Mozilla Firefox < 27.0 / Firefox ESR 24.x < 24.3 Multiple Vulnerabilities

High Nessus Network Monitor Plugin ID 8098

Synopsis

The remote host has a web browser installed that is vulnerable to multiple attack vectors.

Description

Versions of Mozilla Firefox earlier than 27.0 (or ESR versions earlier than 24.3) are prone to the following vulnerabilities :

- Memory issues exist in the browser engine that could result in a denial of service or arbitrary code execution. (CVE-2014-1477, CVE-2014-1478)
- An error exists related to System Only Wrappers (SOW) and the XML Binding Language (XBL) that could allow XUL content to be disclosed. (CVE-2014-1479)
- An error exists related to the 'open file' dialog that could allow users to take unintended actions. (CVE-2014-1480)
- An error exists related to the JavaScript engine and 'window' object handling that has unspecified impact. (CVE-2014-1481)
- An error exists related to 'RasterImage' and image decoding that could allow application crashes and possibly arbitrary code execution. (CVE-2014-1482)
- Errors exist related to IFrames, 'document.caretPositionFromPoint' and 'document.elementFromPoint' that could allow cross-origin information disclosure. (CVE-2014-1483)
- An error exists related to the Content Security Policy (CSP) and XSLT stylesheets that could allow unintended script execution. (CVE-2014-1485)
- A use-after-free error exists related to image handling and 'imgRequestProxy' that could allow application crashes and possibly arbitrary code execution. (CVE-2014-1486)
- An error exists related to 'web workers' that could allow cross-origin information disclosure. (CVE-2014-1487)
- An error exists related to 'web workers' and 'asm.js' that could allow application crashes and possibly arbitrary code execution. (CVE-2014-1488)
- An error exists that could allow webpages to access activate content from the 'about:home' page that could lead to data loss. (CVE-2014-1489)
- Errors exist related to the included Network Security Services (NSS) libraries, 'NewSessionTicket' handshakes and public Diffie-Hellman values that could allow application crashes and possibly arbitrary code execution. (CVE-2014-1490, CVE-2014-1491)

Solution

Upgrade to Firefox 27.0 (or Firefox ESR versions 24.3, as appropriate), or later.

See Also

http://www.mozilla.org/security/announce/2014/mfsa2014-01.html

http://www.mozilla.org/security/announce/2014/mfsa2014-02.html

http://www.mozilla.org/security/announce/2014/mfsa2014-03.html

http://www.mozilla.org/security/announce/2014/mfsa2014-04.html

http://www.mozilla.org/security/announce/2014/mfsa2014-05.html

http://www.mozilla.org/security/announce/2014/mfsa2014-06.html

http://www.mozilla.org/security/announce/2014/mfsa2014-07.html

http://www.mozilla.org/security/announce/2014/mfsa2014-08.html

http://www.mozilla.org/security/announce/2014/mfsa2014-09.html

http://www.mozilla.org/security/announce/2014/mfsa2014-10.html

http://www.mozilla.org/security/announce/2014/mfsa2014-11.html

http://www.mozilla.org/security/announce/2014/mfsa2014-12.html

http://www.mozilla.org/security/announce/2014/mfsa2014-13.html

Plugin Details

Severity: High

ID: 8098

Family: Web Clients

Published: 2014/02/05

Updated: 2019/03/06

Dependencies: 9131

Nessus ID: 72331

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 9.3

Temporal Score: 8.1

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

CVSS v3.0

Base Score: 8.1

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mozilla:firefox

Patch Publication Date: 2014/02/04

Vulnerability Publication Date: 2014/02/04

Reference Information

CVE: CVE-2014-1477, CVE-2014-1478, CVE-2014-1479, CVE-2014-1480, CVE-2014-1481, CVE-2014-1482, CVE-2014-1483, CVE-2014-1485, CVE-2014-1486, CVE-2014-1487, CVE-2014-1488, CVE-2014-1489, CVE-2014-1490, CVE-2014-1491

BID: 65316, 65317, 65320, 65321, 65322, 65324, 65326, 65328, 65329, 65330, 65331, 65332, 65334, 65335

IAVA: 2016-A-0293