100373

1039124

https://bugzilla.mozilla.org/show_bug.cgi?id=1367531

https://www.mozilla.org/security/advisories/mfsa2017-18/

Versions of Mozilla Firefox prior to 55 are unpatched for the following vulnerabilities :

 - A flaw exists that is triggered as the HTTP Strict-Transport-Security (HSTS) header is ignored when processing a response containing multiple HSTS headers. This may allow an attacker with the ability to intercept network traffic (e.g. MitM, DNS cache poisoning) to bypass HSTS protection and downgrade the HTTP communication.
 - A flaw exists in the 'Key::EncodeAsString()' function in 'dom/indexedDB/Key.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'SelectionManager::SetControlSelectionListener()' and 'SelectionManager::ClearControlSelectionListener()' functions in 'accessible/base/SelectionManager.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. No further details have been provided by the vendor.
 - A flaw exists in the 'DocAccessible::MoveChild()' function in 'accessible/generic/DocAccessible.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A use-after-free error exists in 'xpcom/threads/MozPromise.h' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
 - A use-after-free error exists that is triggered when handling edit transactions. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
 - A flaw exists related to the Android UI thread. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'CanonicalizeLanguageTag()' function in 'js/src/builtin/Intl.js' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists that is triggered as certain input is not properly validated when handling freezing of dense elements. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'Module::instantiate()' function in 'js/src/wasm/WasmModule.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'Accessible::RemoveChild()' function in 'accessible/generic/Accessible.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'IonBuilder::build()' and 'IonBuilder::buildInline()' functions in 'js/src/jit/IonBuilder.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'nsContentUtils::ConvertStringFromEncoding()' function in 'dom/base/nsContentUtils.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'jit::JitActivation::getRematerializedFrame()' function in 'js/src/vm/Stack.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A use-after-free error exists in the 'nsMIMEHeaderParamImpl::DecodeRFC5987Param()' function in 'netwerk/mime/nsMIMEHeaderParamImpl.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
 - A flaw exists in the 'nsWindow::SetParent()' function in 'widget/windows/nsWindow.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A race condition exists in 'media/webrtc/trunk/webrtc/modules/desktop_capture/screen_capturer_mac.mm' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists related to missing thread safety that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'NotifyTrackRemoved()' function in 'dom/media/MediaRecorder.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'InitGlobalLexicalOperation()' function in 'js/src/vm/Interpreter-inl.h' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'js::FinishCompilation()' function in 'js/src/vm/TypeInference.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'TypedArrayObjectTemplate::makeTemplateObject()' function in 'js/src/vm/TypedArrayObject.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'DocAccessible::DoARIAOwnsRelocation()' function in 'accessible/generic/DocAccessible.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'nsFTPDirListingConv::DigestBufferLines()' function in 'netwerk/streamconv/converters/nsFTPDirListingConv.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'TraceSelf()' function in 'dom/bindings/TypedArray.h' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'WebSocket::Send()' function in 'dom/base/WebSocket.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'ExpressionDecompiler::decompilePC()' function in 'js/src/jsopcode.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'IonBuilder::addOsrValueTypeBarrier()' function in 'js/src/jit/IonBuilder.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists related to response header name interning not having same-origin protections. This may allow a context-dependent attacker to disclose stored header names.
 - A flaw exists in the Developer Tools feature that is triggered as web page source code is not properly validated. This may allow a context-dependent attacker to inject and execute arbitrary XUL code.
 - A use-after-free error exists in the 'WebSocketImpl::Disconnect()' function in 'dom/base/WebSocket.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code.
 - A use-after-free error exists that is triggered when re-computing the layout for marquee elements during window resizing. With a specially crafted web page, a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code.
 - A use-after-free error exists that is triggered when deleting attached editor DOM nodes. With a specially crafted web page, a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code.
