Mozilla Firefox < 48.0 Multiple Vulnerabilities

Severity: Medium | Nessus Network Monitor Plugin ID 9484

Synopsis

The remote host has a web browser installed that is vulnerable to multiple attack vectors.

Description

Versions of Mozilla Firefox prior to 48.0 are unpatched for the following vulnerabilities:

- A flaw is triggered as certain input is not properly validated when handling the 'BitmapInfoHeader' in icons. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in 'js/src/frontend/Parser.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'js::array_splice_impl()' function in 'js/src/jsarray.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw is triggered as certain unspecified user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'OSXNotificationCenter::ShowAlertWithIconData()' function in 'widget/cocoa/OSXNotificationCenter.mm' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'Http2Session::TransactionHasDataToWrite()' function in 'netwerk/protocol/http/Http2Session.cpp' and in the 'SpdySession31::TransactionHasDataToWrite()' function in 'netwerk/protocol/http/SpdySession31.cpp'. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'Assembler::bind()' function in 'js/src/jit/arm/Assembler-arm.cpp' that is triggered when handling certain labels. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'CodeGeneratorShared::assignBailoutId()' function in 'js/src/jit/shared/CodeGenerator-shared.cpp' that is triggered when handling allocation errors. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An overflow condition exists in 'woff2_dec.cc' that is triggered as certain input is not properly validated when decompressing files. This may allow a context-dependent attacker to cause a buffer overflow and potentially execute arbitrary code.
- A flaw exists in the 'SetPaintPattern()' function in 'gfx/2d/DrawTargetSkia.cpp' that is triggered when handling gradients with non-finite endpoints. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'PeerConnectionMedia::ProtocolProxyQueryHandler::OnProxyAvailable()' function in 'media/webrtc/signaling/src/peerconnection/PeerConnectionMedia.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in 'media/mtransport/nr_timer.cpp' that is triggered when handling timers. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A race condition exists in the 'MatchKeyHash()' function in 'security/pkix/lib/pkixocsp.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An overflow condition exists in the 'ClearKeyDecryptor::Decrypt()' function in 'media/gmp-clearkey/0.1/ClearKeyDecryptionManager.cpp' used by the Encrypted Media Extensions (EME) API. The issue is triggered as user-supplied input is not properly validated when handling video files. This may allow a context-dependent attacker to cause a buffer overflow, potentially allowing the execution of arbitrary code.
- A flaw is triggered as file URIs dragged from a web page to a different piece of software failed to have the contents properly filtered. This may allow a context-dependent attacker to gain access to potentially sensitive information.
- A flaw is triggered when handling right-to-left character sets with left-to-right character sets. This may allow a context-dependent attacker to spoof the address bar.
- A flaw is triggered when handling certain specific 'about:' URLs. This may allow a context-dependent attacker to spoof the contents of system information or error messages.
- A flaw exists in the 'HttpBaseChannel::GetPerformance()' function in 'netwerk/protocol/http/HttpBaseChannel.cpp' due to the program leaking potentially sensitive resources of URLs through the Resource Timing API during page navigation. This may allow a context-dependent attacker to potentially disclose sensitive information.
- An integer overflow condition exists in the 'WebSocketChannel::ProcessInput()' function in 'netwerk/protocol/websocket/WebSocketChannel.cpp'. The issue is triggered as user-supplied input is not properly validated when handling specially crafted 'WebSocketChannel' packets. This may allow a context-dependent attacker to potentially execute arbitrary code.
- A use-after-free error exists in the 'nsNodeUtils::NativeAnonymousChildListChange()' function. The issue is triggered when applying effects to an SVG element. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A use-after-free error exists in the 'js::PreliminaryObjectArray::sweep()' function in JavaScript. The issue is triggered when handling objects and pointers during incremental garbage collection. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A use-after-free error exists in 'WebRTC'. The issue is triggered when handling DTLS objects. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A flaw exists in the 'restorableFormNodes()' function in 'toolkit/modules/sessionstore/XPathGenerator.jsm' that is due to the program persistently storing passwords in plaintext in session restore data. This may allow a context-dependent attacker to potentially gain access to password information.
- A use-after-free error exists in the 'WorkerPrivate::DestroySyncLoop()' function in 'dom/workers/WorkerPrivate.cpp'. The issue is triggered when handling nested sync event loops in Service Workers. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A type confusion flaw exists in the 'nsDisplayList::HitTest()' function in 'layout/base/nsDisplayList.cpp' that is triggered during the handling of display transformations. This may allow a context-dependent attacker to potentially execute arbitrary code.
- A flaw exists in the 'nsBaseChannel::Redirect()' function in 'netwerk/base/nsBaseChannel.cpp' that is triggered when a malicious shortcut is called from the same directory as a local HTML file. This may allow a local attacker to bypass the same-origin policy.
- An underflow condition exists in the 'mozilla::gfx::BasePoint4d()' function in 'gfx/2d/Matrix.h'. The issue is triggered as user-supplied input is not properly validated when calculating clipping regions in 2D graphics. This may allow a context-dependent attacker to cause a stack buffer underflow, potentially allowing the execution of arbitrary code.
- An overflow condition exists in the 'nsBidi::BracketData::ProcessPDI()' function in 'layout/base/nsBidi.cpp'. The issue is triggered as user-supplied input is not properly validated when rendering SVG format graphics with directional content. This may allow a context-dependent attacker to cause a heap-based buffer overflow, potentially allowing the execution of arbitrary code.
- A flaw exists in the 'Cairo' graphics layer that is triggered when allocating the 'LibAV' header during video decoding. This may allow a context-dependent attacker to crash the Cairo graphics layer.
- A flaw is due to event handler attributes on a 'marquee' tag being executed inside a sandboxed iframe that does not have the allow-scripts flag set. This may allow a context-dependent attacker to bypass XSS protection mechanisms.
- A flaw is due to the program failing to close connections after requesting favicons. This may allow a context-dependent attacker to continue to send requests to the user's browser and gain access to potentially sensitive information.
- A use-after-free error exists in the 'nsXULPopupManager::KeyDown()' function in 'layout/xul/nsXULPopupManager.cpp'. The issue is triggered when using the alt key in conjunction with top level menu items in Firefox. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A flaw is triggered when decoding url-encoded values in 'data:' URLs. This may allow a context-dependent attacker to use non-ASCII or emoji characters to spoof the address bar.
- A flaw exists in 'toolkit/mozapps/update/updater/updater.cpp' that is due to the 'Updater', when opened using the callback application path parameter, creating a copy of a user specified file as a callback file with a locked hardlink. This may allow a local attacker to run the target file and gain elevated privileges.
- An unspecified flaw exists that is triggered during the handling of TTC detection. This may allow a context-dependent attacker to have an unspecified impact. No further details have been provided.
- An out-of-bounds access flaw exists in the 'ReconstructTransformedHmtx()' function in 'woff2_dec.cc' that may allow a context-dependent attacker to have an unspecified impact.
- An unspecified flaw exists in 'woff2_dec.cc' that may allow a context-dependent attacker to have an unspecified impact.
- An unspecified flaw exists in 'woff2_dec.cc' that is triggered during memory allocation, which may allow a context-dependent attacker to crash a process linked against the library.

