Mozilla Firefox < 41.0 Multiple Vulnerabilities

High Nessus Network Monitor Plugin ID 8948

Synopsis

The remote host has a web browser installed that is vulnerable to multiple attack vectors.

Description

The version of Mozilla Firefox is prior to 41.0 and is affected by multiple vulnerabilities:

- A flaw exists in ReadbackResultWriterD3D11::Run(). The issue is triggered as user-supplied input is not properly validated when handling return statuses. This may allow a context-dependent attacker to corrupt memory and have an unspecified impact. (CVE-2015-7180)
- A flaw exists in InitTextures(). The issue is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and have an unspecified impact. (CVE-2015-7117)
- An overflow condition exists in AnimationThread(). The issue is triggered as user-supplied input is not properly validated when handling sscanf arguments. This may allow a context-dependent attacker to cause a stack overflow, resulting in an unspecified impact. (CVE-2015-7176)
- An overflow condition exists in XULContentSinkImpl::AddText(). The issue is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to cause a buffer overflow, resulting in an unspecified impact. (CVE-2015-7175)
- An overflow condition exists in the nsAttrAndChildArray::GrowBy() function in 'dom/base/nsAttrAndChildArray.cpp'. This may allow a context-dependent attacker to cause a buffer overflow and potentially execute arbitrary code. (CVE-2015-7174)
- An overflow condition exists in the nsUnicode*::GetMaxLength() functions that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to cause a buffer overflow and potentially execute arbitrary code. (CVE-2015-4522)
- A flaw exists in ConvertDialogOptions(). The issue is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and have an unspecified impact. (CVE-2015-4521)
- A flaw exists in NetworkUtils.cpp. The issue is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and have an unspecified impact. (CVE-2015-4517)
- An out-of-bounds read flaw exists in 'gfx/2d/DataSurfaceHelpers.cpp' that is triggered during the rendering of 2D canvases. This may allow a context-dependent attacker to potentially disclose sensitive memory contents. (CVE-2015-4512)
- A flaw exists in which identical cache keys may be generated for distinct preflight requests on a site. This may allow a subsequent request to bypass intended cross-origin resource sharing (CORS) checks. (CVE-2015-4520)
- A flaw exists that is triggered when handling images that have been "dragged and dropped" after a redirect. The redirected URL of the image may be available to scripts, potentially allowing a context-dependent attacker to gain unauthorized access to it. (CVE-2015-4519)
- A use-after-free error exists in 'dom/html/HTMLMediaElement.cpp' that is triggered during the handling of HTML media elements. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2015-4509)
- nestegg contains an overflow condition. The issue is triggered as user-supplied input is not properly validated when decoding WebM videos. This may allow a context-dependent attacker to cause a buffer overflow, potentially allowing the execution of arbitrary code. (CVE-2015-4511)
- A flaw related to scratch register scope handling exists. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2015-4500)
- A flaw exists in the cloneLeftHandSide() function in 'frontend/ParseNode.cpp' that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2015-4500)
- A flaw exists that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2015-4500)
- A flaw exists in 'memory/mozjemalloc/jemalloc.c' that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2015-4500)
- A flaw exists in the stagefright component that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2015-4500)
- A flaw exists that is triggered when handling generator function groups, as they have an improper prototype. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2015-4500)
- A flaw exists in the nsXBLService::GetBinding() function in 'dom/xbl/nsXBLService.cpp' that is triggered when loading bindings. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2015-4500)
- A flaw exists in the IndexedDB component that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2015-4500)
- A use-after-free error exists in 'nsIPresShell' that is triggered when handling a restyling operation during the resizing of a canvas element. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2015-4497)
- A flaw exists that is triggered when handling add-on installation using 'data:' URLs. With a specially crafted web page, a context-dependent attacker can bypass the install permission prompt for add-ons and install add-ons from malicious sources. (CVE-2015-4498)

Solution

Upgrade to Firefox 41.0 or later.

See Also

https://www.mozilla.org/en-US/security/advisories/mfsa2015-94

https://www.mozilla.org/en-US/security/advisories/mfsa2015-95

https://www.mozilla.org/en-US/security/advisories/mfsa2015-96

https://www.mozilla.org/en-US/security/advisories/mfsa2015-97

https://www.mozilla.org/en-US/security/advisories/mfsa2015-98

https://www.mozilla.org/en-US/security/advisories/mfsa2015-100

https://www.mozilla.org/en-US/security/advisories/mfsa2015-101

https://www.mozilla.org/en-US/security/advisories/mfsa2015-102

https://www.mozilla.org/en-US/security/advisories/mfsa2015-103

https://www.mozilla.org/en-US/security/advisories/mfsa2015-104

https://www.mozilla.org/en-US/security/advisories/mfsa2015-105

https://www.mozilla.org/en-US/security/advisories/mfsa2015-106

https://www.mozilla.org/en-US/security/advisories/mfsa2015-107

https://www.mozilla.org/en-US/security/advisories/mfsa2015-108

https://www.mozilla.org/en-US/security/advisories/mfsa2015-109

https://www.mozilla.org/en-US/security/advisories/mfsa2015-110

https://www.mozilla.org/en-US/security/advisories/mfsa2015-111

https://www.mozilla.org/en-US/security/advisories/mfsa2015-112

https://www.mozilla.org/en-US/security/advisories/mfsa2015-113

https://www.mozilla.org/en-US/security/advisories/mfsa2015-114

Plugin Details

Severity: High

ID: 8948

Family: Web Clients

Published: 2015/09/29

Modified: 2016/03/07

Dependencies: 9131

Nessus ID: 86071, 86069

Risk Information

Risk Factor: High

CVSSv2

Base Score: 9.3

Temporal Score: 8.1

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

CVSSv3

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS3#AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS3#E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mozilla:firefox

Patch Publication Date: 2015/09/22

Vulnerability Publication Date: 2015/09/22

Reference Information

CVE: CVE-2015-4497, CVE-2015-4498, CVE-2015-4500, CVE-2015-4501, CVE-2015-4502, CVE-2015-4503, CVE-2015-4504, CVE-2015-4505, CVE-2015-4506, CVE-2015-4507, CVE-2015-4508, CVE-2015-4509, CVE-2015-4510, CVE-2015-4511, CVE-2015-4512, CVE-2015-4516, CVE-2015-4517, CVE-2015-4519, CVE-2015-4520, CVE-2015-4521, CVE-2015-4522, CVE-2015-7174, CVE-2015-7175, CVE-2015-7176, CVE-2015-7177, CVE-2015-7178, CVE-2015-7179, CVE-2015-7180, CVE-2015-7327