Mozilla Firefox ESR < 45.5 Multiple Vulnerabilities

high Nessus Network Monitor Plugin ID 9805

Synopsis

The remote host has a web browser installed that is vulnerable to multiple attack vectors.

Description

Versions of Mozilla Firefox ESR earlier than 45.5 are unpatched for the following vulnerabilities :

- An overflow condition exists in the 'RASTERIZE_EDGES()' function in 'gfx/cairo/libpixman/src/pixman-edge-imp.h'. The issue is triggered as certain input is not properly validated when handling SVG content. This may allow a context-dependent attacker to cause a heap-based overflow, potentially allowing the execution of arbitrary code.
- A flaw exists that is triggered when the Mozilla Updater is run with the updater's log file in the working directory pointing to a hardlink. This may allow a local attacker to append data to an arbitrary local file.
- A flaw exists in the Mozilla Updater that is triggered as it may select an arbitrary target working directory to output files from the update process. No further details have been provided by the vendor.
- A flaw exists that is triggered when length checking JavaScript arguments. This may allow a context-dependent attacker to have an unspecified impact.
- A flaw exists that is triggered as add-on update IDs are not properly validated. This may allow an attacker with the ability to intercept network traffic '(e.g'. MitM, DNS cache poisoning) to provide malicious add-on updates.
- An integer overflow condition exists in the 'nsScriptLoadHandler::TryDecodeRawData()' function in 'dom/base/nsScriptLoader.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to cause a buffer overflow, potentially allowing the execution of arbitrary code.
- A flaw exists in the 'nsBaseChannel::Redirect()' function in 'netwerk/base/nsBaseChannel.cpp'. The issue is triggered as local shortcut files may be used to bypass the same-origin policy and load local content from the disk.
- An unspecified flaw exists in 'divSpoiler' that may allow an attacker to conduct a side-channel attack. No further details have been provided by the vendor.
- A flaw exists that is triggered when handling DOM tree operations for 'insertBefore()' method calls. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists that is triggered when handling Ion-compiling of scripts with too many typesets. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists related to tracing of script pointers in off-thread compilation tasks. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists that is triggered when handling runtime checks for helper threads tracing. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'GlobalHelperThreadState::finishParseTask()' function in 'js/src/vm/HelperThreads.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists that is triggered as certain input is not properly validated when handling frames. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists that is triggered as certain input is not properly validated when handling HTML5 tokenizing. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists in 'dom/events/IMEStateManager.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.

Solution

Upgrade to Firefox version 45.5 or later.

See Also

https://www.mozilla.org/en-US/security/advisories/mfsa2016-89

https://www.mozilla.org/en-US/security/advisories/mfsa2016-90

Plugin Details

Severity: High

ID: 9805

Family: Web Clients

Published: 12/2/2016

Updated: 11/6/2019

Nessus ID: 94959

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: High

Base Score: 7.3

Temporal Score: 7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mozilla:firefox_esr

Patch Publication Date: 11/15/2016

Vulnerability Publication Date: 10/3/2016

Reference Information

CVE: CVE-2016-5290, CVE-2016-5291, CVE-2016-5293, CVE-2016-5294, CVE-2016-5296, CVE-2016-5297, CVE-2016-9064, CVE-2016-9066, CVE-2016-9074

BID: 94335, 94336, 94339, 94341