Firefox < 8.0 Multiple Vulnerabilities (Mac OS X)

High Nessus Plugin ID 56756

Synopsis

The remote Mac OS X host contains a web browser that is potentially affected by multiple vulnerabilities.

Description

The installed version of Firefox is earlier than 8.0 and thus, is potentially affected by the following security issues :

- Certain invalid sequences are not handled properly in 'Shift-JIS' encoding, which can allow cross-site scripting attacks. (CVE-2011-3648)

- Profiling JavaScript files with many functions can cause the application to crash. It may be possible to trigger this behavior even when the debugging APIs are not being used. (CVE-2011-3650)

- Multiple memory safety issues exist. (CVE-2011-3651)

- An unchecked memory allocation failure can cause the application to crash. (CVE-2011-3652)

- An issue with WebGL graphics and GPU drivers can allow cross-origin image theft. (CVE-2011-3653)

- An error exists related to SVG 'mpath' linking to a non-SVG element, which can result in potentially exploitable application crashes. (CVE-2011-3654)

- An error in internal privilege checking can allow web content to obtain elevated privileges.
(CVE-2011-3655)

Solution

Upgrade to Firefox 8.0 or later.

See Also

https://www.mozilla.org/en-US/security/advisories/mfsa2011-47/

https://www.mozilla.org/en-US/security/advisories/mfsa2011-48/

https://www.mozilla.org/en-US/security/advisories/mfsa2011-49/

https://www.mozilla.org/en-US/security/advisories/mfsa2011-51/

https://www.mozilla.org/en-US/security/advisories/mfsa2011-52/

Plugin Details

Severity: High

ID: 56756

File Name: macosx_firefox_8_0.nasl

Version: 1.10

Type: local

Agent: macosx

Published: 2011/11/09

Updated: 2018/07/14

Dependencies: 55417

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 9.3

Temporal Score: 6.9

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/a:mozilla:firefox

Required KB Items: MacOSX/Firefox/Installed

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2011/11/08

Vulnerability Publication Date: 2011/11/08

Reference Information

CVE: CVE-2011-3648, CVE-2011-3650, CVE-2011-3651, CVE-2011-3652, CVE-2011-3653, CVE-2011-3654, CVE-2011-3655

BID: 50592, 50593, 50594, 50595, 50597, 50600, 50602

CWE: 20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990