Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT Security Bulletin
ASB-2016.0063
A number of vulnerabilities have been identified in Mozilla Firefox
8 June 2016
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Mozilla Firefox
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Android
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Increased Privileges -- Remote with User Interaction
Overwrite Arbitrary Files -- Remote with User Interaction
Cross-site Scripting -- Remote with User Interaction
Denial of Service -- Remote with User Interaction
Provide Misleading Information -- Remote with User Interaction
Access Confidential Data -- Remote with User Interaction
Reduced Security -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2016-2834 CVE-2016-2833 CVE-2016-2832
CVE-2016-2831 CVE-2016-2829 CVE-2016-2828
CVE-2016-2826 CVE-2016-2825 CVE-2016-2824
CVE-2016-2822 CVE-2016-2821 CVE-2016-2819
CVE-2016-2818 CVE-2016-2815
Member content until: Friday, July 8 2016
OVERVIEW
A number of vulnerabilities have been identified in Mozilla Firefox
prior to version 47. [1-13]
IMPACT
The vendor has provided the following information:
CVE-2016-2815, CVE-2016-2818: "Mozilla developers and community
members reported several memory safety bugs in the browser engine
used in Firefox and other Mozilla-based products. Some of these bugs
showed evidence of memory corruption under certain circumstances,
and we presume that with enough effort at least some of these could
be exploited to run arbitrary code." [1]
CVE-2016-2819: "Security researcher firehack reported a buffer
overflow when parsing HTML5 fragments in a foreign context such as
under an <svg> node. This results in a potentially exploitable crash
when inserting an HTML fragment into an existing document." [2]
CVE-2016-2821: "Security researcher firehack used the Address
Sanitizer tool to discover a use-after-free in contenteditable mode.
This occurs when deleting document object model (DOM) table elements
created within the editor and results in a potentially exploitable
crash." [3]
CVE-2016-2822: "Security researcher Jordi Chancel reported a method
to spoof the contents of the addressbar. This uses a persistent menu
within a <select> element, which acts as a container for HTML
content and can be placed in an arbitrary location. When placed over
the addressbar, this can mask the true site URL, allowing for
spoofing by a malicious site." [4]
CVE-2016-2824: "Security researcher Aral reported an out-of-bounds
write when using the ANGLE graphics library, which is used for WebGL
content on Windows systems. This crash occurs due to improper size
checking while writing to an array during some WebGL shader
operations." [5]
CVE-2016-2825: "Security researcher Armin Razmdjou reported that the
location.host property can be set to an arbitrary string after
creating an invalid data: URI. This allows for a bypass of some
same-origin policy protections. This issue is mitigated by the data:
URI in use and any same-origin checks for http: or https: are still
enforced correctly. As a result cookie stealing and other common
same-origin bypass attacks are not possible." [6]
CVE-2016-2826: "Security researcher Frederic Hoguin reported a
mechanism where the Mozilla Windows updater could be used to
overwrite arbitrary files. He found that files extracted by the
updater from a MAR archive are not locked for writing and can be
overwritten by other processes while the updater is running. A
malicious local program could invoke the updater and then interfere
with the extracted files, replacing them with its own. This
vulnerability could be used for privilege escalation if these
overwritten files were later invoked by other Windows components
that had higher privileges." [7]
CVE-2016-2828: "Mozilla community member jomo reported a
use-after-free crash when processing WebGL content. This issue was
caused by the use of a texture after its recycle pool has been
destroyed during WebGL operations, which frees the memory associated
with the texture. This results in a potentially exploitable crash
when the texture is later called." [8]
CVE-2016-2829: "Security researcher Tim McCormack reported that when
