Firefox ESR 45.x < 45.3 Multiple Vulnerabilities (Mac OS X)

This script is Copyright (C) 2016 Tenable Network Security, Inc.


Synopsis :

The remote Mac OS X host contains a web browser that is affected by
multiple vulnerabilities.

Description :

The version of Firefox ESR installed on the remote Mac OS X host is
45.x prior to 45.3. It is, therefore, affected by multiple
vulnerabilities :

- An information disclosure vulnerability exists because
network connections opened to request favicons are not
closed. An attacker can exploit this to continue sending
requests to the user's browser and disclose sensitive
information. (CVE-2016-2830)

- Multiple memory corruption issues exist due to improper
validation of user-supplied input. An attacker can
exploit these issues to cause a denial of service
condition or the execution of arbitrary code.
(CVE-2016-2835, CVE-2016-2836)

- An overflow condition exists in the ClearKey Content
Decryption Module (CDM) used by the Encrypted Media
Extensions (EME) API due to improper validation of
user-supplied input. An attacker can exploit this to
cause a buffer overflow, resulting in a denial of
service condition or the execution of arbitrary code.
(CVE-2016-2837)

- An overflow condition exists in the ProcessPDI()
function in layout/base/nsBidi.cpp due to improper
validation of user-supplied input. An attacker can
exploit this to cause a heap-based buffer overflow,
resulting in a denial of service condition or the
execution of arbitrary code. (CVE-2016-2838)

- An underflow condition exists in the BasePoint4d()
function in gfx/2d/Matrix.h due to improper validation
of user-supplied input when calculating clipping regions
in 2D graphics. A remote attacker can exploit this to
cause a stack-based buffer underflow, resulting in a
denial of service condition or the execution of
arbitrary code. (CVE-2016-5252)

- A use-after-free error exists in the KeyDown() function
in layout/xul/nsXULPopupManager.cpp when using the alt
key in conjunction with top level menu items. An
attacker can exploit this to dereference already freed
memory, resulting in a denial of service condition or
the execution of arbitrary code. (CVE-2016-5254)

- A use-after-free error exists in WebRTC that is
triggered when handling DTLS objects. An attacker can
exploit this to dereference already freed memory,
resulting in a denial of service condition or the
execution of arbitrary code. (CVE-2016-5258)

- A use-after-free error exists in the DestroySyncLoop()
function in dom/workers/WorkerPrivate.cpp that is
triggered when handling nested sync event loops in
Service Workers. An attacker can exploit this to
dereference already freed memory, resulting in a denial
of service condition or the execution of arbitrary code.
(CVE-2016-5259)

- A security bypass vulnerability exists due to event
handler attributes on a <marquee> tag being executed
inside a sandboxed iframe that does not have the
allow-scripts flag set. An attacker can exploit this to
bypass cross-site scripting protection mechanisms.
(CVE-2016-5262)

- A type confusion flaw exists in the HitTest() function
in nsDisplayList.cpp when handling display
transformations. An attacker can exploit this to execute
arbitrary code. (CVE-2016-5263)

- A use-after-free error exists in the
NativeAnonymousChildListChange() function when applying
effects to SVG elements. An attacker can exploit this to
dereference already freed memory, resulting in a denial
of service condition or the execution of arbitrary code.
(CVE-2016-5264)

- A flaw exists in the Redirect() function in
nsBaseChannel.cpp that is triggered when a malicious
shortcut is called from the same directory as a local
HTML file. An attacker can exploit this to bypass the
same-origin policy. (CVE-2016-5265)

See also :

https://www.mozilla.org/en-US/security/advisories/mfsa2016-62/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-63/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-64/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-67/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-68/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-70/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-72/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-73/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-76/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-77/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-78/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-79/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-80/

Solution :

Upgrade to Firefox ESR version 45.3 or later.
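The version test this plugin performs, written out as an added example in Python (this is not Tenable's plugin code): read CFBundleShortVersionString from the Firefox.app bundle's Info.plist and flag builds on the 45.x branch that are below 45.3. The embedded plist is a constructed sample, the version tuple (45, 3) comes from the advisory text above, and the path /Applications/Firefox.app/Contents/Info.plist is the default install location, used only when the script is run directly.

```python
import plistlib
import re

# From the advisory: Firefox ESR 45.x prior to 45.3 is affected.
AFFECTED_BRANCH = 45
FIXED_VERSION = (45, 3)

# Default Firefox.app location on macOS (assumption; override if installed elsewhere).
DEFAULT_INFO_PLIST = "/Applications/Firefox.app/Contents/Info.plist"

# Constructed sample of a Firefox Info.plist (not a real capture); only the
# keys relevant to the check are included.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>org.mozilla.firefox</string>
    <key>CFBundleName</key>
    <string>Firefox</string>
    <key>CFBundleShortVersionString</key>
    <string>45.2.0</string>
</dict>
</plist>
"""


def parse_version(version_string):
    """Turn '45.2.0' or '45.3.0esr' into a tuple of ints.

    Non-numeric suffixes such as 'esr' are dropped and missing components
    are padded with 0, so '45.3' compares equal to '45.3.0'.
    """
    parts = []
    for piece in version_string.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group(0)))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def version_from_plist(plist_bytes):
    """Extract the marketing version string from Info.plist contents."""
    info = plistlib.loads(plist_bytes)
    return info["CFBundleShortVersionString"]


def is_affected(version_string):
    """True when the version is on the 45.x ESR branch and below 45.3.

    Versions on other branches return False because they are outside the
    scope of this particular check, not because they are known to be safe.
    """
    v = parse_version(version_string)
    if v[0] != AFFECTED_BRANCH:
        return False
    return v[:2] < FIXED_VERSION


def check_installed_firefox(plist_path=DEFAULT_INFO_PLIST):
    """Read the real Info.plist and return (version, affected) or None if absent."""
    try:
        with open(plist_path, "rb") as fh:
            version = version_from_plist(fh.read())
    except FileNotFoundError:
        return None
    return version, is_affected(version)


if __name__ == "__main__":
    sample = version_from_plist(SAMPLE_INFO_PLIST)
    print("sample bundle reports %s, affected=%s" % (sample, is_affected(sample)))
    result = check_installed_firefox()
    if result is None:
        print("no Firefox.app found at %s" % DEFAULT_INFO_PLIST)
    else:
        print("installed Firefox %s, affected=%s" % result)
```

The comparison is done on the first two components only, so 45.3.0 and any later 45.3.x point release pass, while 45.2.x fails; a version with an "esr" suffix is handled because the suffix is stripped before comparison. A result of "not affected" for a 44.x or 46.x build only means this check does not apply to it, which mirrors the scope of the plugin rather than a statement about those branches.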

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.3
(CVSS2#E:POC/RL:OF/RC:ND)
Public Exploit Available : true
