Mozilla Firefox < 52 Multiple Vulnerabilities

critical Nessus Network Monitor Plugin ID 9986
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Synopsis

The remote host has a web browser installed that is vulnerable to multiple attack vectors.

Description

Versions of Mozilla Firefox prior to 52 are unpatched for the following vulnerabilities :

- A flaw exists that is triggered when using a JIT-spray targeting 'asm.js' in conjunction with a heap spray that may allow a context-dependent attacker to bypass the Data Execution Protection (DEP) and Address Space Layout Randomization (ASLR) protection mechanisms.
- A flaw exists in the 'txMozillaXMLOutput::createResultDocument()' function in 'dom/xslt/xslt/txMozillaXMLOutput.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists in 'dom/network/UDPSocketParent.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists in 'js/src/jit/arm/MacroAssembler-arm.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'nsDocShell::CreateAboutBlankContentViewer()' function in 'docshell/base/nsDocShell.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists that is triggered as certain input is not properly validated when handling SMIL RAII objects. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists that is triggered as certain input is not properly validated when handling accessibles. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'trace()' function in 'xpcom/base/CycleCollectedJSContext.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An integer underflow condition exists in the 'apply_lookup()' function in 'hb-ot-layout-gsubgpos-private.hh' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and crash a process linked against the library or potentially execute arbitrary code.
- A flaw exists in the 'nsWebBrowser::RemoveWebBrowserListener()' function in 'embedding/browser/nsWebBrowser.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists in 'dom/u2f/U2F.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'Element::DescribeAttribute()' function in 'dom/base/Element.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in 'xpcom/ds/nsSupportsArray.cpp' that is triggered when handling 'nsISupportsArrays'. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists in 'dom/workers/ServiceWorkerPrivate.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists in 'layout/printing/nsPrintEngine.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in 'netwerk/cache2/CacheIndex.cpp' that is triggered when handling cache index serialization. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists in 'media/webrtc/trunk/webrtc/modules/video_coding/rtt_filter.cc' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists related to the camera system service that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in 'js/src/jsgc.cpp' that is triggered as certain input is not properly validated when handling zone groups. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists in 'netwerk/streamconv/converters/nsMultiMixedConv.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in 'netwerk/cache/nsDiskCacheDeviceSQL.cpp' that is triggered when handling cache eviction. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A use-after-free condition exists that is triggered when handling NPAPI plugin references. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A flaw exists in 'dom/base/nsDocument.cpp' that is triggered when handling frame request callbacks rescheduling. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'js::array_sort()' function in 'js/src/jsarray.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'cairo_cff_font_write_cid_fontdict()' function in 'cairo-cff-subset.c' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and crash a process linked against the library or potentially execute arbitrary code.
- A use-after-free error exists that is triggered when using addRange to add the range to an incorrect root object. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A use-after-free error exists in the 'FontFaceSet' class in 'layout/style/FontFaceSet.cpp' that is triggered when handling events for FontFace objects. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A flaw exists in the JavaScript Garbage Collection mechanism that is triggered during incremental sweeping on memory cleanups. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in 'dom/bindings/ErrorResult.h' that is triggered when handling 'ErrorResult' references. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A use-after-free error exists that is triggered when handling ranges in selections with one node inside and one node outside of a native anonymous tree. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- An out-of-bounds read flaw exists that is triggered when handling SVG filter color value operations. This may allow a context-dependent attacker to potentially disclose sensitive memory contents.
- A flaw exists in the 'HTMLTrackElement::LoadResource()' function in 'dom/html/HTMLTrackElement.cpp' that is triggered as CORS headers are not checked when loading video captions. This may allow a context-dependent attacker to disclose video captions.
- A path truncation flaw exist in the 'NS_main()' function in 'toolkit/mozapps/update/updater/updater.cpp' that is triggered when passing callback parameters through the Mozilla Maintenance Service. This may allow a local attacker to delete arbitrary files with elevated privileges.
- A flaw exists in the 'FilterNodeLightingSoftware::SetAttribute()' function template in 'gfx/2d/FilterNodeSoftware.cpp' that is triggered when handling subnormal surfaceScale values. With a specially crafted SVG filter, a context-dependent attacker can perform a side-channel attack, potentially resulting in disclosure of history information or text values across domains.
- An out-of-bounds access flaw exists that is triggered when handling bidirectional layout operations. This may allow a context-dependent attacker to have an unspecified impact. No further details have been provided by the vendor.
- A flaw exists in the 'Location' class in 'dom/base/Location.cpp' that is triggered when using a Blob URL. This may allow a context-dependent attacker to spoof the address bar.
- A flaw exists in the 'HTMLInputElement' class in 'dom/html/HTMLInputElement.cpp' that is triggered when handling the local default directory for a file picker dialog. This may allow a context-dependent attacker to disclose information e.g. about the operating system or the local account name.

Solution

Upgrade to Firefox version 52 or later.

See Also

https://www.mozilla.org/en-US/security/advisories/mfsa2017-05

https://www.mozilla.org/en-US/security/advisories/mfsa2017-06

Plugin Details

Severity: Critical

ID: 9986

Family: Web Clients

Published: 3/8/2017

Updated: 3/6/2019

Dependencies: 9131

Risk Information

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*

Patch Publication Date: 3/7/2016

Vulnerability Publication Date: 3/7/2017

Reference Information

CVE: CVE-2017-5398, CVE-2017-5400, CVE-2017-5401, CVE-2017-5402, CVE-2017-5404, CVE-2017-5407, CVE-2017-5408, CVE-2017-5409, CVE-2017-5410, CVE-2017-5399, CVE-2017-5403, CVE-2017-5412, CVE-2017-5413, CVE-2017-5414, CVE-2017-5415

BID: 96664, 96693, 96651, 96654, 96691