
Mozilla Firefox < 50.0 Multiple Vulnerabilities

High

Synopsis

The remote host has a web browser installed that is vulnerable to multiple attack vectors.

Description

Versions of Mozilla Firefox prior to 50.0 are unpatched for the following vulnerabilities:

- An overflow condition exists in the 'RASTERIZE_EDGES()' function in 'gfx/cairo/libpixman/src/pixman-edge-imp.h'. The issue is triggered as certain input is not properly validated when handling SVG content. This may allow a context-dependent attacker to cause a heap-based overflow, potentially allowing the execution of arbitrary code. (OSVDB 147338)
- A flaw exists in the 'net_CoalesceDirs()' function in 'netwerk/base/nsURLHelper.cpp' that is triggered when handling specially crafted URLs. This may allow a context-dependent attacker to potentially execute arbitrary code. (OSVDB 147339)
- A flaw exists that is triggered when the Mozilla Updater is run with the updater's log file in the working directory pointing to a hardlink. This may allow a local attacker to append data to an arbitrary local file. (OSVDB 147340)
- A flaw exists in the Mozilla Updater that is triggered as it may select an arbitrary target working directory to output files from the update process. No further details have been provided by the vendor. (OSVDB 147341)
- A flaw exists that is triggered when length checking JavaScript arguments. This may allow a context-dependent attacker to have an unspecified impact. (OSVDB 147342)
- A flaw exists that is triggered as add-on update IDs are not properly validated. This may allow an attacker with the ability to intercept network traffic (e.g., MitM, DNS cache poisoning) to provide malicious add-on updates. (OSVDB 147343)
- A flaw exists that is triggered when a context-dependent attacker forces a user into full-screen mode, which may potentially allow the attacker to use a fake location bar to perform spoofing attacks. (OSVDB 147344)
- An integer overflow condition exists in the 'nsScriptLoadHandler::TryDecodeRawData()' function in 'dom/base/nsScriptLoader.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to cause a buffer overflow, potentially allowing the execution of arbitrary code. (OSVDB 147345)
- A use-after-free error exists in the 'nsINode::ReplaceOrInsertBefore()' function in 'dom/base/nsINode.cpp' that is triggered when handling certain DOM operations. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (OSVDB 147346)
- A use-after-free error exists in the 'nsINode::Prepend()' function in 'dom/base/nsINode.cpp' that is triggered when handling DOM operations. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (OSVDB 147347)
- A use-after-free error exists in 'nsRefreshDriver'. The issue is triggered when handling web animation timelines. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (OSVDB 147348)
- A flaw exists in 'dom/plugins/base/nsPluginTags.cpp' that is triggered as the sandbox for 64-bit NPAPI plugins may not be enabled by default. This may potentially result in less secure behavior than intended. (OSVDB 147349)
- A flaw exists in 'toolkit/components/extensions/ExtensionContent.jsm' that is triggered as WebExtensions may inappropriately access the mozAddonManager API. This may allow a context-dependent attacker to use a specially crafted extension to install further extensions without a user's permission. (OSVDB 147350)
- A flaw exists in 'dom/canvas/CanvasRenderingContext2D.cpp' that is triggered by the use of the feDisplacementMap filter on images that are loaded cross-origin. This may allow a context-dependent attacker to conduct a timing attack and have an unspecified impact. (OSVDB 147351)
- A flaw exists in the 'nsBaseChannel::Redirect()' function in 'netwerk/base/nsBaseChannel.cpp'. The issue is triggered as local shortcut files may be used to bypass the same-origin policy and load local content from the disk. (OSVDB 147352)
- A flaw exists in the 'ProcessSoftwareUpdateCommand()' function in 'toolkit/components/maintenanceservice/workmonitor.cpp', as it may copy 'updater.exe' from untrusted directories. This may allow a local attacker to read files with SYSTEM privileges. (OSVDB 147353)
- A flaw exists that is triggered when a page load is disrupted. This may result in the previous page's favicon and SSL indicator persisting, potentially misleading a user about the URL of the page being visited. (OSVDB 147354)
- A flaw exists that is triggered when a previously installed application defines the same signature-level permissions as Firefox. This may allow a local attacker to intercept and disclose AuthTokens intended to be sent to Firefox. (OSVDB 147356)
