Mozilla Firefox 48.x / 49.x < 49.0.2 Multiple Vulnerabilities

This script is Copyright (C) 2016 Tenable Network Security, Inc.


Synopsis :

The remote Windows host contains a web browser that is affected by
multiple vulnerabilities.

Description :

The version of Mozilla Firefox installed on the remote Windows host is
48.x or 49.x prior to 49.0.2. It is, therefore, affected by multiple
vulnerabilities :

- A use-after-free error exists in the
  nsTArray_base<T>::SwapArrayElements() function during
  actor destruction with service workers. An
  unauthenticated, remote attacker can exploit this to
  dereference already freed memory, resulting in the
  execution of arbitrary code. Note that this
  vulnerability only affects version 49.x prior to
  49.0.2. (CVE-2016-5287)

- An information disclosure vulnerability exists due to an
  unspecified flaw when e10s is disabled. An
  unauthenticated, remote attacker can exploit this, via
  specially crafted web content, to disclose sensitive
  information in the HTTP cache regarding visited URLs and
  their content. Note that this vulnerability only affects
  version 48.x or 49.x prior to 49.0.2. (CVE-2016-5288)

See also :

https://www.mozilla.org/en-US/security/advisories/mfsa2016-87/

Solution :

Upgrade to Mozilla Firefox version 49.0.2 or later.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 6.9
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: Windows

Nessus Plugin ID: 94232

Bugtraq ID: 93810
93811

CVE ID: CVE-2016-5287
CVE-2016-5288
