Firefox ESR 31.x < 31.2 Multiple Vulnerabilities (Mac OS X)

This script is Copyright (C) 2014-2016 Tenable Network Security, Inc.


Synopsis :

The remote Mac OS X host contains a web browser that is affected by
multiple vulnerabilities.

Description :

The version of Firefox ESR 31.x installed on the remote Mac OS X host
is prior to 31.2. It is, therefore, affected by the following
vulnerabilities :

- Multiple memory safety flaws exist within the browser
engine. Exploiting these, an attacker can cause a denial
of service or execute arbitrary code. (CVE-2014-1574,
CVE-2014-1575)

- A buffer overflow vulnerability exists when
capitalization style changes occur during CSS parsing.
(CVE-2014-1576)

- An out-of-bounds read error exists in the Web Audio
component when invalid values are used in custom
waveforms that leads to a denial of service or
information disclosure. (CVE-2014-1577)

- An out-of-bounds write error exists when processing
invalid tile sizes in 'WebM' format videos that result
in arbitrary code execution. (CVE-2014-1578)

- A use-after-free error exists in the
'DirectionalityUtils' component when text direction is
used in the text layout that results in arbitrary
code execution. (CVE-2014-1581)

- An error exists that could allow a malicious app to use
'AlarmAPI' to read cross-origin references and possibly
allow for the same-origin policy to be bypassed.
(CVE-2014-1583)

- Multiple issues exist in WebRTC when the session is
running within an 'iframe' element that will allow the
session to be accessible even when sharing is stopped
and when returning to the website. This could lead to
video inadvertently being shared. (CVE-2014-1585,
CVE-2014-1586)

See also :

https://www.mozilla.org/security/announce/2014/mfsa2014-74.html
https://www.mozilla.org/security/announce/2014/mfsa2014-75.html
https://www.mozilla.org/security/announce/2014/mfsa2014-76.html
https://www.mozilla.org/security/announce/2014/mfsa2014-77.html
https://www.mozilla.org/security/announce/2014/mfsa2014-79.html
https://www.mozilla.org/security/announce/2014/mfsa2014-81.html
https://www.mozilla.org/security/announce/2014/mfsa2014-82.html

Solution :

Upgrade to Firefox ESR 31.2 or later.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 6.9
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now