Firefox ESR 24.x < 24.5 Multiple Vulnerabilities (Mac OS X)

This script is Copyright (C) 2014 Tenable Network Security, Inc.


Synopsis :

The remote Mac OS X host contains a web browser that is potentially
affected by multiple vulnerabilities.

Description :

The installed version of Firefox ESR 24.x is prior to 24.5 and is,
therefore, potentially affected by the following vulnerabilities :

- Memory issues exist that could lead to arbitrary code
execution. (CVE-2014-1518, CVE-2014-1519)

- An out-of-bounds read issue exists when decoding
certain JPG images that could lead to a denial of
service. (CVE-2014-1523)

- A memory corruption issue exists due to improper
validation of XBL objects that could lead to arbitrary
code execution. (CVE-2014-1524)

- A security bypass issue exists in the Web Notification
API that could lead to arbitrary code execution.
(CVE-2014-1529)

- A cross-site scripting issue exists that could allow an
attacker to load a website other than the one whose URL
is shown in the address bar. (CVE-2014-1530)

- A use-after-free issue exists due to an 'imgLoader'
object being freed when being resized. This issue
could lead to arbitrary code execution. (CVE-2014-1531)

- A use-after-free issue exists during host resolution
that could lead to arbitrary code execution.
(CVE-2014-1532)

See also :

http://www.mozilla.org/security/announce/2014/mfsa2014-34.html
http://www.mozilla.org/security/announce/2014/mfsa2014-37.html
http://www.mozilla.org/security/announce/2014/mfsa2014-38.html
http://www.mozilla.org/security/announce/2014/mfsa2014-42.html
http://www.mozilla.org/security/announce/2014/mfsa2014-43.html
http://www.mozilla.org/security/announce/2014/mfsa2014-44.html
http://www.mozilla.org/security/announce/2014/mfsa2014-46.html

Solution :

Upgrade to Firefox ESR 24.5 or later.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.1
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false