Mozilla Firefox < 53 Multiple Vulnerabilities

High | Nessus Network Monitor Plugin ID 700065

Synopsis

The remote host has a web browser installed that is vulnerable to multiple attack vectors.

Description

Versions of Mozilla Firefox prior to 53 are unpatched for the following vulnerabilities:

- A use-after-free error exists that is related to certain text input selections. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2017-5432)
- A use-after-free error exists in the SMIL animation functions. The issue is triggered when handling animation elements. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2017-5433)
- A use-after-free error exists that is triggered when redirecting focus handling. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2017-5434)
- A use-after-free error exists that is triggered when processing transactions in the editor during design mode interactions. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2017-5435)
- A use-after-free error exists in the 'nsAutoPtr()' function that is triggered during XSLT processing. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2017-5438)
- A use-after-free error exists in the 'Length()' function in 'nsTArray' that is triggered when handling template parameters during XSLT processing. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2017-5439)
- A use-after-free error exists in the 'txExecutionState' destructor that is triggered during the processing of XSLT content. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2017-5440)
- A use-after-free error exists that is triggered when holding a selection during scroll events. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2017-5441)
- A use-after-free error exists that is triggered when changing styles in DOM elements. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2017-5442)
- An out-of-bounds write flaw exists that is triggered during the decoding of improperly formed BinHex format archives. This may allow a context-dependent attacker to potentially execute arbitrary code. (CVE-2017-5443)
- An overflow condition exists that is triggered as certain input is not properly validated when parsing 'application/http-index-format' content. This may allow a context-dependent attacker to cause a buffer overflow, potentially allowing the execution of arbitrary code. (CVE-2017-5444)
- A flaw exists in 'nsDirIndexParser.cpp' related to the use of uninitialized data. The issue is triggered when parsing 'application/http-index-format' content. This may allow a context-dependent attacker to disclose memory contents. (CVE-2017-5445)
- An out-of-bounds read flaw exists that is triggered when handling HTTP/2 DATA connections that send DATA frames with incorrect data content. This may allow a context-dependent attacker to potentially disclose memory contents. (CVE-2017-5446)
- An out-of-bounds read flaw exists that is triggered when processing glyph widths during text layouts. This may allow a context-dependent attacker to potentially disclose memory contents. (CVE-2017-5447)
- An out-of-bounds write flaw exists in the 'ClearKeyDecryptor::Decrypt()' function in 'ClearKeyDecryptionManager.cpp' that is triggered when decrypting Clearkey-encrypted media content. This may allow a context-dependent attacker to potentially execute arbitrary code. (CVE-2017-5448)
- A flaw exists that is triggered during the handling of bidirectional Unicode text with CSS animations. This may allow a context-dependent attacker to potentially execute arbitrary code. (CVE-2017-5449)
- A flaw exists that is triggered during the parsing of base domains that contain 'javascript: URI'. This may allow a context-dependent attacker to spoof a valid address bar. (CVE-2017-5450)
- A flaw exists that is triggered during the handling of a specially crafted 'onblur' event. This may allow a context-dependent attacker to spoof a valid address bar. (CVE-2017-5451)
- A flaw exists that is triggered when selecting an HTML editable page element while the existing location bar has been scrolled out of view. This may allow a context-dependent attacker to spoof a valid address bar. (CVE-2017-5452)
- A flaw exists in the RSS reader preview page that is triggered as input supplied via URL parameters is not properly sanitized. This may allow a context-dependent attacker to spoof the 'TITLE' element. (CVE-2017-5453)
- A flaw exists in the 'FileSystemSecurity::Forget()' function in 'FileSystemSecurity.cpp'. The issue is triggered as input containing path traversal style sequences (e.g. '../') is not properly sanitized when using the File Picker. This may allow a context-dependent attacker to bypass file system access protections and read arbitrary files from the local file system. (CVE-2017-5454)
- An unspecified flaw exists in the internal feed reader APIs that is triggered when handling messages. This may allow a context-dependent attacker to bypass the sandbox. (CVE-2017-5455)
- A flaw exists in the Entries API that is triggered when using a file system request constructor through an IPC message. This may allow a context-dependent attacker to bypass the file system access protections and gain read and write access to the local file system. (CVE-2017-5456)
- A flaw exists that allows a reflected XSS attack. This flaw exists because the program does not validate input when dragging and dropping a 'javascript: URL' into the address bar. This may allow a context-dependent attacker to create a specially crafted request that will execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. (CVE-2017-5458)
- An overflow condition exists in WebGL. The issue is triggered as certain input is not properly validated when handling web content. This may allow a context-dependent attacker to cause a buffer overflow, potentially allowing the execution of arbitrary code. (CVE-2017-5459)
- A use-after-free error exists in frame selection that is triggered when handling a combination of malicious script content and key presses. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2017-5460)
- An overflow condition exists in Base64 decoding. The issue is triggered as certain input is not properly validated. This may allow a context-dependent attacker to cause a buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code. (CVE-2017-5461)
- A flaw exists in the DRBG number generation that is triggered as internal state V does not correctly carry bits over. This may result in potentially predictable random number generation. (CVE-2017-5462)
- A flaw exists that is triggered during the handling of a specially crafted URL with Android intents. This may allow a context-dependent attacker to spoof a valid address bar. (CVE-2017-5463)
- A flaw exists that is triggered as certain input is not properly validated when making changes to DOM content in the accessibility tree. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2017-5464)
- An out-of-bounds read flaw exists in 'ConvolvePixel' that is triggered when processing specially crafted SVG content. This may allow a context-dependent attacker to potentially disclose memory contents. (CVE-2017-5465)
- A flaw exists that allows a cross-site scripting (XSS) attack. This flaw exists because the program does not validate input when handling 'data:text/html' URL redirects before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that will execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. (CVE-2017-5466)
- A flaw exists that is triggered as certain input is not properly validated when rendering Skia content outside of the bounds of a clipping region. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2017-5467)
- A flaw exists in developer tools that is triggered as ownership models are incorrectly applied. This may allow a context-dependent attacker to cause a crash. (CVE-2017-5468)
- Multiple overflow conditions exist in the FLEX generated code. The issue is triggered as certain input is not properly validated. This may allow a context-dependent attacker to cause a buffer overflow, potentially allowing the execution of arbitrary code. (CVE-2017-5469)
- Multiple unspecified flaws exist that are triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2017-5429, CVE-2017-5430)

Solution

Upgrade to Firefox version 53 or later.

See Also

https://www.mozilla.org/en-US/security/advisories/mfsa2017-10

https://www.mozilla.org/en-US/security/advisories/mfsa2017-11

https://www.mozilla.org/en-US/security/advisories/mfsa2017-12

Plugin Details

Severity: High

ID: 700065

Family: Web Clients

Published: 4/21/2017

Updated: 3/6/2019

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 8.1

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mozilla:firefox

Patch Publication Date: 4/19/2017

Vulnerability Publication Date: 4/19/2017

Reference Information

CVE: CVE-2017-5429, CVE-2017-5430, CVE-2017-5432, CVE-2017-5433, CVE-2017-5434, CVE-2017-5435, CVE-2017-5438, CVE-2017-5439, CVE-2017-5440, CVE-2017-5441, CVE-2017-5442, CVE-2017-5443, CVE-2017-5444, CVE-2017-5445, CVE-2017-5446, CVE-2017-5447, CVE-2017-5448, CVE-2017-5449, CVE-2017-5450, CVE-2017-5451, CVE-2017-5452, CVE-2017-5453, CVE-2017-5454, CVE-2017-5455, CVE-2017-5456, CVE-2017-5458, CVE-2017-5459, CVE-2017-5460, CVE-2017-5461, CVE-2017-5462, CVE-2017-5463, CVE-2017-5464, CVE-2017-5465, CVE-2017-5466, CVE-2017-5467, CVE-2017-5468, CVE-2017-5469

BID: 97940