- A flaw exists that is triggered when a previously installed application defines the same signature-level permissions as Firefox. This may allow a local attacker to intercept and disclose API keys intended to be sent to Firefox. (OSVDB 147357)
- A flaw exists in 'mobile/android/base/java/org/mozilla/gecko/PrivateTab.java' that is triggered as browsing metadata from private browsing may persist in the 'browser.db' and 'browser.db-wal' files within a Firefox profile. This may potentially allow a physically present attacker to disclose information about private browsing. (OSVDB 147358)
- A flaw exists in 'dom/bindings/Codegen.py' that is triggered when loading pages in a sidebar via a bookmark. This may allow the page to reference a privileged chrome window, violating the same-origin policy and engaging in limited JavaScript operations. (OSVDB 147360)
- A flaw exists that is triggered as the 'windows.create' schema doesn't specify "format": "relativeUrl". This may allow a context-dependent attacker to escape the WebExtension sandbox. (OSVDB 147361)
- An unspecified flaw exists in 'divSpoiler' that may allow an attacker to conduct a side-channel attack. No further details have been provided by the vendor. (OSVDB 147362)
- A flaw exists that is triggered as the "select" dropdown menu may potentially cover location bar content, allowing a context-dependent attacker to spoof the location bar. (OSVDB 147363)
- An integer overflow condition exists in the 'XML_Parse()' function in 'parser/expat/lib/xmlparse.c'. The issue is triggered as certain input is not properly validated when parsing XML content. This may allow a context-dependent attacker to have an unspecified impact. (OSVDB 147364)
- A flaw exists in the 'nsCSPHostSrc::permits()' function in 'dom/security/nsCSPUtils.cpp' that is triggered when the Content Security Policy (CSP) is combined with HTTP to HTTPS redirection. This may potentially allow a context-dependent attacker to enumerate the existence of a known site in a user's browser history. (OSVDB 147365)
- An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 147366, OSVDB 147367, OSVDB 147371, OSVDB 147376, OSVDB 147378, OSVDB 147380, OSVDB 147384)
- A flaw exists in the 'EventListenerManager::GetListenerInfo()' function in 'dom/events/EventListenerManager.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 147368)
- An unspecified flaw exists in 'dom/media/mediasource/TrackBuffersManager.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 147369)
- A flaw exists in the 'WebrtcVideoConduit::CodecConfigToWebRTCCodec()' function in 'media/webrtc/signaling/src/media-conduit/VideoConduit.cpp' that is triggered when handling simulcast streams. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 147370)
- An unspecified flaw exists in 'js/src/jit/arm64/MacroAssembler-arm64.h' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 147372)
- An unspecified flaw exists that is triggered when handling screen/window/app capture. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 147373)
- An unspecified flaw exists related to MessagePort not supporting transferable objects. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 147374)
- A flaw exists that is triggered when handling DOM tree operations for 'insertBefore()' method calls. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 147375)
- A flaw exists that is triggered when handling Ion-compiling of scripts with too many typesets. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 147377)
- An unspecified flaw exists related to tracing of script pointers in off-thread compilation tasks. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 147379)
- A flaw exists that is triggered when handling runtime checks for helper threads tracing. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 147381)
- A flaw exists in the 'GlobalHelperThreadState::finishParseTask()' function in 'js/src/vm/HelperThreads.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 147382)
- An unspecified flaw exists that is triggered as certain input is not properly validated when handling frames. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 147383)
- A flaw exists that is triggered as certain input is not properly validated when handling HTML5 tokenizing. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 147385)
- An unspecified flaw exists in 'dom/events/IMEStateManager.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 147386)
- A flaw exists in the 'JSStructuredCloneWriter::transferOwnership()' function in 'js/src/vm/StructuredClone.cpp' that is triggered when handling user-defined structured clone tags. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 147387)

Solution

Upgrade to Firefox version 50.0 or later.