Mozilla Firefox < 49.0 Multiple Vulnerabilities (Mac OS X)

This script is Copyright (C) 2016 Tenable Network Security, Inc.


Synopsis :

The remote Mac OS X host contains a web browser that is affected by
multiple vulnerabilities.

Description :

The version of Mozilla Firefox installed on the remote Mac OS X host
is prior to 49.0. It is, therefore, affected by multiple
vulnerabilities :

- An out-of-bounds read error exists within file
dom/security/nsCSPParser.cpp when handling content
security policies (CSP) containing empty referrer
directives. An unauthenticated, remote attacker can
exploit this to cause a denial of service condition.
(CVE-2016-2827)

- Multiple memory safety issues exist that allow an
unauthenticated, remote attacker to potentially execute
arbitrary code. (CVE-2016-5256, CVE-2016-5257)

- A heap buffer overflow condition exists in the
nsCaseTransformTextRunFactory::TransformString()
function in layout/generic/nsTextRunTransformations.cpp
when converting text containing certain Unicode
characters. An unauthenticated, remote attacker can
exploit this to execute arbitrary code. (CVE-2016-5270)

- An out-of-bounds read error exists in the
nsCSSFrameConstructor::GetInsertionPrevSibling()
function in file layout/base/nsCSSFrameConstructor.cpp
when handling text runs. An unauthenticated, remote
attacker can exploit this to disclose memory contents.
(CVE-2016-5271)

- A type confusion error exists within file
layout/forms/nsRangeFrame.cpp when handling layout with
input elements. An unauthenticated, remote attacker can
exploit this to execute arbitrary code. (CVE-2016-5272)

- An unspecified flaw exists in the
HyperTextAccessible::GetChildOffset() function that
allows an unauthenticated, remote attacker to execute
arbitrary code. (CVE-2016-5273)

- A use-after-free error exists within file
layout/style/nsRuleNode.cpp when handling web animations
during restyling. An unauthenticated, remote attacker
can exploit this to execute arbitrary code.
(CVE-2016-5274)

- A buffer overflow condition exists in the
FilterSupport::ComputeSourceNeededRegions() function
when handling empty filters during canvas rendering. An
unauthenticated, remote attacker can exploit this to
execute arbitrary code. (CVE-2016-5275)

- A use-after-free error exists in the
DocAccessible::ProcessInvalidationList() function within
file accessible/generic/DocAccessible.cpp when setting
an aria-owns attribute. An unauthenticated, remote
attacker can exploit this to execute arbitrary code.
(CVE-2016-5276)

- A use-after-free error exists in the
nsRefreshDriver::Tick() function when handling web
animations destroying a timeline. An unauthenticated,
remote attacker can exploit this to execute arbitrary
code. (CVE-2016-5277)

- A buffer overflow condition exists in the
nsBMPEncoder::AddImageFrame() function within file
dom/base/ImageEncoder.cpp when encoding image frames to
images. An unauthenticated, remote attacker can exploit
this to execute arbitrary code. (CVE-2016-5278)

- A flaw exists that is triggered when handling
drag-and-drop events for files. An unauthenticated,
remote attacker can exploit this to disclose the full
local file path. (CVE-2016-5279)

- A use-after-free error exists in the
nsTextNodeDirectionalityMap::RemoveElementFromMap()
function within file dom/base/DirectionalityUtils.cpp
when handling changing of text direction. An
unauthenticated, remote attacker can exploit this to
execute arbitrary code. (CVE-2016-5280)

- A use-after-free error exists when handling SVG format
content that is being manipulated through script code.
An unauthenticated, remote attacker can exploit this to
execute arbitrary code. (CVE-2016-5281)

- A flaw exists when handling content that requests
favicons from non-whitelisted schemes that are using
certain URI handlers. An unauthenticated, remote
attacker can exploit this to bypass intended
restrictions. (CVE-2016-5282)

- A flaw exists in the handling of iframes that allows
an unauthenticated, remote attacker to conduct an
'iframe src' fragment timing attack, resulting in
disclosure of cross-origin data. (CVE-2016-5283)

- A flaw exists due to the certificate pinning policy for
built-in sites (e.g., addons.mozilla.org) not being
honored when pins have expired. A man-in-the-middle
(MitM) attacker can exploit this to generate a trusted
certificate, which could be used to conduct spoofing
attacks. (CVE-2016-5284)

See also :

https://www.mozilla.org/en-US/security/advisories/mfsa2016-85/

Solution :

Upgrade to Mozilla Firefox version 49.0 or later.
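The check this plugin performs, written as an added example (not Tenable's plugin code): read the installed Firefox version from the application bundle on Mac OS X and compare it against 49.0. It assumes the default install path /Applications/Firefox.app and that the bundle's Info.plist carries the version in CFBundleShortVersionString; a suffix such as "b1" or "esr" is treated as ranking below the plain release with the same numbers.

```python
import plistlib
import re
from pathlib import Path

FIXED_VERSION = "49.0"  # first release that contains the fixes (from the advisory)
# Assumed default install location of the Firefox bundle on Mac OS X.
FIREFOX_PLIST = Path("/Applications/Firefox.app/Contents/Info.plist")

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(.*)$")


def parse_version(text):
    """Turn '48.0.2' into ((48, 0, 2, 0), 1).

    Numeric parts are padded to four components so that 49.0 == 49.0.0.
    A trailing suffix ('b1', 'esr', ...) yields a 0 flag instead of 1, so a
    pre-release or ESR build sorts below the plain release with the same numbers.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version string: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums = nums + (0,) * (4 - len(nums))
    return nums, 0 if m.group(2) else 1


def is_affected(installed, fixed=FIXED_VERSION):
    """True when the installed version is older than the fixed version."""
    return parse_version(installed) < parse_version(fixed)


def installed_firefox_version(plist_path=FIREFOX_PLIST):
    """Read the bundle version; assumes the CFBundleShortVersionString key."""
    with open(plist_path, "rb") as f:
        info = plistlib.load(f)
    return info["CFBundleShortVersionString"]


if __name__ == "__main__":
    if FIREFOX_PLIST.exists():
        ver = installed_firefox_version()
        state = "AFFECTED" if is_affected(ver) else "not affected"
        print(f"Firefox {ver} is {state} (fixed in {FIXED_VERSION})")
    else:
        print(f"no Firefox bundle found at {FIREFOX_PLIST}")
```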

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 6.9
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false