a page requests a series of permissions in a short timespan, the
resulting permission notifications can show the icon for the wrong
permission request. This can lead to user confusion and inadvertent
consent given when a user is prompted by web content to give
permissions, such as for geolocation or microphone access." [9]
CVE-2016-2831: "Security researcher sushi Anton Larsson reported
that when paired fullscreen and pointerlock requests are done in
combination with closing windows, a pointerlock can be created
within a fullscreen window without user permission. This pointerlock
cannot then be cancelled without terminating the browser, resulting
in a persistent denial of service attack. This can also be used for
spoofing and clickjacking attacks against the browser UI." [10]
CVE-2016-2832: "Mozilla developer John Schoenick reported that CSS
pseudo-classes can be used by web content to leak information on
plugins that are installed but disabled. This can be used for
information disclosure through a fingerprinting attack that lists
all of the plugins installed by a user on a system, even when they
are disabled." [11]
CVE-2016-2833: "Mozilla engineer Matt Wobensmith reported that
Content Security Policy (CSP) does not block the loading of
cross-domain Java applets when specified by policy. This is because
the Java applet is loaded by the Java plugin, which then mediates
all network requests without checking against CSP. This could allow
a malicious site to manipulate content through a Java applet to
bypass CSP protections, allowing for possible cross-site scripting
(XSS) attacks." [12]
CVE-2016-2834: "Mozilla has updated the version of Network Security
Services (NSS) library used in Firefox to NSS 3.23. This addresses
four moderate rated networking security issues reported by Mozilla
engineers Tyson Smith and Jed Davis." [13]
MITIGATION
The vendor recommends updating to the latest version of Firefox to
address these issues. [1-13]
REFERENCES
[1] Mozilla Foundation Security Advisory 2016-49
https://www.mozilla.org/en-US/security/advisories/mfsa2016-49/
[2] Mozilla Foundation Security Advisory 2016-50
https://www.mozilla.org/en-US/security/advisories/mfsa2016-50/
[3] Mozilla Foundation Security Advisory 2016-51
https://www.mozilla.org/en-US/security/advisories/mfsa2016-51/
[4] Mozilla Foundation Security Advisory 2016-52
https://www.mozilla.org/en-US/security/advisories/mfsa2016-52/
[5] Mozilla Foundation Security Advisory 2016-53
https://www.mozilla.org/en-US/security/advisories/mfsa2016-53/
[6] Mozilla Foundation Security Advisory 2016-54
https://www.mozilla.org/en-US/security/advisories/mfsa2016-54/
[7] Mozilla Foundation Security Advisory 2016-55
https://www.mozilla.org/en-US/security/advisories/mfsa2016-55/
[8] Mozilla Foundation Security Advisory 2016-56
https://www.mozilla.org/en-US/security/advisories/mfsa2016-56/
[9] Mozilla Foundation Security Advisory 2016-57
https://www.mozilla.org/en-US/security/advisories/mfsa2016-57/
[10] Mozilla Foundation Security Advisory 2016-58
https://www.mozilla.org/en-US/security/advisories/mfsa2016-58/
[11] Mozilla Foundation Security Advisory 2016-59
https://www.mozilla.org/en-US/security/advisories/mfsa2016-59/
[12] Mozilla Foundation Security Advisory 2016-60
https://www.mozilla.org/en-US/security/advisories/mfsa2016-60/
[13] Mozilla Foundation Security Advisory 2016-61
https://www.mozilla.org/en-US/security/advisories/mfsa2016-61/
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBV1eeE4x+lLeg9Ub1AQjiaA//fnIQyuEZ7F+gwGJ9W48PMFcIDngh8Yuc
vWl9o5LlZVvv1drW6nX34g9b8J4m8fW4wt64lTT7lTTv8gVpnMSgwciL0HFl+aop
yUAksmfXvHK+4Xfb8a4bM9qf2b8vFvrHFUGX6OpcOWt2ccPZ0c47lP07CdO6PZzk
GpJo+Nq4tM1vhgWTXgnlvXoSVUu5VI4itoQplnQy/JefDPDFTKBnUUElmsEs97Cv
G49lXuSFptPhWjjypYj5Uj+2Tdh8uPMnaq0lYlmadMAQviMchKhTCqmpgBIm1z5w
oxhX26GUJuww4TSV84XhLbjLxpGEoyWdIngFz/eZLflZWQBfOgB2kWQuHMBVa3sP
QisYEyCr7SMw+2z1a9tTru8c8ipI/41c2AcaqfW51V50tCu0pTgBMYX7YP6a72mS
aV+PbfEBEZvzajgScFgzDneJubUpM/BjsBSza7zsnMc9GLTe/crXZ10rtUnzxGXB
8zb48O/mZ53BY7cd7gIP7ZhsOx1J8t4XNhdyiPd2PVh6oJmQh3M/JyzJANzrVyBO
8p7ABPNDTsLeECE/ScRWRM17S/jI6kUVuG10VyG+MGS6cdyRJfhIOEirYcSS4vV5
LHb8+54jAFrYn8ettx/Qeynao3vpr/zx0gtin2TIVzFLOXM0QUse2pGquy3E4kuB
9A+qN36kdgk=
=P7BQ
-----END PGP SIGNATURE-----