Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT Security Bulletin ASB-2016.0096 Multiple vulnerabilities identified in Mozilla Firefox prior to version 49.0.2 24 October 2016 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Mozilla Firefox Operating System: UNIX variants (UNIX, Linux, OSX) Android Windows Impact/Access: Denial of Service -- Remote/Unauthenticated Access Confidential Data -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2016-5288 CVE-2016-5287 Member content until: Wednesday, November 23 2016 OVERVIEW Multiple vulnerabilities have been identified in Mozilla Firefox prior to version 49.0.2. [1] IMPACT The vendor has provided the following information regarding the vulnerabilities: "CVE-2016-5287: Crash in nsTArray_base<T>::SwapArrayElements REPORTER Philipp IMPACT HIGH Description A potentially exploitable use-after-free crash during actor destruction with service workers. This issue does not affect releases earlier than Firefox 49." [1] "CVE-2016-5288: Web content can read cache entries REPORTER Developers at Cliqz.com IMPACT HIGH Description A Cliqz.com developer demonstrated that web content could access information in the HTTP cache if e10s is disabled. This can reveal some visited URLs and the contents of those pages. This issue affects Firefox 48 and 49." [1] MITIGATION The vendor recommends upgrading to the latest version. [1] REFERENCES [1] Mozilla Foundation Security Advisory 2016-87 https://www.mozilla.org/en-US/security/advisories/mfsa2016-87/ AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBWA2I2Ix+lLeg9Ub1AQiloRAAlxGze6XcIJ9iW2zK7aGy2uS9yufZ+MCX ik8YJEgfNXucK8UzkDZg6n7Qu1ldhOiTnG+U7O85LXq2mMbw/kH+P/MQwn4hFjX3 xZ66zFoGT1Qkvdk9AVQSPQT0Iqis2ZZ5TWWHUtLTZYqCmucrOG2ZxHieWhV2F5h+ nkR/RTTzNHw/LhykCHbbg/kH6vzEPZrCxUxZruYXbYwwWP2qgxQ/ftRhvpQMWz4q 8uPGVGT+5QmwjOTv0SPSa32mT0Xd2oRhvbvy2URl81nfBLAAUz8W4CFyiNbxXzI2 SiWOxC0z5wdIMYX0i76B0Xwox6d6HeWdYAOgkk8lp5XxbFv06HremsTlmRH11ACC wC6Yh2bmGkHJdIY+Buf2yV0Kz2moyjuAfa0SM0R+P6KPOsaiNHuzUefpFQ2VXjED 5F9Ibgo0ZHgdKL+Uh08daCPzwE+lN9h40QobhVT95fZFHhrkKXQEHCKaZ9LQgjQI hZrRK8UBt+YuIZNys0KES5i0kwBrraNzThgZJFLiLYoThi2Z0vO5JDLpLMf3FaF4 uQBKd1y+0DgnGGodwrkE966HN2ZP+Mn2B7HA9bWjIp8BcavAhZxJ4/N/9b7tihyb jX0kSGGnbablnOgKZwQDsTc+umoe2Gb1k7t2vK74KTeRBY6yFWjbkD+S2OkyXGGM z3qpC6DKclY= =yweH -----END PGP SIGNATURE-----