Mozilla Firefox < 48.0 Multiple Vulnerabilities

High Nessus Network Monitor Plugin ID 9484

Synopsis

The remote host has a web browser installed that is vulnerable to multiple attack vectors.

Description

Versions of Mozilla Firefox prior to 48.0 are unpatched for the following vulnerabilities :

- A flaw is triggered as certain input is not properly validated when handling the 'BitmapInfoHeader' in icons. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in 'js/src/frontend/Parser.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'js::array_splice_impl()' function in 'js/src/jsarray.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw is triggered as certain unspecified user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'OSXNotificationCenter::ShowAlertWithIconData()' function in 'widget/cocoa/OSXNotificationCenter.mm' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'Http2Session::TransactionHasDataToWrite()' function in 'netwerk/protocol/http/Http2Session.cpp' and 'SpdySession31::TransactionHasDataToWrite()' function in 'netwerk/protocol/http/SpdySession31.cpp'. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'Assembler::bind()' function in 'js/src/jit/arm/Assembler-arm.cpp' that is triggered when handling certain labels. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'CodeGeneratorShared::assignBailoutId()' function in 'js/src/jit/shared/CodeGenerator-shared.cpp' that is triggered when handling allocation errors. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An overflow condition exists in 'woff2_dec.cc' that is triggered as certain input is not properly validated when decompressing files. This may allow a context-dependent attacker to cause a buffer overflow and potentially execute arbitrary code.
- A flaw exists in the 'SetPaintPattern()' function in 'gfx/2d/DrawTargetSkia.cpp' that is triggered when handling gradients with non-finite endpoints. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'PeerConnectionMedia::ProtocolProxyQueryHandler::OnProxyAvailable()' function in 'media/webrtc/signaling/src/peerconnection/PeerConnectionMedia.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in 'media/mtransport/nr_timer.cpp' that is triggered when handling timers. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A race condition exists in the 'MatchKeyHash()' function in 'security/pkix/lib/pkixocsp.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An overflow condition exists in the 'ClearKeyDecryptor::Decrypt()' function in 'media/gmp-clearkey/0.1/ClearKeyDecryptionManager.cpp' used by the Encrypted Media Extensions (EME) API. The issue is triggered as user-supplied input is not properly validated when handling video files. This may allow a context-dependent attacker to cause a buffer overflow, potentially allowing the execution of arbitrary code.
- A flaw is triggered as file URIs dragged from a web page to a different piece of software failed to have the contents properly filtered. This may allow a context-dependent attacker to gain access to potentially sensitive information.
- A flaw is triggered when handling right-to-left character sets with left-to-right character sets. This may allow a context-dependent attacker to spoof the address bar.
- A flaw is triggered when handling certain specific 'about:' URLs. This may allow a context-dependent attacker to spoof the contents of system information or error messages.
- A flaw exists in the 'HttpBaseChannel::GetPerformance()' function in 'netwerk/protocol/http/HttpBaseChannel.cpp' due to the program leaking potentially sensitive resources of URLs through the Resource Timing API during page navigation. This may allow a context-dependent attacker to potentially disclose sensitive information.
- An integer overflow condition exists in the 'WebSocketChannel::ProcessInput()' function in 'netwerk/protocol/websocket/WebSocketChannel.cpp'. The issue is triggered as user-supplied input is not properly validated when handling specially crafted 'WebSocketChannel' packets. This may allow a context-dependent attacker to potentially execute arbitrary code.
- A use-after-free error exists in the 'nsNodeUtils::NativeAnonymousChildListChange()' function. The issue is triggered when applying effects to SVG element. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A use-after-free error exists in the 'js::PreliminaryObjectArray::sweep()' function in JavaScript. The issue is triggered when handling objects and pointers during incremental garbage collection. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A use-after-free error exists in 'WebRTC'. The issue is triggered when handling DTLS objects. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A flaw exists in the r'estorableFormNodes()' function in 'toolkit/modules/sessionstore/XPathGenerator.jsm' that is due to the program persistently storing passwords in in plaintext in session restore data. This may allow a context-dependent attacker to potentially gain access to password information.
- A use-after-free error exists in the 'WorkerPrivate::DestroySyncLoop()' function in 'dom/workers/WorkerPrivate.cpp'. The issue is triggered when handling nested sync event loops in Service Workers. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A type confusion flaw exists in the 'nsDisplayList::HitTest()' function in 'layout/base/nsDisplayList.cpp' that is triggered during the handling of display transformations. This may allow a context-dependent attacker to potentially execute arbitrary code.
- A flaw exists in the 'nsBaseChannel::Redirect()' function in 'netwerk/base/nsBaseChannel.cpp' that is triggered when a malicious shortcut is called from the same directory as a local HTML file. This may allow a local attacker to bypass the same-origin policy.
- An underflow condition exists in the 'mozilla::gfx::BasePoint4d()' function in 'gfx/2d/Matrix.h'. The issue is triggered as user-supplied input is not properly validated when calculating clipping regions in 2D graphics. This may allow a context-dependent attacker to cause a stack buffer underflow, potentially allowing the execution of arbitrary code.
- An overflow condition exists in the 'nsBidi::BracketData::ProcessPDI()' function in 'layout/base/nsBidi.cpp'. The issue is triggered as user-supplied input is not properly validated when rendering SVG format graphics with directional content. This may allow a context-dependent attacker to cause a heap-based buffer overflow, potentially allowing the execution of arbitrary code.
- A flaw exists in the 'Cairo' graphics layer that is triggered when allocating the 'LibAV' header during video decoding. This may allow a context-dependent attacker to crash the Cairo graphics layer.
- A flaw is due to event handler attributes on a 'marquee' tag being executed inside a sandboxed iframe that does not have the allow-scripts flag set. This may allow a context-dependent attacker to bypass XSS protection mechanisms.
- A flaw is due to the program failing to close connections after requesting favicons. This may allow a context-dependent attacker to continue to send requests to the user's browser and gain access to potentially sensitive information.
- A use-after-free error exists in the 'nsXULPopupManager::KeyDown()' function in 'layout/xul/nsXULPopupManager.cpp'. The issue is triggered when using the alt key in conjunction with top level menu items in Firefox. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A flaw is triggered when decoding url-encoded values in 'data:' URLs. This may allow a context-dependent attacker to use non-ASCII or emoji characters to spoof the address bar.
- A flaw exists in 'toolkit/mozapps/update/updater/updater.cpp' that is due to the 'Updater', when opened using the callback application path parameter, creating a copy of a user specified file as a callback file with a locked hardlink. This may allow a local attacker to run the target file and gain elevated privileges.
- An unspecified flaw exists that is triggered during the handling of TTC detection. This may allow a context-dependent attacker to have an unspecified impact. No further details have been provided.
- An out-of-bounds access flaw exists in the 'ReconstructTransformedHmtx()' function in 'woff2_dec.cc' that may allow a context-dependent attacker to have an unspecified impact.
- An unspecified flaw exists in 'woff2_dec.cc' that may allow a context-dependent attacker to have an unspecified impact.
- An unspecified flaw exists in 'woff2_dec.cc' that is triggered during memory allocation, which may allow a context-dependent attacker to crash a process linked against the library.

