Mozilla Firefox < 50.1 Multiple Vulnerabilities

This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.


Synopsis :

The remote Windows host contains a web browser that is affected by
multiple vulnerabilities.

Description :

The version of Mozilla Firefox installed on the remote Windows host
is prior to 50.1. It is, therefore, affected by the following
vulnerabilities :

- Multiple memory corruption issues exists when handling
style contexts, regular expressions, and clamped
gradients that allow an unauthenticated, remote attacker
to cause a denial of service condition or the execution
of arbitrary code. (CVE-2016-9080)

- Multiple memory corruption issues exists, such as when
handling document state changes or HTML5 content, or
else due to dereferencing already freed memory or
improper validation of user-supplied input. An
unauthenticated, remote attacker can exploit these to
cause a denial of service condition or the execution of
arbitrary code. (CVE-2016-9893)

- A buffer overflow condition exists in SkiaGl, within the
GrResourceProvider::createBuffer() function in file
gfx/skia/skia/src/gpu/GrResourceProvider.cpp, due to a
GrGLBuffer being truncated during allocation. An
unauthenticated, remote attacker can exploit this to
cause a denial of service condition or the execution of
arbitrary code. (CVE-2016-9894)

- A security bypass vulnerability exists due to event
handlers for marquee elements being executed despite a
Content Security Policy (CSP) that disallowed inline
JavaScript. An unauthenticated, remote attacker can
exploit this to impact integrity. (CVE-2016-9895)

- A use-after-free error exists within WebVR when handling
the navigator object. An unauthenticated, remote
attacker can exploit this to dereference already freed
memory, resulting in the execution of arbitrary code.
(CVE-2016-9896)

- A memory corruption issue exists in libGLES when WebGL
functions use a vector constructor with a varying array
within libGLES. An unauthenticated, remote attacker can
exploit this to cause a denial of service condition or
the execution of arbitrary code. (CVE-2016-9897)

- A use-after-free error exists in Editor, specifically
within file editor/libeditor/HTMLEditor.cpp, when
handling DOM subtrees. An unauthenticated, remote
attacker can exploit this to cause a denial of service
condition or the execution of arbitrary code.
(CVE-2016-9898)

- A use-after-free error exists in the
nsNodeUtils::CloneAndAdopt() function within file
dom/base/nsNodeUtils.cpp, while manipulating DOM events
and removing audio elements, due to improper handling of
failing node adoption. An unauthenticated, remote
attacker can exploit this to cause a denial of service
condition or the execution of arbitrary code.
(CVE-2016-9899)

- A security bypass vulnerability exists in the
nsDataDocumentContentPolicy::ShouldLoad() function
within file dom/base/nsDataDocumentContentPolicy.cpp
that allows external resources to be inappropriately
loaded by SVG images by utilizing 'data:' URLs. An
unauthenticated, remote attacker can exploit this to
disclose sensitive cross-domain information.
(CVE-2016-9900)

- A flaw exists due to improper sanitization of HTML tags
received from the Pocket server. An unauthenticated,
remote attacker can exploit this to run JavaScript code
in the about:pocket-saved (unprivileged) page, giving it
access to Pocket's messaging API through HTML injection.
(CVE-2016-9901)

- A flaw exists in the Pocket toolbar button, specifically
in browser/extensions/pocket/content/main.js, due to
improper verification of the origin of events fired from
its own pages. An unauthenticated, remote attacker can
exploit this to inject content and commands from other
origins into the Pocket context. Note that this issue
does not affect users with e10s enabled. (CVE-2016-9902)

- A universal cross-site scripting (XSS) vulnerability
exists in the Add-ons SDK, specifically within files
addon-sdk/source/lib/sdk/ui/frame/view.html and
addon-sdk/source/lib/sdk/ui/frame/view.js, due to
improper validation of input before returning it to
users. An unauthenticated, remote attacker can exploit
this, via a specially crafted request, to execute
arbitrary script code in a user's browser session.
(CVE-2016-9903)

- An information disclosure vulnerability exists that
allows an unauthenticated, remote attacker to determine
whether an atom is used by another compartment or zone
in specific contexts, by utilizing a JavaScript Map/Set
timing attack. (CVE-2016-9904)

See also :

https://www.mozilla.org/en-US/security/advisories/mfsa2016-94/

Solution :

Upgrade to Mozilla Firefox version 50.1 or later.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.3
(CVSS2#E:POC/RL:OF/RC:ND)
Public Exploit Available : true

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now