101832

1039803

https://bugzilla.mozilla.org/show_bug.cgi?id=1399540

https://www.mozilla.org/security/advisories/mfsa2017-24/

Versions of Mozilla Firefox earlier than 57 are unpatched for the following vulnerabilities :

 - A race condition exists in 'dom/media/systemservices/MediaParent.cpp' that is triggered when getting deviceId keys. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in 'js/src/proxy/DeadObjectProxy.cpp' that is triggered when handling object proxies. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists in 'xpcom/threads/SystemGroup.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An overflow condition exists in the 'nr_transport_addr_fmt_ifname_addr_string()' function in 'media/mtransport/third_party/nICEr/src/net/transport_addr.c' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to cause a stack-based buffer overflow and potentially execute arbitrary code.
 - A flaw exists in the 'nsNodeUtils::CloneAndAdopt()' function in 'dom/base/nsNodeUtils.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'GPUProcessHost::OnChannelClosed()' function in 'gfx/ipc/GPUProcessHost.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists in 'gfx/layers/AtomicRefCountedWithFinalize.h' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'NewReactionRecord()' function in 'js/src/builtin/Promise.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'VerifyCMSDetachedSignatureIncludingCertificate()' function in 'security/manager/ssl/nsDataSignatureVerifier.cpp' that is triggered when handling PKCS#7 signedData content. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'ContainerLayerComposite::mPrepared()' function in 'gfx/layers/composite/ContainerLayerComposite.cpp' that is triggered when handling layers. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'MArgumentsLength::computeRange()' function in 'js/src/jit/RangeAnalysis.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A use-after-free error exists in 'widget/windows/AudioSession.cpp' that is triggered when handling AudioSession objects. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
 - An unspecified flaw exists that is triggered when handling WebGL texture images. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A use-after-free flaw exists in the 'nsDocShell::~nsDocShell()' function in 'docshell/base/nsDocShell.cpp' that is triggered when notifying observers. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
 - A flaw exists in the 'CleanupOSFileConstants()' function in 'dom/system/OSFileConstants.cpp' related to use of uninitialized memory. This may allow a context-dependent attacker to potentially execute arbitrary code.
 - A flaw exists in the 'ApplicationReputationService::~ApplicationReputationService()' function in 'toolkit/components/downloads/ApplicationReputation.cpp' that is triggered as certain pointers are not properly cleared. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'EnumerableOwnProperties()' function in 'js/src/builtin/Object.cpp' that is triggered when rooting objects. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A use-after-free flaw exists in the 'CompositorBridgeChild::RecvDidComposite()' function in 'gfx/layers/ipc/CompositorBridgeChild.cpp' that is triggered when handling texture pools. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
 - A flaw exists in the 'nsViewManager::~nsViewManager()' function in 'view/nsViewManager.cpp' that is triggered as the PresShell object is not properly handled. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'TLSFilterTransaction::Close()' function in 'netwerk/protocol/http/TunnelUtils.cpp' that is triggered as timers are not properly handled when a transaction is canceled. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'EventStateManager::DispatchCrossProcessEvent()' function in 'dom/events/EventStateManager.cpp' that is triggered when handling drag events. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'nsNodeUtils::CloneAndAdopt()' function in 'dom/base/nsNodeUtils.cpp' that is triggered when handling properties of adopted nodes. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A type confusion flaw exists in the 'PropertyReadNeedsTypeBarrier()' function in 'jit/MIR.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A logic flaw exists in the 'IsMarkedBlack()' function in 'js/src/gc/Barrier.cpp' that is triggered during gray marking asserts. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A use-after-free error exists that triggered when flushing and resizing the layout, which may cause the PressShell object to be freed while still in use. This may allow a context-dependent attacker to potentially execute arbitrary code.
 - A flaw exists in the 'HttpBaseChannel::GetPerformance()' function in 'netwerk/protocol/http/HttpBaseChannel.cpp' that is triggered as navigations in cross-origin iframes are revealed. Using the Resource Timing API, a context-dependent attacker to gain access to cross-origin URL information.
 - A flaw exists that is triggered as the security wrapper fails to deny access to certain exposed properties using the deprecated exposedProps mechanism on proxy objects. This may allow a context-dependent attacker to gain access to potentially sensitive information.
 - A flaw exists in the 'nsIDNService::isLabelSafe()' function in 'netwerk/dns/nsIDNService.cpp' that is triggered during the handling of the combined, single character, version of the letter 'i' with any of the potential accents in unicode, such as acute or grave. This combinations do not display properly in punycode. With a specially crafted domain including a dotless version of  'i', a context-dependent attacker can spoof a domain.
 - A flaw exists in the 'nsIDNService::isLabelSafe()' function in 'netwerk/dns/nsIDNService.cpp' that is triggered during the handling of Arabic and Indic vowel marker characters that are combined with Latin characters in a domain name, which can cause the non-latin characters to be eclipsed in the address bar. This may allow a context-dependent attacker to spoof a domain.
 - A flaw exists that is triggered as data: URLs loaded into new tabs do not properly inherit the Content Security Policy (CSP) of the original page. This may allow a context-dependent attacker to bypass protection mechanisms.
 - A flaw exists in the 'nsMixedContentBlocker::AsyncOnChannelRedirect()' function in 'dom/security/nsMixedContentBlocker.cpp' that is triggered as mixed content blocking was not properly applied to resources when being redirected from an HTTPS environment to an HTTP environment. This may allow a context-dependent attacker to bypass restricts and load blocked content on pages.
 - A flaw exists in the 'CurlWrapper::Init()' function in 'toolkit/components/telemetry/pingsender/pingsender_unix_common.cpp' that is triggered as it fails to validate the libcurl library before loading it. This may allow a local attacker to replace libcurl files and gain elevated privileges.
 - A flaw exists in the 'nsContentSink::ProcessMETATag()' function in 'dom/base/nsContentSink.cpp' that is triggered during the handling of <meta> tags in SVG passed via <img> tags. This may allow a context-dependent attacker to set cookies for a page.
 - A flaw exists in 'netwerk/dns/nsIDNService.cpp' that is triggered as Punycode format text is not properly displayed in international domain names when triggered by a sub-domain. This may allow a context-dependent attacker to conduct a limited spoofing attack.
 - A flaw exists in the 'stripUnsafeProtocolOnPaste()' function in 'base/content/browser.js' that is triggered during the handling of control characters before javascript: URLs. This may allow a context-dependent attacker to bypass self-XSS protection mechanisms.
 - A flaw exists in the '_writeItem()' function in 'toolkit/components/places/BookmarkHTMLUtils.jsm' that allows a cross-site scripting (self-XSS) attack. This flaw exists exists because the program does not validate input to exported bookmarks before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in their own browser.
 - A flaw exists that is triggered as the referrer policy is not always honored when handling <link> elements. This may allow a context-dependent attacker to bypass the referrer policy.
 - A flaw exists in the 'PerDocumentStyleDataImpl::visited_styles_enabled()' function in 'servo/components/style/gecko/data.rs'. The issue is triggered when handling the CSS ':visited' selector for a document being used as an SVG image. With a specially crafted web page, a context-dependent attacker disclose visited history information.
 - A flaw exists in the 'FactoryOp::CheckPermission()' function in 'dom/indexedDB/ActorsParent.cpp' that is triggered as a web worker in Private Browsing mode can write to IndexedDB. With a specially crafted web page, a context-dependent attacker can uniquely fingerprint a user even when browsing in Private Browsing mode.
 - An overflow condition exists that is triggered as certain input is not properly validated when drawing and validating elements using Direct 3D 9 with the ANGLE graphics library. This may allow a context-dependent attacker to cause a buffer overflow and potentially execute arbitrary code.
 - A flaw exists related to speculative execution, which is used as a performance feature to speed up operations. This optimization can result in memory being cached during conditional branches handling out-of-bounds checks. Using a vulnerable code pattern, or a JIT engine or interpreter to generate such a pattern, an attacker can perform a Flush+Reload or Evict+Reload side-channel attack on the cache and disclose parts of the privileged kernel memory.
 - A flaw exists in the fundamental design related to out-of-order process execution, which is used as a performance feature to speed up operations. This optimization can result in memory being cached before exceptions are raised for restricted memory access. Using transient instructions in combination with a Flush+Reload side-channel attack a local attacker can disclose parts of the privileged kernel memory.
 - A flaw exists related to speculative execution, which is used as a performance feature to speed up operations. This optimization can result in memory being cached during indirect branch prediction. This may allow a local attacker to train the Branch Target Buffer (BTB) to trigger a false prediction to a specially crafted memory location, causing a speculative execution of a crafted gadget and the caching of arbitrary memory. Using a side-channel attack on the cache the attacker can disclose parts of the privileged kernel memory.