Solution

Upgrade to Firefox version 48.0 or later.

See Also

https://www.mozilla.org/en-US/security/advisories/mfsa2016-62

https://www.mozilla.org/en-US/security/advisories/mfsa2016-63

https://www.mozilla.org/en-US/security/advisories/mfsa2016-64

https://www.mozilla.org/en-US/security/advisories/mfsa2016-66

https://www.mozilla.org/en-US/security/advisories/mfsa2016-67

https://www.mozilla.org/en-US/security/advisories/mfsa2016-68

https://www.mozilla.org/en-US/security/advisories/mfsa2016-69

https://www.mozilla.org/en-US/security/advisories/mfsa2016-70

https://www.mozilla.org/en-US/security/advisories/mfsa2016-71

https://www.mozilla.org/en-US/security/advisories/mfsa2016-72

https://www.mozilla.org/en-US/security/advisories/mfsa2016-73

https://www.mozilla.org/en-US/security/advisories/mfsa2016-74

https://www.mozilla.org/en-US/security/advisories/mfsa2016-75

https://www.mozilla.org/en-US/security/advisories/mfsa2016-76

https://www.mozilla.org/en-US/security/advisories/mfsa2016-77

https://www.mozilla.org/en-US/security/advisories/mfsa2016-78

https://www.mozilla.org/en-US/security/advisories/mfsa2016-79

https://www.mozilla.org/en-US/security/advisories/mfsa2016-80

https://www.mozilla.org/en-US/security/advisories/mfsa2016-81

https://www.mozilla.org/en-US/security/advisories/mfsa2016-83

https://www.mozilla.org/en-US/security/advisories/mfsa2016-84

Plugin Details

Severity: High

ID: 9484

Family: Web Clients

Published: 2016/08/26

Updated: 2019/03/06

Dependencies: 9131

Nessus ID: 92755

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

CVSS v3.0

Base Score: 6.2

Temporal Score: 5.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mozilla:firefox

Patch Publication Date: 2016/08/02

Vulnerability Publication Date: 2016/07/21

Reference Information

CVE: CVE-2016-2830, CVE-2016-2835, CVE-2016-2836, CVE-2016-2837, CVE-2016-2838, CVE-2016-2839, CVE-2016-5250, CVE-2016-5251, CVE-2016-5252, CVE-2016-5253, CVE-2016-5254, CVE-2016-5255, CVE-2016-5258, CVE-2016-5259, CVE-2016-5260, CVE-2016-5261, CVE-2016-5262, CVE-2016-5263, CVE-2016-5264, CVE-2016-5265, CVE-2016-5266, CVE-2016-5267, CVE-2016-5268

BID: 92258, 92260, 92261