Mozilla Firefox ESR < 45.6 Multiple Vulnerabilities

High Nessus Network Monitor Plugin ID 9853

Synopsis

The remote host has a web browser installed that is vulnerable to multiple attack vectors.

Description

Versions of Mozilla Firefox ESR earlier than 45.6 are unpatched for the following vulnerabilities :

- A flaw exists in the 'GetNPObjectWrapper()' function in 'dom/plugins/base/nsJSNPRuntime.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 148666)
- An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 148667)
- A flaw exists in the 'ObjectGroup::defaultNewGroup()' function in 'js/src/vm/ObjectGroup.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 148668)
- A flaw exists that is triggered as certain input is not properly validated when handling HTML5 content. With a specially crafted web page, a context-dependent attacker can corrupt memory and potentially execute arbitrary code. (OSVDB 148693)
- An unspecified flaw exists in the 'nsDocShell::RestoreFromHistory()' function in 'docshell/base/nsDocShell.cpp'. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 148695)
- An unspecified flaw exists in the 'Factory::CreateDrawTargetForData()' function in 'gfx/2d/Factory.cpp'. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 148696)
- A flaw exists in 'dom/media/MediaRecorder.cpp' that is triggered when handling a document's activity state changes. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 148697)
- A flaw exists in the 'nsHttpChunkedDecoder::ParseChunkRemaining()' function in 'netwerk/protocol/http/nsHttpChunkedDecoder.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 148698)
- A use-after-free error exists that is triggered when handling media content. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (OSVDB 148699)
- A flaw exists in the 'nsDocument::EnumerateSubDocuments()' function in 'dom/base/nsDocument.cpp' that is triggered when adding and removing sub-documents. With a specially crafted web page, a context-dependent attacker can corrupt memory and potentially execute arbitrary code. (OSVDB 148700)
- A flaw exists in 'dom/bindings/BindingUtils.h' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 148701)
- A use-after-free error exists in 'editor/libeditor/HTMLEditor.cpp' that is triggered when handling DOM subtrees. With a specially crafted web page, a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code. (OSVDB 148704)
- A flaw exists in the 'VaryingPacking::packVarying()' function in 'libANGLE/renderer/d3d/hlsl/VaryingPacking.cpp'. This may allow a context-dependent attacker to corrupt memory and crash a process linked against the library or potentially execute arbitrary code. (OSVDB 148705)
- A use-after-free error exists in the 'nsNodeUtils::CloneAndAdopt()' function in 'dom/base/nsNodeUtils.cpp' that is triggered when handling failing node adoption. With a specially crafted web page, a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code. (OSVDB 148706)
- A flaw exists that is triggered as event handlers for marquee elements are executed despite restrictions against inline JavaScript. This may allow a context-dependent attacker to bypass the Content Security Policy (CSP). (OSVDB 148707)
- A flaw exists in the 'nsDataDocumentContentPolicy::ShouldLoad()' function in 'dom/base/nsDataDocumentContentPolicy.cpp', as external resources may be inappropriately loaded by SVG images by utilizing 'data: URLs'. This may allow a context-dependent attacker to disclose potentially sensitive cross-domain information. (OSVDB 148708)
- A flaw exists that is triggered as HTML tags from the Pocket server are not properly sanitized before use. This may allow a context-dependent attacker to inject content and gain access to the Pocket Messaging API. (OSVDB 148709)
- A flaw exists in 'browser/extensions/pocket/content/main.js' related to the Pocket toolbar button, as it fails to properly verify the origin of events. This may potentially allow a context-dependent attacker to execute commands from other contexts. (OSVDB 148710)
- A flaw exists that is triggered as atom information may be exposed. This may allow a context-dependent attacker to use a JavaScript Map/Set timing attack to determine if atoms are used by other compartments or zones, potentially disclosing cross-domain information. (OSVDB 148711)

Solution

Upgrade to Firefox version 45.6 or later.

See Also

https://www.mozilla.org/en-US/security/advisories/mfsa2016-94

https://www.mozilla.org/en-US/security/advisories/mfsa2016-95

https://www.mozilla.org/en-US/security/advisories/mfsa2016-96

Plugin Details

Severity: High

ID: 9853

File Name: 9853.prm

Family: Web Clients

Published: 2017/01/05

Modified: 2017/01/05

Dependencies: 9131

Risk Information

Risk Factor: High

CVSSv2

Base Score: 9.3

Temporal Score: 8.1

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

CVSSv3

Base Score: 8.1

Temporal Score: 7.7

Vector: CVSS3#AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS3#E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mozilla:firefox

Patch Publication Date: 2016/12/13

Vulnerability Publication Date: 2016/11/29

Reference Information

CVE: CVE-2016-9893, CVE-2016-9895, CVE-2016-9897, CVE-2016-9898, CVE-2016-9899, CVE-2016-9900, CVE-2016-9901, CVE-2016-9902, CVE-2016-9904, CVE-2016-9905

BID: 94885