Mozilla Firefox < 58 Multiple Vulnerabilities

critical Nessus Network Monitor Plugin ID 700326

Synopsis

The remote host has a web browser installed that is vulnerable to multiple attack vectors.

Description

Versions of Mozilla Firefox earlier than 58 are unpatched for the following vulnerabilities:

- An out-of-bounds read flaw exists in the 'js::WasmTableObject::getImpl()' function. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents.
- An overflow condition exists in the 'ShiftFromList()' function in 'js/src/vm/List-inl.h' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to cause a heap-based buffer overflow and potentially execute arbitrary code.
- A flaw exists in 'gfx/2d/Filters.h' related to missing thread safety. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the JavaScript just-in-time (JIT) compiler that is triggered when handling call stacks. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists that is triggered as certain input is not properly validated when handling TypeScripts. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'AppendToList()' function in 'js/src/vm/List-inl.h' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'CalcTableChecksum()' function in 'gfx/2d/ScaledFontMac.cpp' that is triggered when handling checksums that are not 4-byte aligned. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'HttpChannelChild::Release()' function in 'netwerk/protocol/http/HttpChannelChild.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'WebrtcVideoConduit::VideoStreamFactory::CreateEncoderStreams()' function in 'media/webrtc/signaling/src/media-conduit/VideoConduit.cpp' that is triggered as certain input is not properly validated when handling temporal layers for screencasts. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in 'dom/media/MediaDecoderStateMachine.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'ParseFTPList()' function in 'netwerk/streamconv/converters/ParseFTPList.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the accessibility component related to use of uninitialized memory. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists related to use of uninitialized memory when handling cocoa widgets. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the security manager component related to use of uninitialized memory. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An integer overflow exists that is triggered when allocating memory for edge builders. This may allow a context-dependent attacker to potentially execute arbitrary code.
- A use-after-free error exists that is triggered when the source document for XSL transformation is manipulated by script content during the transformation. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A use-after-free error exists in 'layout/forms/nsNumberControlFrame.cpp' that is triggered when handling form input elements. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A use-after-free error exists in the widget listener. The issue is triggered when holding strong references to browser objects. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A use-after-free error exists in the 'nsIDocument::IsPotentiallyScrollable()' function in 'dom/base/nsDocument.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A use-after-free error exists in the 'nsCSSFrameConstructor::CreateLetterFrame()' function in 'layout/base/nsCSSFrameConstructor.cpp' that is triggered when manipulating floating first-letter style elements. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A use-after-free error exists in 'dom/html/HTMLMediaElement.cpp' that is triggered when handling specially crafted HTML media elements. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A use-after-free error exists in the 'EventStateManager::DispatchMouseOrPointerEvent()' function in 'dom/events/EventStateManager.cpp' that is triggered when handling mouse events. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A use-after-free error exists that is triggered when handling font faces. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A flaw exists in WebExtensions that may allow a context-dependent attacker to bypass user prompts and save and execute downloaded files without user confirmation.
- A flaw exists that is triggered when a user selects links while tools are open. This may allow a context-dependent attacker to cause style editor traffic in the Developer Tools to be routed through a service worker hosted on a third party website, potentially disclosing sensitive cross-origin information.
- A flaw exists as the printing process creates temporary files insecurely. It is possible for a local attacker to use a symlink attack against a file to cause the program to unexpectedly disclose arbitrary files.
- A flaw exists in 'dom/file/nsHostObjectProtocolHandler.cpp' that is triggered during the handling of certain manually entered blob URLs. This may allow a context-dependent attacker to gain access to potentially sensitive information from private browsing.
- A flaw exists in the 'MediaManager::GetUserMedia()' function in 'dom/media/MediaManager.cpp'. This may allow a context-dependent attacker to spoof the origin of audio prompts.
- A flaw exists that is triggered when cursor visibility is toggled back and forth from 'none' to an image via a script. This may allow a context-dependent attacker to cause the cursor to be rendered invisibly.
- A flaw exists that is triggered during the handling of a specially formatted URL that is dragged to the address bar from page content. This may allow a context-dependent attacker to spoof the URL bar.
- A flaw exists in the development tool panels of an extension that may allow a context-dependent attacker to bypass restrictions and load non-relative URLs, which may potentially include privileged pages.
- A flaw exists in the 'browser.identity.launchWebAuthFlow()' function in WebExtensions that is triggered as HTTPS content loading restrictions are not properly honored. This may allow a context-dependent attacker to load content over an HTTP connection.
- A flaw exists that is triggered when changing a cookie to HttpOnly when a document is open. This can cause the cookie to remain accessible until the document is closed.
- A flaw exists that is due to the program displaying HTTP authentication prompts from background pages over the currently loaded foreground page. This may allow a context-dependent attacker to potentially spoof the originating page of an authentication prompt.
- A flaw exists in WebExtensions with the ActiveTab permission that may allow a context-dependent attacker to inject frames from arbitrary origins into the loaded page and gain access to arbitrary frame content.
- A flaw exists in 'browser/base/content/browser.js' that is triggered when right-to-left text is used in the address bar with left-to-right alignment. This may allow a context-dependent attacker to spoof the URL bar.
- A flaw exists in the Activity Stream page that is triggered as it may improperly create images via the file: URL. This may allow a context-dependent attacker to gain access to potentially sensitive local information.
- A flaw exists in the reader view that can allow a context-dependent attacker to bypass CORS header restrictions and view cross-origin content that should be prohibited from loading.
- A flaw exists in 'browser/themes/osx/browser.css' that is triggered when rendering Tibetan characters in several unspecified fonts. This may allow a context-dependent attacker to spoof a valid domain name.
- An integer overflow exists in the 'DoCrypt()' function in 'dom/crypto/WebCryptoTask.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A use-after-free error exists that is triggered when WebRTC connections interact with DTMF timers. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A use-after-free error exists that is triggered when handling threads for web workers. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A use-after-free error exists that is triggered when editing events in form elements on a page. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A flaw exists in the 'JSStructuredCloneReader::readV1ArrayBuffer()' function in 'js/src/vm/StructuredClone.cpp' that is triggered when deserializing invalid typed arrays. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'nsCookieService::RemoveCookiesWithOriginAttributes()' function in 'netwerk/cookie/nsCookieService.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'WebrtcGmpVideoDecoder::ReleaseGmp()' function in 'media/webrtc/signaling/src/media-conduit/WebrtcGmpVideoCodec.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'nsCookieService::PurgeCookies()' function in 'netwerk/cookie/nsCookieService.cpp' that is triggered when handling cookie expiry. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified race condition exists in 'modules/libjar/nsJAR.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified race condition exists in 'netwerk/base/AutoClose.h' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the browser UI that is triggered when handling specially crafted HTML fragments. This may allow a context-dependent attacker to potentially execute arbitrary code.

