Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 : firefox vulnerabilities (USN-3124-1)

Ubuntu Security Notice (C) 2016 Canonical, Inc. / NASL script (C) 2016 Tenable Network Security, Inc.


Synopsis :

The remote Ubuntu host is missing a security-related patch.

Description :

Christian Holler, Andrew McCreight, Dan Minor, Tyson Smith, Jon
Coppeard, Jan-Ivar Bruaroey, Jesse Ruderman, Markus Stange, Olli
Pettay, Ehsan Akhgari, Gary Kwong, Tooru Fujisawa, and Randell Jesup
discovered multiple memory safety issues in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service via application
crash, or execute arbitrary code. (CVE-2016-5289, CVE-2016-5290)

A same-origin policy bypass was discovered with local HTML files in
some circumstances. An attacker could potentially exploit this to
obtain sensitive information. (CVE-2016-5291)

A crash was discovered when parsing URLs in some circumstances. If a
user were tricked into opening a specially crafted website, an
attacker could potentially exploit this to execute arbitrary code.
(CVE-2016-5292)

A heap buffer overflow was discovered in Cairo when processing SVG
content. If a user were tricked into opening a specially crafted
website, an attacker could potentially exploit this to cause a denial
of service via application crash, or execute arbitrary code.
(CVE-2016-5296)

An error was discovered in argument length checking in JavaScript. If
a user were tricked into opening a specially crafted website, an
attacker could potentially exploit this to cause a denial of service
via application crash, or execute arbitrary code. (CVE-2016-5297)

An integer overflow was discovered in the Expat library. If a user
were tricked into opening a specially crafted website, an attacker
could potentially exploit this to cause a denial of service via
application crash. (CVE-2016-9063)

It was discovered that addon updates failed to verify that the addon
ID inside the signed package matched the ID of the addon being
updated. An attacker that could perform a man-in-the-middle (MITM)
attack could potentially exploit this to provide malicious addon
updates. (CVE-2016-9064)

A buffer overflow was discovered in nsScriptLoadHandler. If a user
were tricked into opening a specially crafted website, an attacker
could potentially exploit this to cause a denial of service via
application crash, or execute arbitrary code. (CVE-2016-9066)

Two use-after-free bugs were discovered during DOM operations in some
circumstances. If a user were tricked into opening a specially
crafted website, an attacker could potentially exploit these to cause
a denial of service via application crash, or execute arbitrary code.
(CVE-2016-9067, CVE-2016-9069)

A heap use-after-free was discovered during web animations in some
circumstances. If a user were tricked into opening a specially
crafted website, an attacker could potentially exploit this to cause a
denial of service via application crash, or execute arbitrary code.
(CVE-2016-9068)

It was discovered that a page loaded into the sidebar through a
bookmark could reference a privileged chrome window. An attacker could
potentially exploit this to bypass same-origin restrictions.
(CVE-2016-9070)

An issue was discovered with Content Security Policy (CSP) in
combination with HTTP to HTTPS redirection. An attacker could
potentially exploit this to verify whether a site is within the user's
browsing history. (CVE-2016-9071)

An issue was discovered with the windows.create() WebExtensions API.
If a user were tricked into installing a malicious extension, an
attacker could potentially exploit this to escape the WebExtensions
sandbox. (CVE-2016-9073)

It was discovered that WebExtensions can use the mozAddonManager API.
An attacker could potentially exploit this to install additional
extensions without user permission. (CVE-2016-9075)

It was discovered that <select> element dropdown menus can cover
location bar content when e10s is enabled. An attacker could
potentially exploit this to conduct UI spoofing attacks.
(CVE-2016-9076)

It was discovered that canvas allows the use of the feDisplacementMap
filter on cross-origin images. An attacker could potentially exploit
this to conduct timing attacks. (CVE-2016-9077)

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

Solution :

Update the affected firefox package.
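The check a practitioner wants behind "update the affected firefox package" is whether the installed package is older than the fixed one, using dpkg's own version ordering rather than a string or float comparison (the `~`, epoch and `+buildN` conventions all break naive comparisons). The following is an added example, not code from the Nessus plugin or the Ubuntu advisory: it reimplements dpkg's version comparison in Python so it runs offline over captured `dpkg -l` output. The `dpkg -l` text is constructed, and FIXED_VERSION is an assumed value for illustration; the authoritative per-release fixed version comes from the USN itself, which this page does not reproduce.

```python
"""Is the installed firefox package older than the fixed version?

Added example; not code from the Nessus plugin or the Ubuntu advisory.
Reimplements dpkg's version ordering (epoch, upstream, Debian revision,
'~' sorting before everything) so the check runs offline.
"""

# Assumed fixed version for this example; take the real per-release value
# from the USN.
FIXED_VERSION = "50.0+build2-0ubuntu0.16.04.1"

# Constructed `dpkg -l 'firefox*'` output from a not-yet-updated 16.04 host.
DPKG_L_OUTPUT = """\
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name              Version                      Architecture Description
+++-=================-============================-============-==============
ii  firefox           49.0+build4-0ubuntu0.16.04.1 amd64        Safe and easy web browser from Mozilla
ii  firefox-locale-en 49.0+build4-0ubuntu0.16.04.1 amd64        English language pack for Firefox
"""


def _order(c):
    """Character weight dpkg uses inside non-digit runs."""
    if c == "~":
        return -1           # '~' sorts before anything, even end of string
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)       # letters sort before all other characters
    return ord(c) + 256     # '.', '+', '-' etc. sort after every letter


def _verrevcmp(a, b):
    """dpkg's comparison of one version component (upstream or revision)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character weights position by position.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: numeric comparison, leading zeros ignored.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1        # a has more digits left, so it is the larger number
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _sign(x):
    return (x > 0) - (x < 0)


def compare_versions(a, b):
    """Return -1, 0 or 1 as Debian version a is older than, equal to or newer than b."""
    def split(v):
        epoch = 0
        if ":" in v:                       # epoch is everything before the first ':'
            e, v = v.split(":", 1)
            epoch = int(e)
        upstream, _, revision = v.rpartition("-")   # revision is after the last '-'
        if not upstream:                   # no '-' at all: rpartition put it all in `revision`
            upstream, revision = revision, ""
        return epoch, upstream, revision

    ea, ua, ra = split(a)
    eb, ub, rb = split(b)
    if ea != eb:
        return _sign(ea - eb)
    return _sign(_verrevcmp(ua, ub)) or _sign(_verrevcmp(ra, rb))


def installed_version(dpkg_l_text, package):
    """Version of `package` if dpkg -l shows it installed ('ii'), else None."""
    for line in dpkg_l_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "ii" and fields[1] == package:
            return fields[2]
    return None


def is_vulnerable(dpkg_l_text, package="firefox", fixed=FIXED_VERSION):
    """True when the package is installed and older than the fixed version."""
    installed = installed_version(dpkg_l_text, package)
    return installed is not None and compare_versions(installed, fixed) < 0


if __name__ == "__main__":
    v = installed_version(DPKG_L_OUTPUT, "firefox")
    print(f"firefox {v}: {'VULNERABLE' if is_vulnerable(DPKG_L_OUTPUT) else 'patched'}")
```

On a real host, `dpkg -l` truncates long version strings to fit the terminal width; feed the parser output from `dpkg-query -W` (or run `dpkg -l` with `COLUMNS` set wide) so the version column is complete. Note also that a package can be at the fixed version while the running Firefox process still predates the update, so a version check is not a substitute for restarting the browser.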

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.3
(CVSS2#E:POC/RL:OF/RC:ND)
Public Exploit Available : true
