to
conduct URL spoofing or clickjacking attacks (CVE-2013-5593)

Abhishek Arya discovered a crash when processing XSLT data in some
circumstances. An attacker could potentially exploit this to execute
arbitrary code with the privileges of the user invoking Firefox.
(CVE-2013-5604)

Dan Gohman discovered a flaw in the JavaScript engine. When combined
with other vulnerabilities, an attacked could possibly exploit this to
execute arbitrary code with the privileges of the user invoking
Firefox. (CVE-2013-5595)

Ezra Pool discovered a crash on extremely large pages. An attacked
could potentially exploit this to execute arbitrary code with the
privileges of the user invoking Firefox. (CVE-2013-5596)

Byoungyoung Lee discovered a use-after-free when updating the offline
cache. An attacker could potentially exploit this to cause a denial of
service via application crash or execute arbitrary code with the
privileges of the user invoking Firefox. (CVE-2013-5597)

Cody Crews discovered a way to append an iframe in to an embedded PDF
object displayed with PDF.js. An attacked could potentially exploit
this to read local files, leading to information disclosure.
(CVE-2013-5598)

Multiple use-after-free flaws were discovered in Firefox. An attacker
could potentially exploit these to cause a denial of service via
application crash or execute arbitrary code with the privileges of the
user invoking Firefox. (CVE-2013-5599, CVE-2013-5600, CVE-2013-5601)

A memory corruption flaw was discovered in the JavaScript engine when
using workers with direct proxies. An attacker could potentially
exploit this to cause a denial of service via application crash or
execute arbitrary code with the privileges of the user invoking
Firefox. (CVE-2013-5602)

Abhishek Arya discovered a use-after-free when interacting with HTML
document templates. An attacker could potentially exploit this to
cause a denial of service via application crash or execute arbitrary
code with the privileges of the user invoking Firefox. (CVE-2013-5603).

Solution :

Update the affected firefox package.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.7
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false