Mozilla Firefox < 49.0 Multiple Vulnerabilities

High Nessus Plugin ID 93662

Synopsis

The remote Windows host contains a web browser that is affected by multiple vulnerabilities.

Description

The version of Mozilla Firefox installed on the remote Windows host is prior to 49.0. It is, therefore, affected by multiple vulnerabilities :

- An out-of-bounds read error exists within file dom/security/nsCSPParser.cpp when handling content security policies (CSP) containing empty referrer directives. An unauthenticated, remote attacker can exploit this to cause a denial of service condition.
(CVE-2016-2827)

- Multiple memory safety issues exist that allow an unauthenticated, remote attacker to potentially execute arbitrary code. (CVE-2016-5256, CVE-2016-5257)

- A heap buffer overflow condition exists in the nsCaseTransformTextRunFactory::TransformString() function in layout/generic/nsTextRunTransformations.cpp when converting text containing certain Unicode characters. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2016-5270)

- An out-of-bounds read error exists in the nsCSSFrameConstructor::GetInsertionPrevSibling() function in file layout/base/nsCSSFrameConstructor.cpp when handling text runs. An unauthenticated, remote attacker can exploit this to disclose memory contents.
(CVE-2016-5271)

- A type confusion error exists within file layout/forms/nsRangeFrame.cpp when handling layout with input elements. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2016-5272)

- An unspecified flaw exists in the HyperTextAccessible::GetChildOffset() function that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2016-5273)

- A use-after-free error exists within file layout/style/nsRuleNode.cpp when handling web animations during restyling. An unauthenticated, remote attacker can exploit this to execute arbitrary code.
(CVE-2016-5274)

- A buffer overflow condition exists in the FilterSupport::ComputeSourceNeededRegions() function when handling empty filters during canvas rendering. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2016-5275)

- A use-after-free error exists in the DocAccessible::ProcessInvalidationList() function within file accessible/generic/DocAccessible.cpp when setting an aria-owns attribute. An unauthenticated, remote attacker can exploit this to execute arbitrary code.
(CVE-2016-5276)

- A use-after-free error exists in the nsRefreshDriver::Tick() function when handling web animations destroying a timeline. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2016-5277)

- A buffer overflow condition exists in the nsBMPEncoder::AddImageFrame() function within file dom/base/ImageEncoder.cpp when encoding image frames to images. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2016-5278)

- A flaw exists that is triggered when handling drag-and-drop events for files. An unauthenticated, remote attacker can exploit this disclose the full local file path. (CVE-2016-5279)

- A use-after-free error exists in the nsTextNodeDirectionalityMap::RemoveElementFromMap() function within file dom/base/DirectionalityUtils.cpp when handling changing of text direction. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2016-5280)

- A use-after-free error exists when handling SVG format content that is being manipulated through script code.
An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2016-5281)

- A flaw exists when handling content that requests favicons from non-whitelisted schemes that are using certain URI handlers. An unauthenticated, remote attacker can exploit this to bypass intended restrictions. (CVE-2016-5282)

- A flaw exists that is related to the handling of iframes that allow an unauthenticated, remote attacker to conduct an 'iframe src' fragment timing attack, resulting in disclosure of cross-origin data.
(CVE-2016-5283)

- A flaw exists due to the certificate pinning policy for built-in sites (e.g., addons.mozilla.org) not being honored when pins have expired. A man-in-the-middle (MitM) attacker can exploit this to generate a trusted certificate, which could be used to conduct spoofing attacks. (CVE-2016-5284)

Solution

Upgrade to Mozilla Firefox version 49.0 or later.

See Also

https://www.mozilla.org/en-US/security/advisories/mfsa2016-85/

Plugin Details

Severity: High

ID: 93662

File Name: mozilla_firefox_49.nasl

Version: 1.6

Type: local

Agent: windows

Family: Windows

Published: 2016/09/22

Updated: 2018/07/16

Dependencies: 20862

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 9.3

Temporal Score: 6.9

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSS v3.0

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mozilla:firefox

Required KB Items: Mozilla/Firefox/Version

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2016/09/20

Vulnerability Publication Date: 2016/04/29

Reference Information

CVE: CVE-2016-2827, CVE-2016-5256, CVE-2016-5257, CVE-2016-5270, CVE-2016-5271, CVE-2016-5272, CVE-2016-5273, CVE-2016-5274, CVE-2016-5275, CVE-2016-5276, CVE-2016-5277, CVE-2016-5278, CVE-2016-5279, CVE-2016-5280, CVE-2016-5281, CVE-2016-5282, CVE-2016-5283, CVE-2016-5284

BID: 93049, 93052

MFSA: 2016-85