Mozilla Firefox ESR < 52.2 Multiple Vulnerabilities (macOS)

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

A web browser installed on the remote macOS or Mac OS X host is
affected by multiple vulnerabilities.

Description :

The version of Mozilla Firefox ESR installed on the remote macOS or
Mac OS X host is prior to 52.2. It is, therefore, affected by multiple
vulnerabilities :

- Multiple memory corruption issues exist that allow an
unauthenticated, remote attacker to execute arbitrary
code by convincing a user to visit a specially crafted
website. (CVE-2017-5470)

- A use-after-free error exists in the EndUpdate()
function in nsCSSFrameConstructor.cpp that is triggered
when reconstructing trees during regeneration of CSS
layouts. An unauthenticated, remote attacker can exploit
this, by convincing a user to visit a specially crafted
website, to cause a denial of service condition or the
execution of arbitrary code. (CVE-2017-5472)

- A use-after-free error exists in the Reload() function
in nsDocShell.cpp that is triggered when using an
incorrect URL during the reload of a docshell. An
unauthenticated, remote attacker can exploit this to
cause a denial of service condition or the execution of
arbitrary code. (CVE-2017-7749)

- A use-after-free error exists in the Hide() function in
nsDocumentViewer.cpp that is triggered when handling
track elements. An unauthenticated, remote attacker can
exploit this to cause a denial of service condition or
the execution of arbitrary code. (CVE-2017-7750)

- A use-after-free error exists in the nsDocumentViewer
class in nsDocumentViewer.cpp that is triggered when
handling content viewer listeners. An unauthenticated,
remote attacker can exploit this to cause a denial of
service condition or the execution of arbitrary code.
(CVE-2017-7751)

- A use-after-free error exists that is triggered when
handling events while specific user interaction occurs
with the input method editor (IME). An unauthenticated,
remote attacker can exploit this to cause a denial of
service condition or the execution of arbitrary code.
(CVE-2017-7752)

- An out-of-bounds read error exists in the IsComplete()
function in WebGLTexture.cpp that is triggered when
handling textures. An unauthenticated, remote attacker
can exploit this to disclose memory contents.
(CVE-2017-7754)

- A privilege escalation vulnerability exists due to
improper loading of dynamic-link library (DLL) files. A
local attacker can exploit this, via a specially crafted
DLL file in the installation path, to inject and execute
arbitrary code. (CVE-2017-7755)

- A use-after-free error exists in the SetRequestHead()
function in XMLHttpRequestMainThread.cpp that is
triggered when logging XML HTTP Requests (XHR). An
unauthenticated, remote attacker can exploit this to
cause a denial of service condition or the execution of
arbitrary code. (CVE-2017-7756)

- A use-after-free error exists in ActorsParent.cpp due to
improper handling of objects in memory. An
unauthenticated, remote attacker can exploit this to
cause a denial of service condition or the execution of
arbitrary code. (CVE-2017-7757)

- An out-of-bounds read error exists in the
AppendAudioSegment() function in TrackEncoder.cpp that
is triggered when the number of channels in an audio
stream changes while the Opus encoder is in use. An
unauthenticated, remote attacker can exploit this to
disclose sensitive information. (CVE-2017-7758)

- A flaw exists in the NS_main() function in updater.cpp
due to improper validation of input when handling
callback file path parameters. A local attacker can
exploit this to manipulate files in the installation
directory. (CVE-2017-7760)

- A flaw exists in the Maintenance Service helper.exe
application that is triggered as permissions for a
temporary directory are set to writable by
non-privileged users. A local attacker can exploit this
to delete arbitrary files on the system. (CVE-2017-7761)

- A flaw exists in the ReadCMAP() function in
gfxMacPlatformFontList.mm that is triggered when
handling Tibetan characters in combination with macOS
fonts. An unauthenticated, remote attacker can exploit
this, via a specially crafted IDN domain, to spoof a
valid URL. (CVE-2017-7763)

- A flaw exists in the isLabelSafe() function in
nsIDNService.cpp that is triggered when handling
characters from different Unicode blocks. An
unauthenticated, remote attacker can exploit this, via a
specially crafted IDN domain, to spoof a valid URL and
conduct phishing attacks. (CVE-2017-7764)

- Multiple integer overflow conditions exist in the
Graphite component in the decompress() function in
Decompressor.cpp due to improper validation of
user-supplied input. An unauthenticated, remote attacker
can exploit this to cause a denial of service condition
or the execution of arbitrary code. (CVE-2017-7772,
CVE-2017-7773, CVE-2017-7778)

- An out-of-bounds read error exists in the Graphite
component in the readGraphite() function in Silf.cpp. An
unauthenticated, remote attacker can exploit this to
cause a denial of service condition or disclose memory
contents. (CVE-2017-7774)

- An assertion flaw exists in the Graphite component when
handling zero value sizes. An unauthenticated, remote
attacker can exploit this to cause a denial of service
condition. (CVE-2017-7775)

- An out-of-bounds read error exists in the Graphite
component in the getClassGlyph() function in Silf.cpp due to
improper validation of user-supplied input. An
unauthenticated, remote attacker can exploit this to
cause a denial of service condition. (CVE-2017-7776)

- A flaw exists in the Graphite component in the
read_glyph() function in GlyphCache.cpp related to use
of uninitialized memory. An unauthenticated, remote
attacker can exploit this to have an unspecified impact.
(CVE-2017-7777)

See also :

https://www.mozilla.org/en-US/security/advisories/mfsa2017-16/

Solution :

Upgrade to Mozilla Firefox ESR version 52.2 or later.
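
A local version check against the 52.2 threshold above, as an added example (not Tenable's plugin code). It assumes the version is read from CFBundleShortVersionString in the application bundle's Info.plist; the sample plist is constructed, and the check does not distinguish the ESR channel from the regular release channel.

```python
import plistlib
import re

FIXED = (52, 2)  # first fixed ESR release, taken from the Solution above

# Constructed sample of /Applications/Firefox.app/Contents/Info.plist
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>CFBundleIdentifier</key><string>org.mozilla.firefox</string>
<key>CFBundleShortVersionString</key><string>52.1.2</string>
</dict></plist>"""


def parse_version(text):
    """Turn '52.1.2' or '52.1.2esr' into (52, 1, 2); reject anything else."""
    match = re.fullmatch(r"(\d+(?:\.\d+)*)(?:esr)?", text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable(version_text):
    """True when the version sorts before 52.2, compared numerically.

    Numeric tuples matter: as strings '52.10' < '52.2', which would
    wrongly flag a later release as affected.
    """
    version = parse_version(version_text)
    width = max(len(version), len(FIXED))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(version) < pad(FIXED)


def check_bundle(plist_bytes):
    """Return (version, vulnerable) for a Firefox bundle, else None."""
    info = plistlib.loads(plist_bytes)
    if info.get("CFBundleIdentifier") != "org.mozilla.firefox":
        return None  # some other application
    version = info.get("CFBundleShortVersionString")
    if not isinstance(version, str):
        raise ValueError("Info.plist has no CFBundleShortVersionString")
    return version, is_vulnerable(version)


if __name__ == "__main__":
    print(check_bundle(SAMPLE_PLIST))
```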

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 6.9
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false