Mozilla Firefox < 55 Multiple Vulnerabilities

High Nessus Network Monitor Plugin ID 700182

Synopsis

The remote host has a web browser installed that is vulnerable to multiple attack vectors.

Description

Versions of Mozilla Firefox prior to 55 are unpatched for the following vulnerabilities :

- A flaw exists that is triggered as the HTTP Strict-Transport-Security (HSTS) header is ignored when processing a response containing multiple HSTS headers. This may allow an attacker with the ability to intercept network traffic (e.g. MitM, DNS cache poisoning) to bypass HSTS protection and downgrade the HTTP communication. (OSVDB 160997)
- A flaw exists in the 'Key::EncodeAsString()' function in 'dom/indexedDB/Key.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 162894)
- A flaw exists in the 'SelectionManager::SetControlSelectionListener()' and 'SelectionManager::ClearControlSelectionListener()' functions in 'accessible/base/SelectionManager.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 162895)
- An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. No further details have been provided by the vendor. (OSVDB 162896, OSVDB 162898, OSVDB 162901, OSVDB 162902, OSVDB 162904, OSVDB 162920, OSVDB 162921, OSVDB 162923, OSVDB 162925, OSVDB 162930)
- A flaw exists in the 'DocAccessible::MoveChild()' function in 'accessible/generic/DocAccessible.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 162897)
- A use-after-free error exists in 'xpcom/threads/MozPromise.h' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (OSVDB 162899)
- A use-after-free error exists that is triggered when handling edit transactions. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (OSVDB 162900)
- A flaw exists related to the Android UI thread. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 162903)
- A flaw exists in the 'CanonicalizeLanguageTag()' function in 'js/src/builtin/Intl.js' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 162905)
- A flaw exists that is triggered as certain input is not properly validated when handling freezing of dense elements. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 162906)
- A flaw exists in the 'Module::instantiate()' function in 'js/src/wasm/WasmModule.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 162907)
- A flaw exists in the 'Accessible::RemoveChild()' function in 'accessible/generic/Accessible.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 162908)
- A flaw exists in the 'IonBuilder::build()' and 'IonBuilder::buildInline()' functions in 'js/src/jit/IonBuilder.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 162909)
- A flaw exists in the 'nsContentUtils::ConvertStringFromEncoding()' function in 'dom/base/nsContentUtils.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 162910)
- A flaw exists in the 'jit::JitActivation::getRematerializedFrame()' function in 'js/src/vm/Stack.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 162911)
- A use-after-free error exists in the 'nsMIMEHeaderParamImpl::DecodeRFC5987Param()' function in 'netwerk/mime/nsMIMEHeaderParamImpl.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (OSVDB 162912)
- A flaw exists in the 'nsWindow::SetParent()' function in 'widget/windows/nsWindow.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 162913)
- A race condition exists in 'media/webrtc/trunk/webrtc/modules/desktop_capture/screen_capturer_mac.mm' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 162914)
- An unspecified flaw exists related to missing thread safety that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 162915)
- A flaw exists in the 'NotifyTrackRemoved()' function in 'dom/media/MediaRecorder.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 162916)
- A flaw exists in the 'InitGlobalLexicalOperation()' function in 'js/src/vm/Interpreter-inl.h' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 162917)
- A flaw exists in the 'js::FinishCompilation()' function in 'js/src/vm/TypeInference.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 162918)
- A flaw exists in the 'TypedArrayObjectTemplate::makeTemplateObject()' function in 'js/src/vm/TypedArrayObject.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 162919)
- A flaw exists in the 'DocAccessible::DoARIAOwnsRelocation()' function in 'accessible/generic/DocAccessible.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 162922)
- A flaw exists in the 'nsFTPDirListingConv::DigestBufferLines()' function in 'netwerk/streamconv/converters/nsFTPDirListingConv.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 162924)
- A flaw exists in the 'TraceSelf()' function in 'dom/bindings/TypedArray.h' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 162926)
- A flaw exists in the 'WebSocket::Send()' function in 'dom/base/WebSocket.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 162927)
- A flaw exists in the 'ExpressionDecompiler::decompilePC()' function in 'js/src/jsopcode.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 162928)
- A flaw exists in the 'IonBuilder::addOsrValueTypeBarrier()' function in 'js/src/jit/IonBuilder.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 162929)
- A flaw exists related to response header name interning not having same-origin protections. This may allow a context-dependent attacker to disclose stored header names. (OSVDB 162931)
- A flaw exists in the Developer Tools feature that is triggered as web page source code is not properly validated. This may allow a context-dependent attacker to inject and execute arbitrary XUL code. (OSVDB 162932)
- A use-after-free error exists in the 'WebSocketImpl::Disconnect()' function in 'dom/base/WebSocket.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code. (OSVDB 162933)
- A use-after-free error exists that is triggered when re-computing the layout for marquee elements during window resizing. With a specially crafted web page, a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code. (OSVDB 162934)
- A use-after-free error exists that is triggered when deleting attached editor DOM nodes. With a specially crafted web page, a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code. (OSVDB 162935)
- A use-after-free error exists in the 'nsImageLoadingContent::Notify()' function in 'dom/base/nsImageLoadingContent.cpp' that is triggered when reading image observers during frame reconstruction. With a specially crafted web page, a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code. (OSVDB 162936)
- A use-after-free error exists that is triggered when resizing image elements. With a specially crafted web page, a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code. (OSVDB 162937)
- An overflow condition exists that is triggered as certain input is not properly validated when manipulation Accessible Rich Internet Applications (ARIA) attributes. This may allow a context-dependent attacker to cause a buffer overflow and potentially execute arbitrary code. (OSVDB 162938)
- An overflow condition exists that is triggered as certain input is not properly validated when painting non-displayable SVG elements. This may allow a context-dependent attacker to cause a buffer overflow and potentially execute arbitrary code. (OSVDB 162939)
- A use-after-free error exists that is triggered when handling the layer manager while rendering SVG content. This may allow a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code. (OSVDB 162940)
- An out-of-bounds read flaw exists that is triggered when handling cached style data and pseudo-elements. This may allow a context-dependent attacker to potentially disclose sensitive memory contents. (OSVDB 162941)
- A flaw exists in the 'nsDocShell::OnNewURI()' function in 'docshell/base/nsDocShell.cpp' that is triggered when handling pages with embedded iframes during page reloads. With a specially crafted web page, a context-dependent attacker can bypass the same-origin policy. (OSVDB 162942)
- A flaw exists in the AppCache feature related to handling of websites under a subdirectory adding fallback pages. With a specially crafted website, a context-dependent attacker can hijack a domain. (OSVDB 162944)
- A flaw exists in the 'openTabPrompt()' and 'openRemotePrompt()' functions in 'toolkit/components/prompts/src/nsPrompter.js' that is triggered when handling page navigations with data: protocols and modal alerts. This may allow a context-dependent attacker to conduct spoofing attacks. (OSVDB 162945)
- A flaw exists in 'xpcom/build/nsWindowsDllInterceptor.h' that is triggered as WindowsDllDetourPatcher may allocate memory with RWX permissions. This may allow a context-dependent attacker to bypass intended DEP protection and more easily exploit another vulnerability that allows code execution. (OSVDB 162946)
- A flaw exists in the 'AllowOpen()' function in 'security/sandbox/linux/broker/SandboxBroker.cpp'. This may allow a context-dependent attacker to bypass the sandbox restrictions and truncate files on the system. (OSVDB 162947)
- A flaw exists in the elliptic curve point addition algorithm that is triggered when using mixed Jacobian-affine coordinates. This may allow an attacker with the ability to intercept network traffic '(e.g'. MitM, DNS cache poisoning) to interfere with a connection and cause the calculation of an incorrect shared secret. (OSVDB 162948)
- A flaw exists that is triggered when handling frame-ancestors directives containing origins with paths. This may allow a context-dependent attacker to bypass the content security policy (CSP). (OSVDB 162950)
- A sandbox directive. This may result in other directives being ignored and incorrect enforcement of the content security policy (CSP). (OSVDB 162951)
- A flaw exists in the 'ExecuteServiceCommand()' function in 'toolkit/components/maintenanceservice/workmonitor.cpp' that is triggered when handling patch directory paths. Combined with another local vulnerability this may allow an attacker to have the Windows updater delete any file named 'update.log'. (OSVDB 162952)
- A flaw exists in 'toolkit/content/aboutwebrtc/aboutWebrtc.js' that is triggered as certain input to about:webrtc is not properly validated. This may allow an attacker to create a specially crafted request that executes arbitrary script code in a user's browser session within the trust relationship between their browser and the server or inject XUL code. (OSVDB 162953)
- A flaw exists in the 'nsHttpChannelAuthProvider::ConfirmAuth()' function in 'netwerk/protocol/http/nsHttpChannelAuthProvider.cpp' that is triggered when handling long usernames in URLs. This may allow a context-dependent attacker to cause a denial of service. (OSVDB 162954)
- A flaw exists in 'toolkit/crashreporter/client/crashreporter_win.cpp' that is triggered as the Windows crash reporter may read extra memory for certain non-null-terminated registry values. This may allow an attacker to disclose potentially sensitive memory contents. (OSVDB 162955)
- A flaw exists in 'xpcom/build/nsWindowsDllInterceptor.h' that is triggered as the WindowsDllDetourPatcher class destructor may be re-purposed by malicious code. This may allow a context-dependent attacker to bypass memory protections. (OSVDB 162956)
- A flaw exists that is triggered as sandboxed about:srcdoc iframes do not inherit content security policy (CSP) directives. This may allow a context-dependent attacker to bypass the content security policy (CSP). (OSVDB 162957)
- An overflow condition exists in 'security/manager/ssl/nsNSSCertHelper.cpp' that is triggered when viewing certificates with overly long OIDs. This may allow a context-dependent attacker to cause a buffer overflow and potentially execute arbitrary code. (OSVDB 162958)

Solution

Upgrade to Firefox version 55 or later.

See Also

https://www.mozilla.org/en-US/security/advisories/mfsa2017-18

https://www.mozilla.org/en-US/security/advisories/mfsa2017-19

http://www.nessus.org/u?72a63c9b

Plugin Details

Severity: High

ID: 700182

File Name: 700182.prm

Family: Web Clients

Published: 2017/08/21

Modified: 2017/08/21

Dependencies: 9131

Nessus ID: 102359

Risk Information

Risk Factor: High

CVSSv2

Base Score: 9.3

Temporal Score: 8.1

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

CVSSv3

Base Score: 7.5

Temporal Score: 7.1

Vector: CVSS3#AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS3#E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mozilla:firefox

Patch Publication Date: 2016/08/08

Vulnerability Publication Date: 2017/08/08

Reference Information

CVE: CVE-2017-7753, CVE-2017-7779, CVE-2017-7780, CVE-2017-7781, CVE-2017-7782, CVE-2017-7783, CVE-2017-7784, CVE-2017-7785, CVE-2017-7786, CVE-2017-7787, CVE-2017-7788, CVE-2017-7789, CVE-2017-7790, CVE-2017-7791, CVE-2017-7792, CVE-2017-7794, CVE-2017-7796, CVE-2017-7797, CVE-2017-7798, CVE-2017-7799, CVE-2017-7800, CVE-2017-7801, CVE-2017-7802, CVE-2017-7803, CVE-2017-7804, CVE-2017-7806, CVE-2017-7807, CVE-2017-7808, CVE-2017-7809

BID: 100196, 100197, 100198, 100199, 100201, 100202, 100203, 100206, 100234, 100240, 100242, 100243, 100315, 100373, 100374, 100379, 100383, 100389, 100401