
                         AUSCERT Security Bulletin

    A number of vulnerabilities have been identified in Mozilla Firefox
                                8 June 2016


        AusCERT Security Bulletin Summary

Product:              Mozilla Firefox
Operating System:     Windows, UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Increased Privileges            -- Remote with User Interaction
                      Overwrite Arbitrary Files       -- Remote with User Interaction
                      Cross-site Scripting            -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Provide Misleading Information  -- Remote with User Interaction
                      Access Confidential Data        -- Remote with User Interaction
                      Reduced Security                -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2016-2834 CVE-2016-2833 CVE-2016-2832
                      CVE-2016-2831 CVE-2016-2829 CVE-2016-2828
                      CVE-2016-2826 CVE-2016-2825 CVE-2016-2824
                      CVE-2016-2822 CVE-2016-2821 CVE-2016-2819
                      CVE-2016-2818 CVE-2016-2815 
Member content until: Friday, July 8 2016


        A number of vulnerabilities have been identified in Mozilla Firefox
        prior to version 47. [1-13]


        The vendor has provided the following information:
        CVE-2016-2815, CVE-2016-2818: "Mozilla developers and community 
        members reported several memory safety bugs in the browser engine 
        used in Firefox and other Mozilla-based products. Some of these bugs
        showed evidence of memory corruption under certain circumstances, 
        and we presume that with enough effort at least some of these could
        be exploited to run arbitrary code." [1]
        CVE-2016-2819: "Security researcher firehack reported a buffer 
        overflow when parsing HTML5 fragments in a foreign context such as 
        under an <svg> node. This results in a potentially exploitable crash
        when inserting an HTML fragment into an existing document." [2]
        CVE-2016-2821: "Security researcher firehack used the Address 
        Sanitizer tool to discover a use-after-free in contenteditable mode.
        This occurs when deleting document object model (DOM) table elements
        created within the editor and results in a potentially exploitable 
        crash." [3]
        CVE-2016-2822: "Security researcher Jordi Chancel reported a method
        to spoof the contents of the addressbar. This uses a persistent menu
        within a <select> element, which acts as a container for HTML 
        content and can be placed in an arbitrary location. When placed over
        the addressbar, this can mask the true site URL, allowing for 
        spoofing by a malicious site." [4]
        CVE-2016-2824: "Security researcher Aral reported an out-of-bounds 
        write when using the ANGLE graphics library, which is used for WebGL
        content on Windows systems. This crash occurs due to improper size 
        checking while writing to an array during some WebGL shader 
        operations." [5]
        CVE-2016-2825: "Security researcher Armin Razmdjou reported that the
        location.host property can be set to an arbitrary string after 
        creating an invalid data: URI. This allows for a bypass of some 
        same-origin policy protections. This issue is mitigated by the data:
        URI in use and any same-origin checks for http: or https: are still
        enforced correctly. As a result cookie stealing and other common 
        same-origin bypass attacks are not possible." [6]
        CVE-2016-2826: "Security researcher Frederic Hoguin reported a 
        mechanism where the Mozilla Windows updater could be used to 
        overwrite arbitrary files. He found that files extracted by the 
        updater from a MAR archive are not locked for writing and can be 
        overwritten by other processes while the updater is running. A 
        malicious local program could invoke the updater and then interfere
        with the extracted files, replacing them with its own. This 
        vulnerability could be used for privilege escalation if these 
        overwritten files were later invoked by other Windows components 
        that had higher privileges." [7]
        CVE-2016-2828: "Mozilla community member jomo reported a 
        use-after-free crash when processing WebGL content. This issue was 
        caused by the use of a texture after its recycle pool has been 
        destroyed during WebGL operations, which frees the memory associated
        with the texture. This results in a potentially exploitable crash 
        when the texture is later called." [8]
        CVE-2016-2829: "Security researcher Tim McCormack reported that when
        a page requests a series of permissions in a short timespan, the 
        resulting permission notifications can show the icon for the wrong 
        permission request. This can lead to user confusion and inadvertent
        consent given when a user is prompted by web content to give 
        permissions, such as for geolocation or microphone access." [9]
        CVE-2016-2831: "Security researcher sushi Anton Larsson reported 
        that when paired fullscreen and pointerlock requests are done in 
        combination with closing windows, a pointerlock can be created 
        within a fullscreen window without user permission. This pointerlock
        cannot then be cancelled without terminating the browser, resulting
        in a persistent denial of service attack. This can also be used for
        spoofing and clickjacking attacks against the browser UI." [10]
        CVE-2016-2832: "Mozilla developer John Schoenick reported that CSS 
        pseudo-classes can be used by web content to leak information on 
        plugins that are installed but disabled. This can be used for 
        information disclosure through a fingerprinting attack that lists 
        all of the plugins installed by a user on a system, even when they 
        are disabled." [11]
        CVE-2016-2833: "Mozilla engineer Matt Wobensmith reported that 
        Content Security Policy (CSP) does not block the loading of 
        cross-domain Java applets when specified by policy. This is because
        the Java applet is loaded by the Java plugin, which then mediates 
        all network requests without checking against CSP. This could allow
        a malicious site to manipulate content through a Java applet to 
        bypass CSP protections, allowing for possible cross-site scripting 
        (XSS) attacks." [12]
        CVE-2016-2834: "Mozilla has updated the version of Network Security
        Services (NSS) library used in Firefox to NSS 3.23. This addresses 
        four moderate rated networking security issues reported by Mozilla 
        engineers Tyson Smith and Jed Davis." [13]


        The vendor recommends updating to the latest version of Firefox to 
        address these issues. [1-13]
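        The following script is an added example for this bulletin and is
        not code from AusCERT or Mozilla. It applies the bulletin's own
        criterion (Firefox releases prior to version 47 are affected) to
        the output of `firefox --version` and lists the CVEs and Mozilla
        advisories the bulletin cites. The sample version banners in the
        block are constructed for illustration; the regular expression and
        the handling of suffixed builds (for example an "esr" build, whose
        fix level this bulletin does not state) are the example's own
        assumptions, so such builds are reported as "unknown" rather than
        judged against the release-channel threshold.

```python
import re
import shutil
import subprocess

# Threshold from the bulletin: Firefox releases prior to 47 are affected.
FIXED_IN = (47,)

# CVEs in the bulletin mapped to the Mozilla advisory it cites for each.
BULLETIN_CVES = {
    "CVE-2016-2815": "MFSA 2016-49",
    "CVE-2016-2818": "MFSA 2016-49",
    "CVE-2016-2819": "MFSA 2016-50",
    "CVE-2016-2821": "MFSA 2016-51",
    "CVE-2016-2822": "MFSA 2016-52",
    "CVE-2016-2824": "MFSA 2016-53",
    "CVE-2016-2825": "MFSA 2016-54",
    "CVE-2016-2826": "MFSA 2016-55",
    "CVE-2016-2828": "MFSA 2016-56",
    "CVE-2016-2829": "MFSA 2016-57",
    "CVE-2016-2831": "MFSA 2016-58",
    "CVE-2016-2832": "MFSA 2016-59",
    "CVE-2016-2833": "MFSA 2016-60",
    "CVE-2016-2834": "MFSA 2016-61",
}

# Assumed banner shape: "Mozilla Firefox <digits[.digits...]><optional suffix>".
_VERSION_RE = re.compile(r"Mozilla Firefox\s+(\d+(?:\.\d+)*)([A-Za-z0-9]*)")


def parse_version(banner):
    """Parse a `firefox --version` banner into (numeric tuple, suffix).

    Returns None when the banner does not look like a Firefox version line,
    so callers never compare against a guessed number."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    numbers = tuple(int(part) for part in m.group(1).split("."))
    return numbers, m.group(2).lower()


def assess(banner):
    """Classify a version banner against the bulletin's threshold.

    status is "affected", "fixed" or "unknown"; "unknown" covers unparsable
    input and suffixed builds such as ESR, whose fix level is not stated in
    this bulletin and must be taken from the referenced MFSA pages."""
    parsed = parse_version(banner)
    if parsed is None:
        return {"version": None, "status": "unknown", "cves": []}
    numbers, suffix = parsed
    version = ".".join(str(n) for n in numbers) + suffix
    if suffix:
        return {"version": version, "status": "unknown", "cves": []}
    # Tuple comparison: (46, 0, 1) < (47,) is True; (47, 0) < (47,) is False.
    affected = numbers < FIXED_IN
    return {
        "version": version,
        "status": "affected" if affected else "fixed",
        "cves": sorted(BULLETIN_CVES) if affected else [],
    }


def assess_installed(binary="firefox"):
    """Run the installed binary and assess its banner; None if not installed."""
    path = shutil.which(binary)
    if path is None:
        return None
    banner = subprocess.run([path, "--version"], capture_output=True,
                            text=True, check=False).stdout
    return assess(banner)


if __name__ == "__main__":
    # Constructed sample banners; not output captured from real systems.
    for sample in ("Mozilla Firefox 46.0.1", "Mozilla Firefox 47.0",
                   "Mozilla Firefox 45.2.0esr"):
        result = assess(sample)
        print(sample, "->", result["status"], ",".join(result["cves"]))
    live = assess_installed()
    if live:
        print("installed:", live["version"], "->", live["status"])
```

        Run it on a host to get the installed build's status; for fleet
        use, feed the banner strings collected by your inventory tool to
        assess() instead of calling the binary. Any "unknown" result should
        be resolved by hand against the advisories listed below rather than
        treated as fixed.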


        [1] Mozilla Foundation Security Advisory 2016-49

        [2] Mozilla Foundation Security Advisory 2016-50

        [3] Mozilla Foundation Security Advisory 2016-51

        [4] Mozilla Foundation Security Advisory 2016-52

        [5] Mozilla Foundation Security Advisory 2016-53

        [6] Mozilla Foundation Security Advisory 2016-54

        [7] Mozilla Foundation Security Advisory 2016-55

        [8] Mozilla Foundation Security Advisory 2016-56

        [9] Mozilla Foundation Security Advisory 2016-57

        [10] Mozilla Foundation Security Advisory 2016-58

        [11] Mozilla Foundation Security Advisory 2016-59

        [12] Mozilla Foundation Security Advisory 2016-60

        [13] Mozilla Foundation Security Advisory 2016-61

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967