 - A use-after-free error exists in the 'nsImageLoadingContent::Notify()' function in 'dom/base/nsImageLoadingContent.cpp' that is triggered when reading image observers during frame reconstruction. With a specially crafted web page, a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code.
 - A use-after-free error exists that is triggered when resizing image elements. With a specially crafted web page, a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code.
 - An overflow condition exists that is triggered as certain input is not properly validated when manipulation Accessible Rich Internet Applications (ARIA) attributes. This may allow a context-dependent attacker to cause a buffer overflow and potentially execute arbitrary code.
 - An overflow condition exists that is triggered as certain input is not properly validated when painting non-displayable SVG elements. This may allow a context-dependent attacker to cause a buffer overflow and potentially execute arbitrary code.
 - A use-after-free error exists that is triggered when handling the layer manager while rendering SVG content. This may allow a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code.
 - An out-of-bounds read flaw exists that is triggered when handling cached style data and pseudo-elements. This may allow a context-dependent attacker to potentially disclose sensitive memory contents.
 - A flaw exists in the 'nsDocShell::OnNewURI()' function in 'docshell/base/nsDocShell.cpp' that is triggered when handling pages with embedded iframes during page reloads. With a specially crafted web page, a context-dependent attacker can bypass the same-origin policy.
 - A flaw exists in the AppCache feature related to handling of websites under a subdirectory adding fallback pages. With a specially crafted website, a context-dependent attacker can hijack a domain.
 - A flaw exists in the 'openTabPrompt()' and 'openRemotePrompt()' functions in 'toolkit/components/prompts/src/nsPrompter.js' that is triggered when handling page navigations with data: protocols and modal alerts. This may allow a context-dependent attacker to conduct spoofing attacks.
 - A flaw exists in 'xpcom/build/nsWindowsDllInterceptor.h' that is triggered as WindowsDllDetourPatcher may allocate memory with RWX permissions. This may allow a context-dependent attacker to bypass intended DEP protection and more easily exploit another vulnerability that allows code execution.
 - A flaw exists in the 'AllowOpen()' function in 'security/sandbox/linux/broker/SandboxBroker.cpp'. This may allow a context-dependent attacker to bypass the sandbox restrictions and truncate files on the system.
 - A flaw exists in the elliptic curve point addition algorithm that is triggered when using mixed Jacobian-affine coordinates. This may allow an attacker with the ability to intercept network traffic '(e.g'. MitM, DNS cache poisoning) to interfere with a connection and cause the calculation of an incorrect shared secret.
 - A flaw exists that is triggered when handling frame-ancestors directives containing origins with paths. This may allow a context-dependent attacker to bypass the content security policy (CSP).
 - A sandbox directive. This may result in other directives being ignored and incorrect enforcement of the content security policy (CSP).
 - A flaw exists in the 'ExecuteServiceCommand()' function in 'toolkit/components/maintenanceservice/workmonitor.cpp' that is triggered when handling patch directory paths. Combined with another local vulnerability this may allow an attacker to have the Windows updater delete any file named 'update.log'.
 - A flaw exists in 'toolkit/content/aboutwebrtc/aboutWebrtc.js' that is triggered as certain input to about:webrtc is not properly validated. This may allow an attacker to create a specially crafted request that executes arbitrary script code in a user's browser session within the trust relationship between their browser and the server or inject XUL code.
 - A flaw exists in the 'nsHttpChannelAuthProvider::ConfirmAuth()' function in 'netwerk/protocol/http/nsHttpChannelAuthProvider.cpp' that is triggered when handling long usernames in URLs. This may allow a context-dependent attacker to cause a denial of service.
 - A flaw exists in 'toolkit/crashreporter/client/crashreporter_win.cpp' that is triggered as the Windows crash reporter may read extra memory for certain non-null-terminated registry values. This may allow an attacker to disclose potentially sensitive memory contents.
 - A flaw exists in 'xpcom/build/nsWindowsDllInterceptor.h' that is triggered as the WindowsDllDetourPatcher class destructor may be re-purposed by malicious code. This may allow a context-dependent attacker to bypass memory protections.
 - A flaw exists that is triggered as sandboxed about:srcdoc iframes do not inherit content security policy (CSP) directives. This may allow a context-dependent attacker to bypass the content security policy (CSP).
 - An overflow condition exists in 'security/manager/ssl/nsNSSCertHelper.cpp' that is triggered when viewing certificates with overly long OIDs. This may allow a context-dependent attacker to cause a buffer overflow and potentially execute arbitrary code.

USN-3391-1 fixed vulnerabilities in Firefox. The update introduced a performance regression with WebExtensions. This update fixes the problem.

We apologize for the inconvenience.

