
Mozilla Firefox < 48.0 Multiple Vulnerabilities

High

Synopsis

The remote host has a web browser installed that is vulnerable to multiple attack vectors.

Description

Versions of Mozilla Firefox prior to 48.0 are unpatched for the following vulnerabilities:

- A flaw is triggered as certain input is not properly validated when handling the 'BitmapInfoHeader' in icons. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 142419)
- A flaw exists in 'js/src/frontend/Parser.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 142420)
- A flaw exists in the 'js::array_splice_impl()' function in 'js/src/jsarray.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 142421)
- A flaw is triggered as certain unspecified user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 142422, OSVDB 142423, OSVDB 142431, OSVDB 142434)
- A flaw exists in the 'OSXNotificationCenter::ShowAlertWithIconData()' function in 'widget/cocoa/OSXNotificationCenter.mm' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 142424)
- A flaw exists in the 'Http2Session::TransactionHasDataToWrite()' function in 'netwerk/protocol/http/Http2Session.cpp' and 'SpdySession31::TransactionHasDataToWrite()' function in 'netwerk/protocol/http/SpdySession31.cpp'. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 142426)
- A flaw exists in the 'Assembler::bind()' function in 'js/src/jit/arm/Assembler-arm.cpp' that is triggered when handling certain labels. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 142427)
- A flaw exists in the 'CodeGeneratorShared::assignBailoutId()' function in 'js/src/jit/shared/CodeGenerator-shared.cpp' that is triggered when handling allocation errors. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 142428)
- An overflow condition exists in 'woff2_dec.cc' that is triggered as certain input is not properly validated when decompressing files. This may allow a context-dependent attacker to cause a buffer overflow and potentially execute arbitrary code. (OSVDB 142429)
- A flaw exists in the 'SetPaintPattern()' function in 'gfx/2d/DrawTargetSkia.cpp' that is triggered when handling gradients with non-finite endpoints. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 142430)
- A flaw exists in the 'PeerConnectionMedia::ProtocolProxyQueryHandler::OnProxyAvailable()' function in 'media/webrtc/signaling/src/peerconnection/PeerConnectionMedia.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 142432)
- A flaw exists in 'media/mtransport/nr_timer.cpp' that is triggered when handling timers. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 142433)
- A race condition exists in the 'MatchKeyHash()' function in 'security/pkix/lib/pkixocsp.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 142435)
- An overflow condition exists in the 'ClearKeyDecryptor::Decrypt()' function in 'media/gmp-clearkey/0.1/ClearKeyDecryptionManager.cpp' used by the Encrypted Media Extensions (EME) API. The issue is triggered as user-supplied input is not properly validated when handling video files. This may allow a context-dependent attacker to cause a buffer overflow, potentially allowing the execution of arbitrary code. (OSVDB 142468)
- A flaw is triggered as file URIs dragged from a web page to a different piece of software failed to have the contents properly filtered. This may allow a context-dependent attacker to gain access to potentially sensitive information. (OSVDB 142469)
- A flaw is triggered when handling right-to-left character sets with left-to-right character sets. This may allow a context-dependent attacker to spoof the address bar. (OSVDB 142470)
- A flaw is triggered when handling certain specific 'about:' URLs. This may allow a context-dependent attacker to spoof the contents of system information or error messages. (OSVDB 142471)
- A flaw exists in the 'HttpBaseChannel::GetPerformance()' function in 'netwerk/protocol/http/HttpBaseChannel.cpp' due to the program leaking potentially sensitive resources of URLs through the Resource Timing API during page navigation. This may allow a context-dependent attacker to potentially disclose sensitive information. (OSVDB 142472)
- An integer overflow condition exists in the 'WebSocketChannel::ProcessInput()' function in 'netwerk/protocol/websocket/WebSocketChannel.cpp'. The issue is triggered as user-supplied input is not properly validated when handling specially crafted 'WebSocketChannel' packets. This may allow a context-dependent attacker to potentially execute arbitrary code. (OSVDB 142473)
- A use-after-free error exists in the 'nsNodeUtils::NativeAnonymousChildListChange()' function. The issue is triggered when applying effects to an SVG element. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (OSVDB 142474)