- Multiple vulnerabilities in the following files may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code:
- 'media/webrtc/signaling/src/mediapipeline/MediaPipeline.cpp'
- 'gfx/thebes/gfxPlatformFontList.cpp'
- 'dom/media/systemservices/CamerasChild.cpp'
- 'dom/media/MediaDecoder.cpp'
- 'js/src/gc/Zone.h'
- 'js/src/jsfun.h'
- 'dom/plugins/ipc/PluginMessageUtils.cpp'
- 'ipc/glue/IPCMessageUtils.h'
- 'dom/media/webrtc/MediaEngineDefault.cpp'
- 'toolkit/components/places/History.cpp'
- 'startupcache/StartupCache.cpp'
- 'dom/media/GraphDriver.cpp'
- 'media/webrtc/signaling/src/media-conduit/WebrtcGmpVideoCodec.h'
- 'dom/base/DirectionalityUtils.cpp'
- 'media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp'
- 'js/src/vm/StructuredClone.cpp'

Solution

Upgrade to Firefox version 58 or later.

See Also

https://www.mozilla.org/en-US/security/advisories/mfsa2018-02

Plugin Details

Severity: Critical

ID: 700326

Family: Web Clients

Published: 8/21/2018

Updated: 3/6/2019

Dependencies: 9131

Nessus ID: 106303

Risk Information

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Patch Publication Date: 1/23/2018

Vulnerability Publication Date: 10/9/2017

Reference Information

CVE: CVE-2018-5089, CVE-2018-5091, CVE-2018-5095, CVE-2018-5096, CVE-2018-5097, CVE-2018-5098, CVE-2018-5099, CVE-2018-5102, CVE-2018-5103, CVE-2018-5104, CVE-2018-5117, CVE-2018-5090, CVE-2018-5092, CVE-2018-5093, CVE-2018-5094, CVE-2018-5100, CVE-2018-5101, CVE-2018-5105, CVE-2018-5106, CVE-2018-5107, CVE-2018-5108, CVE-2018-5109, CVE-2018-5111, CVE-2018-5112, CVE-2018-5113, CVE-2018-5114, CVE-2018-5115, CVE-2018-5116, CVE-2018-5118, CVE-2018-5119, CVE-2018-5122, CVE-2018-5124, CVE-2018-5013, CVE-2018-5110, CVE-2018-5121

BID: 102783