96692

1037966

https://bugzilla.mozilla.org/show_bug.cgi?id=1325511

https://www.mozilla.org/security/advisories/mfsa2017-05/

https://www.mozilla.org/security/advisories/mfsa2017-09/

The version of Mozilla Firefox installed on the remote Windows host is prior to 52.0. It is, therefore, affected by multiple vulnerabilities :

  - Mozilla developers and community members Boris Zbarsky,     Christian Holler, Honza Bambas, Jon Coppeard, Randell     Jesup, Andre Bargull, Kan-Ru Chen, and Nathan Froyd     reported memory safety bugs present in Firefox 51 and     Firefox ESR 45.7. Some of these bugs showed evidence of     memory corruption and we presume that with enough     effort that some of these could be exploited to run     arbitrary code. (CVE-2017-5398)

  - Mozilla developers and community members Carsten Book,     Calixte Denizet, Christian Holler, Andrew McCreight,     David Bolter, David Keeler, Jon Coppeard, Tyson Smith,     Ronald Crane, Tooru Fujisawa, Ben Kelly, Bob Owen, Jed     Davis, Julian Seward, Julian Hector, Philipp, Markus     Stange, and Andre Bargull reported memory safety bugs     present in Firefox 51. Some of these bugs showed     evidence of memory corruption and we presume that with     enough effort that some of these could be exploited to     run arbitrary code. (CVE-2017-5399)

  - JIT-spray targeting asm.js combined with a heap spray     allows for a bypass of ASLR and DEP protections leading     to potential memory corruption attacks. (CVE-2017-5400)

  - A crash triggerable by web content in which an     ErrorResult references unassigned memory due to a logic     error. The resulting crash may be exploitable.
    (CVE-2017-5401)

  - A use-after-free can occur when events are fired for a     FontFace object after the object has been already been     destroyed while working with fonts. This results in a     potentially exploitable crash. (CVE-2017-5402)

  - When adding a range to an object in the DOM, it is     possible to use addRange to add the range to an     incorrect root object. This triggers a use-after-free,     resulting in a potentially exploitable crash.
    (CVE-2017-5403)

  - A use-after-free error can occur when manipulating     ranges in selections with one node inside a native     anonymous tree and one node outside of it. This results     in a potentially exploitable crash. (CVE-2017-5404)

  - Certain response codes in FTP connections can result in     the use of uninitialized values for ports in FTP     operations. (CVE-2017-5405)

  - A segmentation fault can occur in the Skia graphics     library during some canvas operations due to issues     with mask/clip intersection and empty masks.
    (CVE-2017-5406)

  - Using SVG filters that don't use the fixed point math     implementation on a target iframe, a malicious page can     extract pixel values from a targeted user. This can be     used to extract history information and read text     values across domains. This violates same-origin policy     and leads to information disclosure. (CVE-2017-5407)

  - Video files loaded video captions cross-origin without     checking for the presence of CORS headers permitting     such cross-origin use, leading to potential information     disclosure for video captions. (CVE-2017-5408)

  - The Mozilla Windows updater can be called by a     non-privileged user to delete an arbitrary local file     by passing a special path to the callback parameter     through the Mozilla Maintenance Service, which has     privileged access. Note: This attack requires local     system access and only affects Windows. Other operating     systems are not affected. (CVE-2017-5409)

  - Memory corruption resulting in a potentially     exploitable crash during garbage collection of     JavaScript due errors in how incremental sweeping is     managed for memory cleanup. (CVE-2017-5410)

  - A use-after-free can occur during buffer storage     operations within the ANGLE graphics library, used for     WebGL content. The buffer storage can be freed while     still in use in some circumstances, leading to a     potentially exploitable crash. Note: This issue is in     libGLES, which is only in use on Windows. Other     operating systems are not affected. (CVE-2017-5411)

  - A buffer overflow read during SVG filter color value     operations, resulting in data exposure. (CVE-2017-5412)

  - A segmentation fault can occur during some     bidirectional layout operations. (CVE-2017-5413)

  - The file picker dialog can choose and display the wrong     local default directory when instantiated. On some     operating systems, this can lead to information     disclosure, such as the operating system or the local     account name. (CVE-2017-5414)

  - An attack can use a blob URL and script to spoof an     arbitrary addressbar URL prefaced by blob: as the     protocol, leading to user confusion and further     spoofing attacks. (CVE-2017-5415)

  - In certain circumstances a networking event listener     can be prematurely released. This appears to result in     a null dereference in practice. (CVE-2017-5416)

  - When dragging content from the primary browser pane to     the addressbar on a malicious site, it is possible to     change the addressbar so that the displayed location     following navigation does not match the URL of the     newly loaded page. This allows for spoofing attacks.
    (CVE-2017-5417)

  - An out of bounds read error occurs when parsing some     HTTP digest authorization responses, resulting in     information leakage through the reading of random     memory containing matches to specifically set patterns.
    (CVE-2017-5418)

  - If a malicious site repeatedly triggers a modal     authentication prompt, eventually the browser UI will     become non-responsive, requiring shutdown through the     operating system. This is a denial of service (DOS)     attack. (CVE-2017-5419)

  - A javascript: url loaded by a malicious page can     obfuscate its location by blanking the URL displayed in     the addressbar, allowing for an attacker to spoof an     existing page without the malicious page's address     being displayed correctly. (CVE-2017-5420)

  - A malicious site could spoof the contents of the print     preview window if popup windows are enabled, resulting     in user confusion of what site is currently loaded.
    (CVE-2017-5421)

  - If a malicious site uses the view-source: protocol in a     series within a single hyperlink, it can trigger a     non-exploitable browser crash when the hyperlink is     selected. This was fixed by no longer making     view-source: linkable. (CVE-2017-5422)

  - A non-existent chrome.manifest file will attempt to be     loaded during startup from the primary installation     directory. If a malicious user with local access puts     chrome.manifest and other referenced files in this     directory, they will be loaded and activated during     startup. This could result in malicious software being     added without consent or modification of referenced     installed files. (CVE-2017-5427)

Note that Tenable Network Security has extracted the preceding description block directly from the Mozilla security advisories.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Mozilla Foundation reports :

Please reference CVE/URL list for details

ID	Name	Product	Family	Severity
97639	Mozilla Firefox < 52.0 Multiple Vulnerabilities	Nessus	Windows	critical
97592	FreeBSD : mozilla -- multiple vulnerabilities (96eca031-1313-4daf-9be2-9d6e1c4f1eb5)	Nessus	FreeBSD Local Security Checks	critical

CVE-2017-5411

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins