Mozilla Firefox ESR < 52.3 Multiple Vulnerabilities

High Nessus Network Monitor Plugin ID 700183

Synopsis

The remote host has a web browser installed that is vulnerable to multiple attack vectors.

Description

Versions of Mozilla Firefox ESR earlier than 52.3 are unpatched for the following vulnerabilities:

- A flaw exists in the 'Accessible::RemoveChild()' function in 'accessible/generic/Accessible.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 162908)
- A use-after-free error exists in the 'nsMIMEHeaderParamImpl::DecodeRFC5987Param()' function in 'netwerk/mime/nsMIMEHeaderParamImpl.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (OSVDB 162912)
- A flaw exists in the 'nsWindow::SetParent()' function in 'widget/windows/nsWindow.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 162913)
- A race condition exists in 'media/webrtc/trunk/webrtc/modules/desktop_capture/screen_capturer_mac.mm' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 162914)
- An unspecified flaw exists related to missing thread safety that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 162915)
- A flaw exists in the 'NotifyTrackRemoved()' function in 'dom/media/MediaRecorder.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 162916)
- A flaw exists in the 'InitGlobalLexicalOperation()' function in 'js/src/vm/Interpreter-inl.h' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 162917)
- A flaw exists in the 'js::FinishCompilation()' function in 'js/src/vm/TypeInference.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 162918)
- A flaw exists in the 'TypedArrayObjectTemplate::makeTemplateObject()' function in 'js/src/vm/TypedArrayObject.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 162919)
- An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. No further details have been provided by the vendor. (OSVDB 162920)
- An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. No further details have been provided by the vendor. (OSVDB 162921)
- A flaw exists in the 'DocAccessible::DoARIAOwnsRelocation()' function in 'accessible/generic/DocAccessible.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 162922)
- A flaw exists in the 'nsFTPDirListingConv::DigestBufferLines()' function in 'netwerk/streamconv/converters/nsFTPDirListingConv.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 162924)
- An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. No further details have been provided by the vendor. (OSVDB 162925)
- A flaw exists in the 'TraceSelf()' function in 'dom/bindings/TypedArray.h' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 162926)
- A flaw exists in the 'WebSocket::Send()' function in 'dom/base/WebSocket.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 162927)
- A flaw exists in the 'ExpressionDecompiler::decompilePC()' function in 'js/src/jsopcode.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 162928)
- A flaw exists in the 'IonBuilder::addOsrValueTypeBarrier()' function in 'js/src/jit/IonBuilder.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 162929)
- An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. No further details have been provided by the vendor. (OSVDB 162930)
- A flaw exists in the Developer Tools feature that is triggered as web page source code is not properly validated. This may allow a context-dependent attacker to inject and execute arbitrary XUL code. (OSVDB 162932)
- A use-after-free error exists in the 'WebSocketImpl::Disconnect()' function in 'dom/base/WebSocket.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (OSVDB 162933)
- A use-after-free error exists that is triggered when re-computing the layout for marquee elements during window resizing. With a specially crafted web page, a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code. (OSVDB 162934)
- A use-after-free error exists that is triggered when deleting attached editor DOM nodes. With a specially crafted web page, a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code. (OSVDB 162935)
- A use-after-free error exists in the 'nsImageLoadingContent::Notify()' function in 'dom/base/nsImageLoadingContent.cpp' that is triggered when reading image observers during frame reconstruction. With a specially crafted web page, a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code. (OSVDB 162936)
- A use-after-free error exists that is triggered when resizing image elements. With a specially crafted web page, a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code. (OSVDB 162937)
- An overflow condition exists that is triggered as certain input is not properly validated when manipulating Accessible Rich Internet Applications (ARIA) attributes. This may allow a context-dependent attacker to cause a buffer overflow and potentially execute arbitrary code. (OSVDB 162938)
- An overflow condition exists that is triggered as certain input is not properly validated when painting non-displayable SVG elements. This may allow a context-dependent attacker to cause a buffer overflow and potentially execute arbitrary code. (OSVDB 162939)
- An out-of-bounds read flaw exists that is triggered when handling cached style data and pseudo-elements. This may allow a context-dependent attacker to potentially disclose sensitive memory contents. (OSVDB 162941)
- A flaw exists in the 'nsDocShell::OnNewURI()' function in 'docshell/base/nsDocShell.cpp' that is triggered when handling pages with embedded iframes during page reloads. With a specially crafted web page, a context-dependent attacker can bypass the same-origin policy. (OSVDB 162942)
- A flaw exists in the AppCache feature related to handling of websites under a subdirectory adding fallback pages. With a specially crafted website, a context-dependent attacker can hijack a domain. (OSVDB 162944)
- A flaw exists in the 'openTabPrompt()' and 'openRemotePrompt()' functions in 'toolkit/components/prompts/src/nsPrompter.js' that is triggered when handling page navigations with data: protocols and modal alerts. This may allow a context-dependent attacker to conduct spoofing attacks. (OSVDB 162945)
- A flaw exists in 'xpcom/build/nsWindowsDllInterceptor.h' that is triggered as WindowsDllDetourPatcher may allocate memory with RWX permissions. This may allow a context-dependent attacker to bypass intended DEP protection and more easily exploit another vulnerability that allows code execution. (OSVDB 162946)
- A flaw exists in the handling of the content security policy (CSP) sandbox directive. This may result in other directives being ignored and incorrect enforcement of the CSP. (OSVDB 162951)
- A flaw exists in 'xpcom/build/nsWindowsDllInterceptor.h' that is triggered as the WindowsDllDetourPatcher class destructor may be re-purposed by malicious code. This may allow a context-dependent attacker to bypass memory protections. (OSVDB 162956)
- An overflow condition exists in 'security/manager/ssl/nsNSSCertHelper.cpp' that is triggered when viewing certificates with overly long OIDs. This may allow a context-dependent attacker to cause a buffer overflow and potentially execute arbitrary code. (OSVDB 162958)

Solution

Upgrade to Firefox version 52.3 or later.

See Also

https://www.mozilla.org/en-US/security/advisories/mfsa2017-18

https://www.mozilla.org/en-US/security/advisories/mfsa2017-19

http://www.nessus.org/u?72a63c9b

Plugin Details

Severity: High

ID: 700183

File Name: 700183.prm

Family: Web Clients

Published: 2017/08/21

Modified: 2017/08/21

Dependencies: 9131

Nessus ID: 102358

Risk Information

Risk Factor: High

CVSSv2

Base Score: 9.3

Temporal Score: 8.1

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

CVSSv3

Base Score: 7.5

Temporal Score: 7.1

Vector: CVSS3#AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS3#E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mozilla:firefox

Patch Publication Date: 2016/08/08

Vulnerability Publication Date: 2017/08/08

Reference Information

CVE: CVE-2017-7753, CVE-2017-7779, CVE-2017-7782, CVE-2017-7784, CVE-2017-7785, CVE-2017-7786, CVE-2017-7787, CVE-2017-7791, CVE-2017-7792, CVE-2017-7798, CVE-2017-7800, CVE-2017-7801, CVE-2017-7802, CVE-2017-7803, CVE-2017-7804, CVE-2017-7807, CVE-2017-7809

BID: 100196, 100197, 100198, 100201, 100202, 100203, 100206, 100206, 100206, 100234, 100234, 100234, 100240, 100242, 100243, 100315