USN-3477-1 fixed vulnerabilities in Firefox. The update introduced a crash reporting issue where background tab crash reports were sent to Mozilla without user opt-in. This update fixes the problem.

We apologize for the inconvenience.

Multiple security issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, read uninitialized memory, obtain sensitive information, bypass same-origin restrictions, bypass CSP protections, bypass mixed content blocking, spoof the addressbar, or execute arbitrary code. (CVE-2017-7826, CVE-2017-7827, CVE-2017-7828, CVE-2017-7830, CVE-2017-7831, CVE-2017-7832, CVE-2017-7833, CVE-2017-7834, CVE-2017-7835, CVE-2017-7837, CVE-2017-7838, CVE-2017-7842)

It was discovered that javascript: URLs pasted in to the addressbar would be executed instead of being blocked in some circumstances. If a user were tricked in to copying a specially crafted URL in to the addressbar, an attacker could potentially exploit this to conduct cross-site scripting (XSS) attacks. (CVE-2017-7839)

It was discovered that exported bookmarks do not strip script elements from user-supplied tags. If a user were tricked in to adding specially crafted tags to bookmarks, exporting them and then opening the resulting HTML file, an attacker could potentially exploit this to conduct cross-site scripting (XSS) attacks. (CVE-2017-7840).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-3477-1 fixed vulnerabilities in Firefox. The update introduced various minor regressions. This update fixes the problems.

We apologize for the inconvenience.

Multiple security issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, read uninitialized memory, obtain sensitive information, bypass same-origin restrictions, bypass CSP protections, bypass mixed content blocking, spoof the addressbar, or execute arbitrary code. (CVE-2017-7826, CVE-2017-7827, CVE-2017-7828, CVE-2017-7830, CVE-2017-7831, CVE-2017-7832, CVE-2017-7833, CVE-2017-7834, CVE-2017-7835, CVE-2017-7837, CVE-2017-7838, CVE-2017-7842)

It was discovered that javascript: URLs pasted in to the addressbar would be executed instead of being blocked in some circumstances. If a user were tricked in to copying a specially crafted URL in to the addressbar, an attacker could potentially exploit this to conduct cross-site scripting (XSS) attacks. (CVE-2017-7839)

It was discovered that exported bookmarks do not strip script elements from user-supplied tags. If a user were tricked in to adding specially crafted tags to bookmarks, exporting them and then opening the resulting HTML file, an attacker could potentially exploit this to conduct cross-site scripting (XSS) attacks. (CVE-2017-7840).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-3477-1 fixed vulnerabilities in Firefox. The update caused search suggestions to not be displayed when performing Google searches from the search bar. This update fixes the problem.

We apologize for the inconvenience.

Multiple security issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, read uninitialized memory, obtain sensitive information, bypass same-origin restrictions, bypass CSP protections, bypass mixed content blocking, spoof the addressbar, or execute arbitrary code. (CVE-2017-7826, CVE-2017-7827, CVE-2017-7828, CVE-2017-7830, CVE-2017-7831, CVE-2017-7832, CVE-2017-7833, CVE-2017-7834, CVE-2017-7835, CVE-2017-7837, CVE-2017-7838, CVE-2017-7842)

It was discovered that javascript: URLs pasted in to the addressbar would be executed instead of being blocked in some circumstances. If a user were tricked in to copying a specially crafted URL in to the addressbar, an attacker could potentially exploit this to conduct cross-site scripting (XSS) attacks. (CVE-2017-7839)

It was discovered that exported bookmarks do not strip script elements from user-supplied tags. If a user were tricked in to adding specially crafted tags to bookmarks, exporting them and then opening the resulting HTML file, an attacker could potentially exploit this to conduct cross-site scripting (XSS) attacks. (CVE-2017-7840).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple security issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, read uninitialized memory, obtain sensitive information, bypass same-origin restrictions, bypass CSP protections, bypass mixed content blocking, spoof the addressbar, or execute arbitrary code. (CVE-2017-7826, CVE-2017-7827, CVE-2017-7828, CVE-2017-7830, CVE-2017-7831, CVE-2017-7832, CVE-2017-7833, CVE-2017-7834, CVE-2017-7835, CVE-2017-7837, CVE-2017-7838, CVE-2017-7842)

It was discovered that javascript: URLs pasted in to the addressbar would be executed instead of being blocked in some circumstances. If a user were tricked in to copying a specially crafted URL in to the addressbar, an attacker could potentially exploit this to conduct cross-site scripting (XSS) attacks. (CVE-2017-7839)

It was discovered that exported bookmarks do not strip script elements from user-supplied tags. If a user were tricked in to adding specially crafted tags to bookmarks, exporting them and then opening the resulting HTML file, an attacker could potentially exploit this to conduct cross-site scripting (XSS) attacks. (CVE-2017-7840).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of Mozilla Firefox installed on the remote Windows host is prior to 57. It is, therefore, affected by multiple vulnerabilities, some of which allow code execution and potentially exploitable crashes.

The version of Mozilla Firefox ESR installed on the remote Windows host is prior to 52.5. It is, therefore, affected by multiple vulnerabilities, some of which allow code execution and potentially exploitable crashes.

The version of Mozilla Firefox installed on the remote macOS or Mac OS X host is prior to 57. It is, therefore, affected by multiple vulnerabilities, some of which allow code execution and potentially exploitable application crashes.

The version of Mozilla Firefox ESR installed on the remote macOS or Mac OS X host is prior to 52.5. It is, therefore, affected by multiple vulnerabilities, some of which allow code execution and potentially exploitable crashes.

Mozilla Foundation reports :

CVE-2017-7828: Use-after-free of PressShell while restyling layout

CVE-2017-7830: Cross-origin URL information leak through Resource Timing API

CVE-2017-7831: Information disclosure of exposed properties on JavaScript proxy objects

CVE-2017-7832: Domain spoofing through use of dotless 'i' character followed by accent markers

CVE-2017-7833: Domain spoofing with Arabic and Indic vowel marker characters

CVE-2017-7834: data: URLs opened in new tabs bypass CSP protections

CVE-2017-7835: Mixed content blocking incorrectly applies with redirects

CVE-2017-7836: Pingsender dynamically loads libcurl on Linux and OS X

CVE-2017-7837: SVG loaded as <img> can use meta tags to set cookies

CVE-2017-7838: Failure of individual decoding of labels in international domain names triggers punycode display of entire IDN

CVE-2017-7839: Control characters before javascript: URLs defeats self-XSS prevention mechanism

CVE-2017-7840: Exported bookmarks do not strip script elements from user-supplied tags

CVE-2017-7842: Referrer Policy is not always respected for <link> elements

CVE-2017-7827: Memory safety bugs fixed in Firefox 57

CVE-2017-7826: Memory safety bugs fixed in Firefox 57 and Firefox ESR 52.5

ID	Name	Product	Family	Severity
700322	Mozilla Firefox < 57 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	critical
105542	Ubuntu 14.04 LTS / 16.04 LTS / 17.04 / 17.10 : firefox regression (USN-3477-4)	Nessus	Ubuntu Local Security Checks	critical
104994	Ubuntu 14.04 LTS / 16.04 LTS / 17.04 / 17.10 : firefox regressions (USN-3477-3)	Nessus	Ubuntu Local Security Checks	critical
104807	Ubuntu 14.04 LTS / 16.04 LTS / 17.04 / 17.10 : firefox regression (USN-3477-2)	Nessus	Ubuntu Local Security Checks	critical
104652	Ubuntu 14.04 LTS / 16.04 LTS / 17.04 / 17.10 : firefox vulnerabilities (USN-3477-1)	Nessus	Ubuntu Local Security Checks	critical
104638	Mozilla Firefox < 57 Multiple Vulnerabilities	Nessus	Windows	high
104637	Mozilla Firefox ESR < 52.5 Multiple Vulnerabilities	Nessus	Windows	high
104636	Mozilla Firefox < 57 Multiple Vulnerabilities (macOS)	Nessus	MacOS X Local Security Checks	high
104635	Mozilla Firefox ESR < 52.5 Multiple Vulnerabilities (macOS)	Nessus	MacOS X Local Security Checks	high
104564	FreeBSD : mozilla -- multiple vulnerabilities (f78eac48-c3d1-4666-8de5-63ceea25a578)	Nessus	FreeBSD Local Security Checks	critical

CVE-2017-7838

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins