-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT Security Bulletin ASB-2016.0063
    A number of vulnerabilities have been identified in Mozilla Firefox
                               8 June 2016
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Mozilla Firefox
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
                   Android
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Increased Privileges            -- Remote with User Interaction
                   Overwrite Arbitrary Files       -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
                   Reduced Security                -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-2834 CVE-2016-2833 CVE-2016-2832 CVE-2016-2831
                   CVE-2016-2829 CVE-2016-2828 CVE-2016-2826 CVE-2016-2825
                   CVE-2016-2824 CVE-2016-2822 CVE-2016-2821 CVE-2016-2819
                   CVE-2016-2818 CVE-2016-2815
Member content until: Friday, July 8 2016

OVERVIEW

        A number of vulnerabilities have been identified in Mozilla Firefox
        prior to version 47. [1-13]

IMPACT

        The vendor has provided the following information:

        CVE-2016-2815, CVE-2016-2818:

        "Mozilla developers and community members reported several memory
        safety bugs in the browser engine used in Firefox and other
        Mozilla-based products. Some of these bugs showed evidence of memory
        corruption under certain circumstances, and we presume that with
        enough effort at least some of these could be exploited to run
        arbitrary code." [1]

        CVE-2016-2819:

        "Security researcher firehack reported a buffer overflow when parsing
        HTML5 fragments in a foreign context such as under an <svg> node.
        This results in a potentially exploitable crash when inserting an
        HTML fragment into an existing document." [2]

        CVE-2016-2821:

        "Security researcher firehack used the Address Sanitizer tool to
        discover a use-after-free in contenteditable mode. This occurs when
        deleting document object model (DOM) table elements created within
        the editor and results in a potentially exploitable crash." [3]

        CVE-2016-2822:

        "Security researcher Jordi Chancel reported a method to spoof the
        contents of the addressbar. This uses a persistent menu within a
        <select> element, which acts as a container for HTML content and can
        be placed in an arbitrary location. When placed over the addressbar,
        this can mask the true site URL, allowing for spoofing by a malicious
        site." [4]

        CVE-2016-2824:

        "Security researcher Aral reported an out-of-bounds write when using
        the ANGLE graphics library, which is used for WebGL content on
        Windows systems. This crash occurs due to improper size checking
        while writing to an array during some WebGL shader operations." [5]

        CVE-2016-2825:

        "Security researcher Armin Razmdjou reported that the location.host
        property can be set to an arbitrary string after creating an invalid
        data: URI. This allows for a bypass of some same-origin policy
        protections. This issue is mitigated by the data: URI in use and any
        same-origin checks for http: or https: are still enforced correctly.
        As a result cookie stealing and other common same-origin bypass
        attacks are not possible." [6]

        CVE-2016-2826:

        "Security researcher Frederic Hoguin reported a mechanism where the
        Mozilla Windows updater could be used to overwrite arbitrary files.
        He found that files extracted by the updater from a MAR archive are
        not locked for writing and can be overwritten by other processes
        while the updater is running. A malicious local program could invoke
        the updater and then interfere with the extracted files, replacing
        them with its own. This vulnerability could be used for privilege
        escalation if these overwritten files were later invoked by other
        Windows components that had higher privileges." [7]

        CVE-2016-2828:

        "Mozilla community member jomo reported a use-after-free crash when
        processing WebGL content. This issue was caused by the use of a
        texture after its recycle pool has been destroyed during WebGL
        operations, which frees the memory associated with the texture. This
        results in a potentially exploitable crash when the texture is later
        called." [8]

        CVE-2016-2829:

        "Security researcher Tim McCormack reported that when a page requests
        a series of permissions in a short timespan, the resulting permission
        notifications can show the icon for the wrong permission request.
        This can lead to user confusion and inadvertent consent given when a
        user is prompted by web content to give permissions, such as for
        geolocation or microphone access." [9]

        CVE-2016-2831:

        "Security researcher sushi Anton Larsson reported that when paired
        fullscreen and pointerlock requests are done in combination with
        closing windows, a pointerlock can be created within a fullscreen
        window without user permission. This pointerlock cannot then be
        cancelled without terminating the browser, resulting in a persistent
        denial of service attack. This can also be used for spoofing and
        clickjacking attacks against the browser UI." [10]

        CVE-2016-2832:

        "Mozilla developer John Schoenick reported that CSS pseudo-classes
        can be used by web content to leak information on plugins that are
        installed but disabled. This can be used for information disclosure
        through a fingerprinting attack that lists all of the plugins
        installed by a user on a system, even when they are disabled." [11]

        CVE-2016-2833:

        "Mozilla engineer Matt Wobensmith reported that Content Security
        Policy (CSP) does not block the loading of cross-domain Java applets
        when specified by policy. This is because the Java applet is loaded
        by the Java plugin, which then mediates all network requests without
        checking against CSP. This could allow a malicious site to manipulate
        content through a Java applet to bypass CSP protections, allowing for
        possible cross-site scripting (XSS) attacks." [12]

        CVE-2016-2834:

        "Mozilla has updated the version of Network Security Services (NSS)
        library used in Firefox to NSS 3.23. This addresses four moderate
        rated networking security issues reported by Mozilla engineers Tyson
        Smith and Jed Davis." [13]

MITIGATION

        The vendor recommends updating to the latest version of Firefox to
        address these issues. [1-13]

REFERENCES

        [1] Mozilla Foundation Security Advisory 2016-49
            https://www.mozilla.org/en-US/security/advisories/mfsa2016-49/

        [2] Mozilla Foundation Security Advisory 2016-50
            https://www.mozilla.org/en-US/security/advisories/mfsa2016-50/

        [3] Mozilla Foundation Security Advisory 2016-51
            https://www.mozilla.org/en-US/security/advisories/mfsa2016-51/

        [4] Mozilla Foundation Security Advisory 2016-52
            https://www.mozilla.org/en-US/security/advisories/mfsa2016-52/

        [5] Mozilla Foundation Security Advisory 2016-53
            https://www.mozilla.org/en-US/security/advisories/mfsa2016-53/

        [6] Mozilla Foundation Security Advisory 2016-54
            https://www.mozilla.org/en-US/security/advisories/mfsa2016-54/

        [7] Mozilla Foundation Security Advisory 2016-55
            https://www.mozilla.org/en-US/security/advisories/mfsa2016-55/

        [8] Mozilla Foundation Security Advisory 2016-56
            https://www.mozilla.org/en-US/security/advisories/mfsa2016-56/

        [9] Mozilla Foundation Security Advisory 2016-57
            https://www.mozilla.org/en-US/security/advisories/mfsa2016-57/

        [10] Mozilla Foundation Security Advisory 2016-58
             https://www.mozilla.org/en-US/security/advisories/mfsa2016-58/

        [11] Mozilla Foundation Security Advisory 2016-59
             https://www.mozilla.org/en-US/security/advisories/mfsa2016-59/

        [12] Mozilla Foundation Security Advisory 2016-60
             https://www.mozilla.org/en-US/security/advisories/mfsa2016-60/

        [13] Mozilla Foundation Security Advisory 2016-61
             https://www.mozilla.org/en-US/security/advisories/mfsa2016-61/

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBV1eeE4x+lLeg9Ub1AQjiaA//fnIQyuEZ7F+gwGJ9W48PMFcIDngh8Yuc
vWl9o5LlZVvv1drW6nX34g9b8J4m8fW4wt64lTT7lTTv8gVpnMSgwciL0HFl+aop
yUAksmfXvHK+4Xfb8a4bM9qf2b8vFvrHFUGX6OpcOWt2ccPZ0c47lP07CdO6PZzk
GpJo+Nq4tM1vhgWTXgnlvXoSVUu5VI4itoQplnQy/JefDPDFTKBnUUElmsEs97Cv
G49lXuSFptPhWjjypYj5Uj+2Tdh8uPMnaq0lYlmadMAQviMchKhTCqmpgBIm1z5w
oxhX26GUJuww4TSV84XhLbjLxpGEoyWdIngFz/eZLflZWQBfOgB2kWQuHMBVa3sP
QisYEyCr7SMw+2z1a9tTru8c8ipI/41c2AcaqfW51V50tCu0pTgBMYX7YP6a72mS
aV+PbfEBEZvzajgScFgzDneJubUpM/BjsBSza7zsnMc9GLTe/crXZ10rtUnzxGXB
8zb48O/mZ53BY7cd7gIP7ZhsOx1J8t4XNhdyiPd2PVh6oJmQh3M/JyzJANzrVyBO
8p7ABPNDTsLeECE/ScRWRM17S/jI6kUVuG10VyG+MGS6cdyRJfhIOEirYcSS4vV5
LHb8+54jAFrYn8ettx/Qeynao3vpr/zx0gtin2TIVzFLOXM0QUse2pGquy3E4kuB
9A+qN36kdgk=
=P7BQ
-----END PGP SIGNATURE-----
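Triaging a fleet against the fix level given under MITIGATION, as an added example that is not part of the AusCERT bulletin or of Mozilla's code. It assumes version strings in the form printed by `firefox --version` ("Mozilla Firefox 46.0.1") or exported by an inventory tool; the host names and versions in SAMPLE_INVENTORY are constructed. Release-channel versions below 47.0 are reported as affected, as the bulletin states. ESR and pre-release (Nightly/Beta) builds are flagged for manual review rather than guessed at, because the bulletin gives a fix level only for the release channel, and a naive numeric comparison would wrongly clear a 45.x ESR build or wrongly flag a 48 Nightly.

```python
"""Triage Firefox version strings against the fix level in ASB-2016.0063.

Added example; not part of the AusCERT bulletin or Mozilla's code.
Assumes version strings like those printed by `firefox --version`.
"""
import re
from typing import NamedTuple, Optional, Tuple

# The bulletin: "vulnerabilities ... in Mozilla Firefox prior to version 47"
FIXED_RELEASE = (47, 0)


class Verdict(NamedTuple):
    version: Optional[Tuple[int, ...]]
    channel: str   # "release", "esr", "prerelease" or "unknown"
    status: str    # "affected", "fixed" or "review"


_VERSION_RE = re.compile(
    r"(?:Mozilla\s+Firefox\s+)?"      # optional product prefix
    r"(?P<nums>\d+(?:\.\d+)*)"        # 46.0.1
    r"(?P<suffix>esr|[ab]\d+)?",      # esr, a1 (Nightly), b3 (Beta)
    re.IGNORECASE,
)


def parse_version(text: str):
    """Return (numeric version tuple, channel) or (None, "unknown")."""
    m = _VERSION_RE.search(text.strip())
    if not m:
        return None, "unknown"
    nums = tuple(int(p) for p in m.group("nums").split("."))
    suffix = (m.group("suffix") or "").lower()
    if suffix == "esr":
        channel = "esr"
    elif suffix:
        channel = "prerelease"
    else:
        channel = "release"
    return nums, channel


def _pad(v: Tuple[int, ...], width: int = 3) -> Tuple[int, ...]:
    # Compare "47" and "47.0.1" component-wise, never as strings.
    return v + (0,) * (width - len(v))


def triage(text: str) -> Verdict:
    nums, channel = parse_version(text)
    if nums is None:
        return Verdict(None, channel, "review")
    if channel == "release":
        status = "fixed" if _pad(nums) >= _pad(FIXED_RELEASE) else "affected"
    else:
        # ESR and pre-release builds follow their own fix schedule; the
        # bulletin only states the release-channel fix level, so flag them.
        status = "review"
    return Verdict(nums, channel, status)


# Constructed inventory sample (hypothetical hosts, not real data).
SAMPLE_INVENTORY = [
    ("wks-001", "Mozilla Firefox 46.0.1"),
    ("wks-002", "Mozilla Firefox 47.0"),
    ("wks-003", "Mozilla Firefox 45.1.1esr"),
    ("wks-004", "Mozilla Firefox 48.0a1"),
    ("wks-005", "Mozilla Firefox 47.0.1"),
    ("wks-006", "not installed"),
]


def report(inventory=SAMPLE_INVENTORY) -> dict:
    """Map each host to its triage status."""
    return {host: triage(ver).status for host, ver in inventory}


if __name__ == "__main__":
    for host, status in report().items():
        print(f"{host}: {status}")
```

Feed it the real inventory export in place of SAMPLE_INVENTORY and treat every "review" row as a ticket, not as a pass; the Windows updater issue (CVE-2016-2826) also means the upgrade itself should be pushed by the deployment tool rather than left to per-user invocation of the updater on shared hosts.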