Mozilla Firefox ESR 45.x < 45.6 Multiple Vulnerabilities (macOS)

This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.


Synopsis :

The remote macOS or Mac OS X host contains a web browser that is
affected by multiple vulnerabilities.

Description :

The version of Mozilla Firefox ESR installed on the remote macOS or
Mac OS X host is 45.x prior to 45.6. It is, therefore, affected by
the following vulnerabilities :

- Multiple memory corruption issues exist, for example
when handling document state changes or HTML5 content,
or due to dereferencing already freed memory or
improper validation of user-supplied input. An
unauthenticated, remote attacker can exploit these to
cause a denial of service condition or the execution of
arbitrary code. (CVE-2016-9893)

- A security bypass vulnerability exists due to event
handlers for marquee elements being executed despite a
Content Security Policy (CSP) that disallowed inline
JavaScript. An unauthenticated, remote attacker can
exploit this to impact integrity. (CVE-2016-9895)

- A memory corruption issue exists in libGLES when WebGL
functions use a vector constructor with a varying array.
An unauthenticated, remote attacker can
exploit this to cause a denial of service condition or
the execution of arbitrary code. (CVE-2016-9897)

- A use-after-free error exists in Editor, specifically
within file editor/libeditor/HTMLEditor.cpp, when
handling DOM subtrees. An unauthenticated, remote
attacker can exploit this to cause a denial of service
condition or the execution of arbitrary code.
(CVE-2016-9898)

- A use-after-free error exists in the
nsNodeUtils::CloneAndAdopt() function within file
dom/base/nsNodeUtils.cpp, while manipulating DOM events
and removing audio elements, due to improper handling of
failing node adoption. An unauthenticated, remote
attacker can exploit this to cause a denial of service
condition or the execution of arbitrary code.
(CVE-2016-9899)

- A security bypass vulnerability exists in the
nsDataDocumentContentPolicy::ShouldLoad() function
within file dom/base/nsDataDocumentContentPolicy.cpp
that allows external resources to be inappropriately
loaded by SVG images by utilizing 'data:' URLs. An
unauthenticated, remote attacker can exploit this to
disclose sensitive cross-domain information.
(CVE-2016-9900)

- A flaw exists due to improper sanitization of HTML tags
received from the Pocket server. An unauthenticated,
remote attacker can exploit this to run JavaScript code
in the about:pocket-saved (unprivileged) page, giving it
access to Pocket's messaging API through HTML injection.
(CVE-2016-9901)

- A flaw exists in the Pocket toolbar button, specifically
in browser/extensions/pocket/content/main.js, due to
improper verification of the origin of events fired from
its own pages. An unauthenticated, remote attacker can
exploit this to inject content and commands from other
origins into the Pocket context. Note that this issue
does not affect users with e10s enabled. (CVE-2016-9902)

- An information disclosure vulnerability exists that
allows an unauthenticated, remote attacker to determine
whether an atom is used by another compartment or zone
in specific contexts, by utilizing a JavaScript Map/Set
timing attack. (CVE-2016-9904)

- A memory corruption issue exists in the
nsDocument::EnumerateSubDocuments() function within file
dom/base/nsDocument.cpp when adding and removing
sub-documents. An unauthenticated, remote attacker can
exploit this, via a specially crafted web page, to cause
a denial of service condition or the execution of
arbitrary code. (CVE-2016-9905)

See also :

https://www.mozilla.org/en-US/security/advisories/mfsa2016-95/

Solution :

Upgrade to Mozilla Firefox ESR version 45.6 or later.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.3
(CVSS2#E:POC/RL:OF/RC:ND)
Public Exploit Available : true