- A use-after-free error exists in the 'js::PreliminaryObjectArray::sweep()' function in JavaScript. The issue is triggered when handling objects and pointers during incremental garbage collection. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (OSVDB 142475)
- A use-after-free error exists in 'WebRTC'. The issue is triggered when handling DTLS objects. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (OSVDB 142476)
- A flaw exists in the 'restorableFormNodes()' function in 'toolkit/modules/sessionstore/XPathGenerator.jsm' that is due to the program persistently storing passwords in plaintext in session restore data. This may allow a context-dependent attacker to potentially gain access to password information. (OSVDB 142477)
- A use-after-free error exists in the 'WorkerPrivate::DestroySyncLoop()' function in 'dom/workers/WorkerPrivate.cpp'. The issue is triggered when handling nested sync event loops in Service Workers. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (OSVDB 142478)
- A type confusion flaw exists in the 'nsDisplayList::HitTest()' function in 'layout/base/nsDisplayList.cpp' that is triggered during the handling of display transformations. This may allow a context-dependent attacker to potentially execute arbitrary code. (OSVDB 142479)
- A flaw exists in the 'nsBaseChannel::Redirect()' function in 'netwerk/base/nsBaseChannel.cpp' that is triggered when a malicious shortcut is called from the same directory as a local HTML file. This may allow a local attacker to bypass the same-origin policy. (OSVDB 142480)
- An underflow condition exists in the 'mozilla::gfx::BasePoint4d()' function in 'gfx/2d/Matrix.h'. The issue is triggered as user-supplied input is not properly validated when calculating clipping regions in 2D graphics. This may allow a context-dependent attacker to cause a stack buffer underflow, potentially allowing the execution of arbitrary code. (OSVDB 142481)
- An overflow condition exists in the 'nsBidi::BracketData::ProcessPDI()' function in 'layout/base/nsBidi.cpp'. The issue is triggered as user-supplied input is not properly validated when rendering SVG format graphics with directional content. This may allow a context-dependent attacker to cause a heap-based buffer overflow, potentially allowing the execution of arbitrary code. (OSVDB 142482)
- A flaw exists in the 'Cairo' graphics layer that is triggered when allocating the 'LibAV' header during video decoding. This may allow a context-dependent attacker to crash the Cairo graphics layer. (OSVDB 142483)
- A flaw is due to event handler attributes on a 'marquee' tag being executed inside a sandboxed iframe that does not have the allow-scripts flag set. This may allow a context-dependent attacker to bypass XSS protection mechanisms. (OSVDB 142484)
- A flaw is due to the program failing to close connections after requesting favicons. This may allow a context-dependent attacker to continue to send requests to the user's browser and gain access to potentially sensitive information. (OSVDB 142485)
- A use-after-free error exists in the 'nsXULPopupManager::KeyDown()' function in 'layout/xul/nsXULPopupManager.cpp'. The issue is triggered when using the alt key in conjunction with top level menu items in Firefox. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (OSVDB 142486)
- A flaw is triggered when decoding url-encoded values in 'data:' URLs. This may allow a context-dependent attacker to use non-ASCII or emoji characters to spoof the address bar. (OSVDB 142487)
- A flaw exists in 'toolkit/mozapps/update/updater/updater.cpp' that is due to the 'Updater', when opened using the callback application path parameter, creating a copy of a user specified file as a callback file with a locked hardlink. This may allow a local attacker to run the target file and gain elevated privileges. (OSVDB 142488)
- An unspecified flaw exists that is triggered during the handling of TTC detection. This may allow a context-dependent attacker to have an unspecified impact. No further details have been provided. (OSVDB 142603)
- An out-of-bounds access flaw exists in the 'ReconstructTransformedHmtx()' function in 'woff2_dec.cc' that may allow a context-dependent attacker to have an unspecified impact. (OSVDB 142607)
- An unspecified flaw exists in 'woff2_dec.cc' that may allow a context-dependent attacker to have an unspecified impact. (OSVDB 142608)
- An unspecified flaw exists in 'woff2_dec.cc' that is triggered during memory allocation, which may allow a context-dependent attacker to crash a process linked against the library. (OSVDB 142609)

Solution

Upgrade to Firefox version 48.0 or later.