Firefox < 48 Multiple Vulnerabilities (Mac OS X)

This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.


Synopsis :

The remote Mac OS X host contains a web browser that is affected by
multiple vulnerabilities.

Description :

The version of Firefox installed on the remote Mac OS X host is prior
to 48. It is, therefore, affected by multiple vulnerabilities :

- An overflow condition exists in the expat XML parser due
to improper validation of user-supplied input when
handling malformed input documents. An attacker can
exploit this to cause a buffer overflow, resulting in a
denial of service condition or the execution of
arbitrary code. (CVE-2016-0718)

- An information disclosure vulnerability exists due to a
failure to close connections after requesting favicons.
An attacker can exploit this to continue to send
requests to the user's browser and disclose sensitive
information. (CVE-2016-2830)

- Multiple memory corruption issues exist due to improper
validation of user-supplied input. An attacker can
exploit these issues to cause a denial of service
condition or the execution of arbitrary code.
(CVE-2016-2835, CVE-2016-2836)

- An overflow condition exists in the ClearKey Content
Decryption Module (CDM) used by the Encrypted Media
Extensions (EME) API due to improper validation of
user-supplied input. An attacker can exploit this to
cause a buffer overflow, resulting in a denial of
service condition or the execution of arbitrary code.
(CVE-2016-2837)

- An overflow condition exists in the ProcessPDI()
function in layout/base/nsBidi.cpp due to improper
validation of user-supplied input. An attacker can
exploit this to cause a heap-based buffer overflow,
resulting in a denial of service condition or the
execution of arbitrary code. (CVE-2016-2838)

- A flaw exists in the Resource Timing API during page
navigation. An attacker can exploit this to disclose
sensitive information. (CVE-2016-5250)

- A flaw exists that is triggered when decoding
url-encoded values in 'data:' URLs. An attacker can
exploit this, via non-ASCII or emoji characters, to
spoof the address in the address bar. (CVE-2016-5251)

- An underflow condition exists in the BasePoint4d()
function in gfx/2d/Matrix.h due to improper validation
of user-supplied input when calculating clipping regions
in 2D graphics. A remote attacker can exploit this to
cause a stack-based buffer underflow, resulting in a
denial of service condition or the execution of
arbitrary code. (CVE-2016-5252)

- A use-after-free error exists in the KeyDown() function
in layout/xul/nsXULPopupManager.cpp when using the alt
key in conjunction with top level menu items. An
attacker can exploit this to dereference already freed
memory, resulting in a denial of service condition or
the execution of arbitrary code. (CVE-2016-5254)

- A use-after-free error exists in the sweep() function
that is triggered when handling objects and pointers
during incremental garbage collection. An attacker can
exploit this to dereference already freed memory,
resulting in a denial of service condition or the
execution of arbitrary code. (CVE-2016-5255)

- A use-after-free error exists in WebRTC that is
triggered when handling DTLS objects. An attacker can
exploit this to dereference already freed memory,
resulting in a denial of service condition or the
execution of arbitrary code. (CVE-2016-5258)

- A use-after-free error exists in the DestroySyncLoop()
function in dom/workers/WorkerPrivate.cpp that is
triggered when handling nested sync event loops in
Service Workers. An attacker can exploit this to
dereference already freed memory, resulting in a denial
of service condition or the execution of arbitrary code.
(CVE-2016-5259)

- An information disclosure vulnerability exists in the
restorableFormNodes() function in XPathGenerator.jsm due
to persistently storing passwords in plaintext in
session restore data. An attacker can exploit this to
disclose password information. (CVE-2016-5260)

- An integer overflow condition exists in the
ProcessInput() function in WebSocketChannel.cpp due to
improper validation of user-supplied input when handling
specially crafted WebSocketChannel packets. An attacker
can exploit this to cause a denial of service condition
or the execution of arbitrary code. (CVE-2016-5261)

- A security bypass vulnerability exists due to event
handler attributes on a <marquee> tag being executed
inside a sandboxed iframe that does not have the
allow-scripts flag set. An attacker can exploit this to
bypass cross-site scripting protection mechanisms.
(CVE-2016-5262)

- A type confusion flaw exists in the HitTest() function
in nsDisplayList.cpp when handling display
transformations. An attacker can exploit this to execute
arbitrary code. (CVE-2016-5263)

- A use-after-free error exists in the
NativeAnonymousChildListChange() function when applying
effects to SVG elements. An attacker can exploit this to
dereference already freed memory, resulting in a denial
of service condition or the execution of arbitrary code.
(CVE-2016-5264)

- A flaw exists in the Redirect() function in
nsBaseChannel.cpp that is triggered when a malicious
shortcut is called from the same directory as a local
HTML file. An attacker can exploit this to bypass the
same-origin policy. (CVE-2016-5265)

- A flaw exists due to a failure to properly filter file
URIs dragged from a web page to a different piece of
software. An attacker can exploit this to disclose
sensitive information. (CVE-2016-5266)

- A flaw exists that is triggered when handling certain
specific 'about:' URLs that allows an attacker to spoof
the contents of system information or error messages.
(CVE-2016-5268)

- A flaw exists in woff2 that is triggered during the
handling of TTC detection. An attacker can exploit this
to have an unspecified impact. (VulnDB 142603)

- Multiple unspecified flaws exist in woff2 that allow an
attacker to cause a denial of service condition. (VulnDB
142607, 142608, and 142609)

See also :

https://www.mozilla.org/en-US/security/advisories/mfsa2016-62/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-63/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-64/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-66/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-67/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-68/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-70/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-71/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-72/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-73/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-74/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-75/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-76/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-77/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-78/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-79/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-80/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-81/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-83/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-84/

Solution :

Upgrade to Firefox version 48 or later.
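As an added example (not Tenable's plugin code), a POSIX shell check that mirrors the version test this advisory describes: it reads CFBundleShortVersionString from a Firefox.app Info.plist and reports whether the installed version is prior to 48. The grep/sed parsing, the dotted-version comparison and the embedded sample plist are assumptions of this example, not taken from the page.

```shell
#!/bin/sh
# Added example (not Tenable's plugin code): flag a Firefox.app bundle whose
# CFBundleShortVersionString is below 48, the fixed version in this advisory.
# Assumes an XML Info.plist under Contents/; uses grep/sed so it runs off-macOS.

FIXED_VERSION=48

# firefox_version PLIST: print the CFBundleShortVersionString value.
firefox_version() {
  grep -A1 'CFBundleShortVersionString' "$1" |
    sed -n 's/.*<string>\(.*\)<\/string>.*/\1/p'
}

# version_lt A B: succeed when dotted version A sorts below B numerically
# (47.0.1 < 48, 48.0 is not < 48). Trailing letters such as "0b3" are ignored.
version_lt() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ax="${a%%.*}"; bx="${b%%.*}"
    [ "$a" = "$ax" ] && a="" || a="${a#*.}"
    [ "$b" = "$bx" ] && b="" || b="${b#*.}"
    ax=$(printf '%s' "$ax" | sed 's/[^0-9].*$//'); ax="${ax:-0}"
    bx=$(printf '%s' "$bx" | sed 's/[^0-9].*$//'); bx="${bx:-0}"
    [ "$ax" -lt "$bx" ] && return 0
    [ "$ax" -gt "$bx" ] && return 1
  done
  return 1
}

# firefox_vulnerable PLIST: exit 0 when the installed version is below 48.
firefox_vulnerable() {
  v=$(firefox_version "$1")
  [ -n "$v" ] || { echo "no version string found in $1" >&2; return 2; }
  if version_lt "$v" "$FIXED_VERSION"; then
    echo "Firefox $v is prior to $FIXED_VERSION: affected, upgrade to $FIXED_VERSION or later"
    return 0
  fi
  echo "Firefox $v: not affected by this advisory"
  return 1
}
# Constructed sample Info.plist (not from a real bundle) so the script runs stand-alone.
SAMPLE_PLIST=$(mktemp)
cat > "$SAMPLE_PLIST" <<'EOF'
<plist version="1.0"><dict>
  <key>CFBundleShortVersionString</key>
  <string>47.0.1</string>
</dict></plist>
EOF
firefox_vulnerable "$SAMPLE_PLIST"
rm -f "$SAMPLE_PLIST"
```

To check a real install, pass the bundle's plist path (assumed to be /Applications/Firefox.app/Contents/Info.plist) to firefox_vulnerable instead of the constructed sample.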

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.9
(CVSS2#E:U/RL:U/RC:C)
Public Exploit Available : false