-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                              ASB-2015.0087
     A number of vulnerabilities have been identified in Mozilla Firefox
                              28 August 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Mozilla Firefox
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Provide Misleading Information  -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2015-4498 CVE-2015-4497

Member content until: Sunday, September 27 2015

OVERVIEW

        A number of vulnerabilities have been identified in Mozilla Firefox
        prior to Mozilla Firefox 40.0.3 and Mozilla Firefox ESR 38.2.1. [1]

IMPACT

        The vendor has provided the following details regarding these
        issues:

        CVE-2015-4497:
        "Mozilla community member Jean-Max Reymond discovered a
        use-after-free vulnerability with a <canvas> element on a page.
        This occurs when a resize event is triggered in concert with style
        changes but the canvas references have been recreated in the
        meantime, destroying the originally referenced context. This
        results in an exploitable crash. Ucha Gobejishvili, working with
        HP's Zero Day Initiative, subsequently reported this same
        issue." [1]

        CVE-2015-4498:
        "Security researcher Bas Venis reported a mechanism where add-ons
        could be installed from a different source than user expectations.
        Normally, when a user enters the URL to an add-on directly in the
        addressbar, warning prompts are bypassed because it is the result
        of direct user action. He discovered that a data: URL could be
        manipulated on a loaded page to simulate this direct user input of
        the add-on's URL, which would result in a bypassing of the install
        permission prompt.

        He also reported that in the absence of the permission prompt, it
        is possible to cause the actual installation prompt to appear above
        another site's location by causing a page navigation immediately
        after triggering add-on installation. This could manipulate a user
        into falsely believing a trusted site (such as addons.mozilla.org)
        has initiated the installation. This could lead to users installing
        an add-on from a malicious source." [2]

MITIGATION

        The vendor recommends updating to the latest versions of Mozilla
        Firefox to correct these issues. [1, 2]

REFERENCES

        [1] Mozilla Foundation Security Advisory 2015-94
            https://www.mozilla.org/en-US/security/advisories/mfsa2015-94/

        [2] Mozilla Foundation Security Advisory 2015-95
            https://www.mozilla.org/en-US/security/advisories/mfsa2015-95/

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
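The version check below is an added example and is not part of the AusCERT bulletin or of Mozilla's advisories. It classifies `firefox --version` output lines against the fixed versions the bulletin names (40.0.3 on the release branch, 38.2.1 on the ESR branch), so an administrator can find builds still exposed to CVE-2015-4497 and CVE-2015-4498. It assumes the output format shown and that ESR builds carry an "esr" suffix; the host names and inventory lines are constructed.

```python
import re
from typing import Dict, Tuple

# Versions the bulletin names as fixed (ASB-2015.0087 / MFSA 2015-94 and 2015-95).
FIXED_RELEASE = (40, 0, 3)   # Mozilla Firefox 40.0.3
FIXED_ESR = (38, 2, 1)       # Mozilla Firefox ESR 38.2.1

# Version as printed by `firefox --version`, e.g. "Mozilla Firefox 40.0.2" or
# "Mozilla Firefox 38.2.0esr" (assumed output format; the "esr" suffix is optional).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?\b", re.IGNORECASE)


def parse_version(text: str) -> Tuple[Tuple[int, int, int], bool]:
    """Return ((major, minor, patch), is_esr); raises ValueError if no version is found."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no Firefox version found in {text!r}")
    patch = int(m.group(3)) if m.group(3) else 0   # "39.0" -> (39, 0, 0)
    return (int(m.group(1)), int(m.group(2)), patch), m.group(4) is not None


def is_patched(text: str) -> bool:
    """True if this build carries the fixes for CVE-2015-4497 and CVE-2015-4498.

    The ESR branch (38.x, or anything tagged 'esr') must be >= 38.2.1; the
    release branch must be >= 40.0.3. Firefox 39.x is on neither fixed line.
    """
    version, esr = parse_version(text)
    if esr or version[0] == 38:
        return version >= FIXED_ESR
    return version >= FIXED_RELEASE


def assess_hosts(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> 'patched' | 'vulnerable' | 'unknown' from `firefox --version` lines."""
    result = {}
    for host, output in inventory.items():
        try:
            result[host] = "patched" if is_patched(output) else "vulnerable"
        except ValueError:
            result[host] = "unknown"   # no parsable version: check the host manually
    return result


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts), not real data.
    sample = {"ws01": "Mozilla Firefox 40.0.2", "ws02": "Mozilla Firefox 40.0.3",
              "srv01": "Mozilla Firefox 38.2.0esr", "srv02": "Mozilla Firefox 38.3.0esr",
              "ws03": "Mozilla Firefox 39.0", "kiosk": "bash: firefox: command not found"}
    for host, status in assess_hosts(sample).items():
        print(f"{host}: {status}")
```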