Multiple security issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to conduct cross-site scripting (XSS) attacks, bypass sandbox restrictions, obtain sensitive information, spoof the origin of modal alerts, bypass same origin restrictions, read uninitialized memory, cause a denial of service via program crash or hang, or execute arbitrary code. (CVE-2017-7753, CVE-2017-7779, CVE-2017-7780, CVE-2017-7781, CVE-2017-7783, CVE-2017-7784, CVE-2017-7785, CVE-2017-7786, CVE-2017-7787, CVE-2017-7788, CVE-2017-7789, CVE-2017-7791, CVE-2017-7792, CVE-2017-7794, CVE-2017-7797, CVE-2017-7798, CVE-2017-7799, CVE-2017-7800, CVE-2017-7801, CVE-2017-7802, CVE-2017-7803, CVE-2017-7806, CVE-2017-7807, CVE-2017-7808, CVE-2017-7809).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-3391-1 fixed vulnerabilities in Firefox. This update provides the corresponding update for Ubufox.

Multiple security issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to conduct cross-site scripting (XSS) attacks, bypass sandbox restrictions, obtain sensitive information, spoof the origin of modal alerts, bypass same origin restrictions, read uninitialized memory, cause a denial of service via program crash or hang, or execute arbitrary code. (CVE-2017-7753, CVE-2017-7779, CVE-2017-7780, CVE-2017-7781, CVE-2017-7783, CVE-2017-7784, CVE-2017-7785, CVE-2017-7786, CVE-2017-7787, CVE-2017-7788, CVE-2017-7789, CVE-2017-7791, CVE-2017-7792, CVE-2017-7794, CVE-2017-7797, CVE-2017-7798, CVE-2017-7799, CVE-2017-7800, CVE-2017-7801, CVE-2017-7802, CVE-2017-7803, CVE-2017-7806, CVE-2017-7807, CVE-2017-7808, CVE-2017-7809).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple security issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to conduct cross-site scripting (XSS) attacks, bypass sandbox restrictions, obtain sensitive information, spoof the origin of modal alerts, bypass same origin restrictions, read uninitialized memory, cause a denial of service via program crash or hang, or execute arbitrary code. (CVE-2017-7753, CVE-2017-7779, CVE-2017-7780, CVE-2017-7781, CVE-2017-7783, CVE-2017-7784, CVE-2017-7785, CVE-2017-7786, CVE-2017-7787, CVE-2017-7788, CVE-2017-7789, CVE-2017-7791, CVE-2017-7792, CVE-2017-7794, CVE-2017-7797, CVE-2017-7798, CVE-2017-7799, CVE-2017-7800, CVE-2017-7801, CVE-2017-7802, CVE-2017-7803, CVE-2017-7806, CVE-2017-7807, CVE-2017-7808, CVE-2017-7809).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of Mozilla Firefox installed on the remote Windows host is prior to 55. It is, therefore, affected by multiple vulnerabilities, some of which allow code execution and potentially exploitable crashes.

The version of Mozilla Firefox installed on the remote macOS or Mac OS X host is prior to 55. It is, therefore, affected by multiple vulnerabilities, some of which allow code execution and potentially exploitable application crashes.

Mozilla Foundation reports :

Please reference CVE/URL list for details

ID	Name	Product	Family	Severity
700182	Mozilla Firefox < 55 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	high
102580	Ubuntu 14.04 LTS / 16.04 LTS / 17.04 : firefox regression (USN-3391-3)	Nessus	Ubuntu Local Security Checks	critical
102543	Ubuntu 14.04 LTS / 16.04 LTS / 17.04 : ubufox update (USN-3391-2)	Nessus	Ubuntu Local Security Checks	critical
102523	Ubuntu 14.04 LTS / 16.04 LTS / 17.04 : firefox vulnerabilities (USN-3391-1)	Nessus	Ubuntu Local Security Checks	critical
102359	Mozilla Firefox < 55 Multiple Vulnerabilities	Nessus	Windows	high
102357	Mozilla Firefox < 55 Multiple Vulnerabilities (macOS)	Nessus	MacOS X Local Security Checks	high
102278	FreeBSD : mozilla -- multiple vulnerabilities (555b244e-6b20-4546-851f-d8eb7d6c1ffa)	Nessus	FreeBSD Local Security Checks	critical

CVE-2017-7808

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins