
Mozilla Firefox < 51 Multiple Vulnerabilities

High

Synopsis

The remote host has a web browser installed that is vulnerable to multiple attack vectors.

Description

Versions of Mozilla Firefox prior to 51 are unpatched for the following vulnerabilities:

- A flaw exists in JIT code allocation that may allow a context-dependent attacker to bypass the Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) protection mechanisms. (OSVDB 150831)
- A use-after-free error exists in the 'txExecutionState::getVariable()' function in 'dom/xslt/xslt/txExecutionState.cpp' that is triggered when handling XSL in XSLT documents. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (OSVDB 150832)
- A flaw exists that is due to the program sharing hashed codes of JavaScript objects between pages. This may allow a context-dependent attacker to gain access to potentially sensitive data by discovering the object's address through a pointer leak. (OSVDB 150834)
- A use-after-free error exists in the 'nsDocument::GetAnimations()' function in 'dom/base/nsDocument.cpp' that is triggered when handling web animations. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (OSVDB 150835)
- A use-after-free error exists in the 'PresShell::FlushPendingNotifications()' function in 'layout/base/PresShell.cpp' that is triggered during DOM manipulation of SVG content. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (OSVDB 150836)
- A flaw exists that is due to the JSON viewer in the Developer Tools insecurely creating communication channels for copying and viewing JSON or HTTP headers. This may allow an attacker with the ability to intercept network traffic (e.g. MitM, DNS cache poisoning) to disclose and optionally manipulate transmitted data. (OSVDB 150837)
- A flaw exists in the 'mozAddonManager' API that may allow a WebExtension attacker to modify CSP headers. This may allow a context-dependent attacker to use a host request to redirect script load to a malicious site, where it will install additional extensions without the user's consent. (OSVDB 150838)
- A flaw exists in the 'RangeAnalysis::addBetaNodes()' function in 'js/src/jit/RangeAnalysis.cpp' related to improper comparisons being performed when adding beta nodes. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 150839)
- A flaw exists in 'dom/media/DOMMediaStream.cpp' that is triggered when handling media stream tracks. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 150840)
- A flaw exists in the 'Library::Create()' function in 'js/src/ctypes/Library.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 150841)
- A flaw exists in the 'Library::Create()' function in 'js/src/ctypes/Library.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 150842)
- An unspecified flaw exists in 'dom/workers/ServiceWorkerRegistration.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 150843)
- An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 150844)
- A flaw exists in the 'nsAttrAndChildArray::GrowBy()' function in 'dom/base/nsAttrAndChildArray.cpp' related to a missing return value check. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 150845)
- A flaw exists in the 'AppendUTF16toUTF8()' function in 'xpcom/string/nsReadableUtils.cpp' that is triggered when handling certain size calculations. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 150846)
- A flaw exists in 'xpcom/string/nsTSubstringTuple.cpp' that is triggered when handling substring tuple lengths. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 150847)
- An integer overflow condition exists in the 'RTCPPacketInformation::AddApplicationData()' function in 'webrtc/modules/rtp_rtcp/source/rtcp_receiver_help.cc' that is triggered when handling RTCP APP packets. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 150848)
- An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 150849, OSVDB 150850, OSVDB 150852, OSVDB 150853, OSVDB 150854)
- An unspecified flaw exists in 'dom/base/WebSocket.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 150851)
- A flaw exists in the 'GetDatabaseFileURL()' function in 'dom/indexedDB/ActorsParent.cpp' that is triggered when handling file: URIs. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 150855)
- An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 150856)
- A flaw exists in 'gfx/2d/PathRecording.h' that is triggered when handling event recorders. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 150857)
- A flaw exists in the 'ICCallStubCompiler::guardFunApply()' function in 'js/src/jit/BaselineIC.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 150858)
- A flaw exists in the 'IonBuilder::createThisScriptedSingleton()' function in 'js/src/jit/IonBuilder.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 150859)
- A flaw exists in the 'AddLazyFunctionsForCompartment()' function in 'js/src/jscompartment.cpp' that is triggered when handling references to a compartment's lazy functions. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 150860)
- A flaw exists in the 'js::DefineTypedArrayElement()' function in 'js/src/vm/TypedArrayObject.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 150861)
- A flaw exists in the 'DataViewObject::create()' function in 'js/src/vm/TypedArrayObject.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 150062)
- An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 150063)
- A flaw exists in the 'IonBuilder::initEnvironmentChain()' function in 'js/src/jit/IonBuilder.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 150064)
- An unspecified flaw exists in the JavaScript JIT compiler that is triggered when handling windows. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 150065)
- A flaw exists in the 'nsDOMConstructor::HasInstance()' function in 'dom/base/nsDOMClassInfo.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 150066)
- A use-after-free flaw exists in the 'nsDocument::SetScriptGlobalObject()' function in 'dom/base/nsDocument.cpp' that is triggered when handling specially crafted media files. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (OSVDB 150075)
- A flaw exists in 'security/manager/pki/resources/content/pippki.js' that allows traversing outside of a restricted path. The issue is due to the export functions in the certificate viewer not properly sanitizing user input, specifically path traversal style attacks (e.g. '../'). This may allow a context-dependent attacker to make changes to the save destination for certificate content. (OSVDB 150876)
- A flaw exists that may allow a remote attacker to use the preview feature for RSS feeds to view potentially sensitive privileged content errors and exceptions. (OSVDB 150877)
- A flaw exists that is triggered during the handling of a specially crafted URL that contains certain Unicode glyphs for alternative hyphens and quotes. This may allow a context-dependent attacker to spoof the location bar. (OSVDB 150878)
- A flaw exists that is triggered during the handling of a specially crafted Proxy Auto-Config (PAC) file. This file may potentially specify which JavaScript function is called for URL requests, allowing a context-dependent attacker to gain access to potentially sensitive information. (OSVDB 150879)
- A flaw exists in 'dom/base/nsDocument.cpp' that is triggered as data sent with multipart channels, such as the multipart/x-mixed-replace MIME type, ignores the bypass referrer-policy response header. This may allow a context-dependent attacker to gain access to sensitive information related to sites using the header. (OSVDB 150880)
- A flaw exists that may allow WebExtension scripts to use the 'data: protocol' to affect pages loaded by other extensions. This may allow a context-dependent attacker to potentially disclose sensitive information or gain elevated privileges related to other extensions. (OSVDB 150881)
- A flaw exists in 'mobile/android/chrome/content/browser.js' that is triggered when handling a series of JavaScript events in fullscreen mode. This may allow a context-dependent attacker to spoof the location bar. (OSVDB 150882)
- A flaw exists that is triggered as certain 'about: pages' used by web content may load other privileged 'about: pages' within an iframe. This may potentially allow a context-dependent attacker to gain elevated privileges. (OSVDB 150883)
- A flaw exists that is triggered as weak proxy objects may have weak references on multiple threads, instead of only one. This may potentially allow a context-dependent attacker to corrupt memory and execute arbitrary code. (OSVDB 150884)
- A flaw exists in 'toolkit/mozapps/extensions/AddonManager.jsm' that is triggered as mozAddonManager allows for extension installation from the CDN for addons.mozilla.org. This may potentially allow a malicious extension to install additional extensions. (OSVDB 150885)
- A flaw exists that is triggered when the location bar of a new page has been scrolled out of view. This may potentially allow a context-dependent attacker to spoof the location bar. (OSVDB 150886)
- A flaw exists in the 'HTMLTrackElement::SetReadyState()' function in 'dom/html/HTMLTrackElement.cpp' that is triggered when handling TRACK tag error messages. This may allow a context-dependent attacker to enumerate the existence of local files. (OSVDB 150887)
- A flaw exists in 'media/mtransport/nr_socket_prsock.cpp' that is triggered when a STUN server is used in conjunction with a saturation of webkitRTCPeerConnection objects, which may in turn produce a high volume of STUN packets. This may allow a remote attacker to generate significant UDP traffic, resulting in an amplification denial-of-service attack. When performed by multiple machines, a distributed denial-of-service (DDoS) attack can be carried out very effectively. (OSVDB 150888)

Solution

Upgrade to Firefox version 51 or later.