Mozilla Firefox < 31.0 Multiple Vulnerabilities

high Nessus Network Monitor Plugin ID 8333

Synopsis

The remote host has a web browser installed that is vulnerable to multiple attack vectors.

Description

Versions of Mozilla Firefox earlier than 31.0 are unpatched for the following vulnerabilities :

- An exploitable crash when using the Cesium JavaScript library to generate WebGL content could be leveraged to execute arbitrary code (CVE-2014-1556)
- A potentially exploitable crash when scaling high quality images, due to image data being discarded while in use by the scaling operation (CVE-2014-1557)
- Use-after-free errors when handling certificates in the trusted cache, triggering a FireOnStateChang event in certain circumstances, when rendering MathML content in DirectWrite handling certain fonts, and buffering Web Audio playback can be leveraged to crash the application and, in some cases, execute arbitrary code (CVE-2014-1544, CVE-2014-1555, CVE-2014-1551, CVE-2014-1550)
- Bypass of the iframe element sandbox via network-level redirects, which can allow unauthorized access to content without explicit approval (CVE-2014-1552)
- Issues with parsing SSL certificates when non-standard characters are present, which can lead to a potential inability to use valid SSL certificates (CVE-2014-1558, CVE-2014-1559, CVE-2014-1560)
- Potentially exploitable buffer overflow when interacting with Web Audio buffer for playback, due to an error in the amount of memory allocated for buffers (CVE-2014-1549)
- Other miscellaneous memory issues that have since been fixed (CVE-2014-1547, CVE-2014-1548)

Solution

Upgrade to Firefox version 31.0, or later.

See Also

https://www.mozilla.org/security/announce/2014/mfsa2014-56.html

https://www.mozilla.org/security/announce/2014/mfsa2014-59.html

https://www.mozilla.org/security/announce/2014/mfsa2014-61.html

https://www.mozilla.org/security/announce/2014/mfsa2014-62.html

https://www.mozilla.org/security/announce/2014/mfsa2014-63.html

https://www.mozilla.org/security/announce/2014/mfsa2014-64.html

https://www.mozilla.org/security/announce/2014/mfsa2014-57.html

https://www.mozilla.org/security/announce/2014/mfsa2014-58.html

https://www.mozilla.org/security/announce/2014/mfsa2014-65.html

https://www.mozilla.org/security/announce/2014/mfsa2014-66.html

https://www.mozilla.org/security/announce/2014/mfsa2014-60.html

Plugin Details

Severity: High

ID: 8333

Family: Web Clients

Published: 7/25/2014

Updated: 11/6/2019

Nessus ID: 76759

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 8.1

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mozilla:firefox

Patch Publication Date: 7/22/2014

Vulnerability Publication Date: 7/22/2014

Reference Information

CVE: CVE-2014-1544, CVE-2014-1547, CVE-2014-1548, CVE-2014-1549, CVE-2014-1550, CVE-2014-1552, CVE-2014-1555, CVE-2014-1557, CVE-2014-1558, CVE-2014-1559, CVE-2014-1560, CVE-2014-1561

BID: 66821, 66813, 66815, 66810, 66811, 66812, 66814, 66816, 66817, 66818, 66820, 66822, 66824, 66826