Solution

Upgrade to Firefox version 48.0 or later.

See Also

https://www.mozilla.org/en-US/security/advisories/mfsa2016-62

https://www.mozilla.org/en-US/security/advisories/mfsa2016-63

https://www.mozilla.org/en-US/security/advisories/mfsa2016-64

https://www.mozilla.org/en-US/security/advisories/mfsa2016-67

https://www.mozilla.org/en-US/security/advisories/mfsa2016-68

https://www.mozilla.org/en-US/security/advisories/mfsa2016-70

https://www.mozilla.org/en-US/security/advisories/mfsa2016-72

https://www.mozilla.org/en-US/security/advisories/mfsa2016-73

https://www.mozilla.org/en-US/security/advisories/mfsa2016-76

https://www.mozilla.org/en-US/security/advisories/mfsa2016-77

https://www.mozilla.org/en-US/security/advisories/mfsa2016-78

https://www.mozilla.org/en-US/security/advisories/mfsa2016-79

https://www.mozilla.org/en-US/security/advisories/mfsa2016-80

https://www.mozilla.org/en-US/security/advisories/mfsa2016-66

https://www.mozilla.org/en-US/security/advisories/mfsa2016-69

https://www.mozilla.org/en-US/security/advisories/mfsa2016-71

https://www.mozilla.org/en-US/security/advisories/mfsa2016-74

https://www.mozilla.org/en-US/security/advisories/mfsa2016-75

https://www.mozilla.org/en-US/security/advisories/mfsa2016-81

https://www.mozilla.org/en-US/security/advisories/mfsa2016-83

https://www.mozilla.org/en-US/security/advisories/mfsa2016-84

Plugin Details

Severity: Medium

ID: 9484

Family: Web Clients

Published: 8/26/2016

Updated: 3/6/2019

Dependencies: 9131

Nessus ID: 92755

Risk Information

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

CVSS v3

Risk Factor: Medium

Base Score: 6.3

Temporal Score: 6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*

Patch Publication Date: 8/2/2016

Vulnerability Publication Date: 7/21/2016

Reference Information

CVE: CVE-2016-2830, CVE-2016-2835, CVE-2016-2836, CVE-2016-2837, CVE-2016-2838, CVE-2016-2839, CVE-2016-5252, CVE-2016-5254, CVE-2016-5258, CVE-2016-5259, CVE-2016-5262, CVE-2016-5263, CVE-2016-5264, CVE-2016-5265, CVE-2016-5250, CVE-2016-5261, CVE-2016-5251, CVE-2016-5255, CVE-2016-5260, CVE-2016-5266, CVE-2016-5268, CVE-2016-5253, CVE-2016-5267

BID: 92258, 92261, 92260