Mozilla Firefox < 43.0 Multiple Vulnerabilities

High Nessus Network Monitor Plugin ID 9058

Synopsis

The remote host has a web browser installed that is vulnerable to multiple attack vectors.

Description

The version of Firefox is prior to 43.0 and is affected by multiple vulnerabilities :

- Multiple unspecified memory corruption issues exist due to improper validation of user-supplied input. A remote attacker can exploit these issues by convincing a user to visit a specially crafted web page, resulting in the execution of arbitrary code. (CVE-2015-7201)
- Multiple unspecified memory corruption issues exist due to improper validation of user-supplied input. A remote attacker can exploit these issues by convincing a user to visit a specially crafted web page, resulting in the execution of arbitrary code. (CVE-2015-7202)
- An overflow condition exists in the 'LoadFontFamilyData()' function due to improper validation of user-supplied input. A remote attacker can exploit this to cause a buffer overflow, resulting in the execution of arbitrary code. (CVE-2015-7203)
- A flaw exists in the 'PropertyWriteNeedsTypeBarrier()' function due to improper handling of unboxed objects during JavaScript variable assignments. A remote attacker can exploit this to execute arbitrary code. (CVE-2015-7204)
- A flaw exists in the 'RtpHeaderParser::Parse()' function due to improper handling of RTP headers. An unauthenticated, remote attacker can exploit this, via specially crafted RTP headers, to execute arbitrary code. (CVE-2015-7205)
- A same-origin bypass vulnerability exists that is triggered after a redirect when the function is used alongside an iframe to host a page. An attacker can exploit this to gain access to cross-origin URL information. (CVE-2015-7207)
- The 'SetCookieInternal()' function improperly allows control characters (e.g. ASCII code 11) to be inserted into cookies. An attacker can exploit this to inject cookies. (CVE-2015-7208)
- A use-after-free error exists due to improper prevention of datachannel operations on closed PeerConnections. An attacker can exploit this to dereference already freed memory, resulting in the execution of arbitrary code. (CVE-2015-7210)
- A flaw exists in the 'ParseURI()' function due to improper handling of a hash (#) character in the 'data:' URI. An attacker can exploit this to spoof the URL bar. (CVE-2015-7211)
- An overflow condition exists in the 'AllocateForSurface()' function due to improper validation of user-supplied input when handling texture allocation in graphics operations. An attacker can exploit this to execute arbitrary code. (CVE-2015-7212)
- An integer overflow condition exists in the 'readMetaData()' function due to improper validation of user-supplied input when handling a specially crafted MP4 file. An attacker can exploit this to execute arbitrary code. (CVE-2015-7213)
- A same-origin bypass vulnerability exists due to improper handling of 'data:' and 'view-source:' URIs. An attacker can exploit this to read data from cross-site URLs and local files. (CVE-2015-7214)
- An information disclosure vulnerability exists due to improper handling of error events in web workers. An attacker can exploit this to gain access to sensitive cross-origin information. (CVE-2015-7215)
- The gdk-pixbuf configuration on Linux GNOME platforms incorrectly enables the JasPer decoder, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted JPEG 2000 image. (CVE-2015-7216)
- The gdk-pixbuf configuration on Linux GNOME platforms incorrectly enables the TGA decoder, which allows remote attackers to cause a denial of service (heap-based buffer overflow) via a crafted Truevision TGA image. (CVE-2015-7217)
- Multiple integer underflow conditions exist due to improper validation of user-supplied input when handling HTTP2 frames. An attacker can exploit these to crash the application, resulting in a denial of service. (CVE-2015-7218, CVE-2015-7219)
- An overflow condition exists in the 'XDRBuffer::grow()' function due to improper validation of user-supplied input. An attacker can exploit this to cause a buffer overflow, resulting in the execution of arbitrary code. (CVE-2015-7220)
- An overflow condition exists in the 'GrowCapacity()' function due to improper validation of user-supplied input. An attacker can exploit this to cause a buffer overflow, resulting in the execution of arbitrary code. (CVE-2015-7221)
- An integer underflow condition exists in the bundled version of libstagefright in the 'parseChunk()' function that is triggered when handling 'covr' chunks. An unauthenticated, remote attacker can exploit this, via specially crafted media content, to crash the application or execute arbitrary code. (CVE-2015-7222)
- A privilege escalation vulnerability exists in the Extension.jsm script due to a failure to restrict WebExtension APIs from being injected into documents without WebExtension principals. An attacker can exploit this to conduct a cross-site scripting attack, resulting in the execution of arbitrary script code in a user's browser session. (CVE-2015-7223)

Solution

Upgrade to Firefox 43 or later.

See Also

https://www.mozilla.org/en-US/security/advisories/mfsa2015-134

https://www.mozilla.org/en-US/security/advisories/mfsa2015-135

https://www.mozilla.org/en-US/security/advisories/mfsa2015-136

https://www.mozilla.org/en-US/security/advisories/mfsa2015-137

https://www.mozilla.org/en-US/security/advisories/mfsa2015-138

https://www.mozilla.org/en-US/security/advisories/mfsa2015-139

https://www.mozilla.org/en-US/security/advisories/mfsa2015-140

https://www.mozilla.org/en-US/security/advisories/mfsa2015-141

https://www.mozilla.org/en-US/security/advisories/mfsa2015-142

https://www.mozilla.org/en-US/security/advisories/mfsa2015-144

https://www.mozilla.org/en-US/security/advisories/mfsa2015-145

https://www.mozilla.org/en-US/security/advisories/mfsa2015-146

https://www.mozilla.org/en-US/security/advisories/mfsa2015-147

https://www.mozilla.org/en-US/security/advisories/mfsa2015-148

https://www.mozilla.org/en-US/security/advisories/mfsa2015-149

Plugin Details

Severity: High

ID: 9058

Family: Web Clients

Published: 2016/01/27

Modified: 2016/11/23

Dependencies: 9131

Nessus ID: 87476

Risk Information

Risk Factor: High

CVSSv2

Base Score: 9.3

Temporal Score: 6.9

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSSv3

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS3#AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS3#E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mozilla:firefox

Patch Publication Date: 2015/09/25

Vulnerability Publication Date: 2015/07/20

Reference Information

CVE: CVE-2015-7201, CVE-2015-7202, CVE-2015-7203, CVE-2015-7204, CVE-2015-7205, CVE-2015-7207, CVE-2015-7208, CVE-2015-7210, CVE-2015-7211, CVE-2015-7212, CVE-2015-7213, CVE-2015-7214, CVE-2015-7215, CVE-2015-7216, CVE-2015-7217, CVE-2015-7218, CVE-2015-7219, CVE-2015-7220, CVE-2015-7221, CVE-2015-7223

BID: 79278, 79279, 79280, 79283