===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2017.0019
           Mozilla Foundation Security Advisories March 7, 2017
                               8 March 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Mozilla Firefox
                      Mozilla Firefox ESR
                      Mozilla Thunderbird
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Delete Arbitrary Files          -- Existing Account            
                      Access Confidential Data        -- Remote with User Interaction
                      Provide Misleading Information  -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2017-5410 CVE-2017-5408 CVE-2017-5407
                      CVE-2017-5405 CVE-2017-5404 CVE-2017-5402
                      CVE-2017-5401 CVE-2017-5400 CVE-2017-5398
Member content until: Friday, April  7 2017

OVERVIEW

        Critical vulnerabilities have been identified in Mozilla Firefox 
        prior to version 52, Firefox ESR prior to 45.8 and Thunderbird 
        prior to 45.8. [1 - 3]


IMPACT

        The vendor has provided the following details regarding the 
        vulnerability:
        
        "#CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP
        
        JIT-spray targeting asm.js combined with a heap spray allows for a 
        bypass of ASLR and DEP protections leading to potential memory 
        corruption attacks.
        
        #CVE-2017-5401: Memory Corruption when handling ErrorResult
        
        A crash triggerable by web content in which an ErrorResult 
        references unassigned memory due to a logic error. The resulting 
        crash may be exploitable.
        
        #CVE-2017-5402: Use-after-free working with events in FontFace 
        objects
        
        A use-after-free can occur when events are fired for a FontFace 
        object after the object has already been destroyed while 
        working with fonts. This results in a potentially exploitable crash.
        
        #CVE-2017-5404: Use-after-free working with ranges in selections
        
        A use-after-free error can occur when manipulating ranges in 
        selections with one node inside a native anonymous tree and one node
        outside of it. This results in a potentially exploitable crash.
        
        #CVE-2017-5407: Pixel and history stealing via floating-point timing
        side channel with SVG filters
        
        Using SVG filters that don't use the fixed point math implementation
        on a target iframe, a malicious page can extract pixel values from a
        targeted user. This can be used to extract history information and 
        read text values across domains. This violates same-origin policy 
        and leads to information disclosure.
        
        #CVE-2017-5410: Memory corruption during JavaScript garbage 
        collection incremental sweeping
        
        Memory corruption resulting in a potentially exploitable crash 
        during garbage collection of JavaScript due to errors in how 
        incremental sweeping is managed for memory cleanup.
        
        #CVE-2017-5408: Cross-origin reading of video captions in violation
        of CORS
        
        Video files loaded video captions cross-origin without checking for
        the presence of CORS headers permitting such cross-origin use, 
        leading to potential information disclosure for video captions.
        
        #CVE-2017-5405: FTP response codes can cause use of uninitialized 
        values for ports
        
        Certain response codes in FTP connections can result in the use of 
        uninitialized values for ports in FTP operations.
        
        #CVE-2017-5398: Memory safety bugs fixed in Thunderbird 45.8
        
        Mozilla developers and community members Boris Zbarsky, Christian 
        Holler, Honza Bambas, Jon Coppeard, Randell Jesup, André Bargull, 
        Kan-Ru Chen, and Nathan Froyd reported memory safety bugs present in
        Thunderbird 45.7. Some of these bugs showed evidence of memory 
        corruption and we presume that with enough effort some of these
        could be exploited to run arbitrary code." [1 - 3]


MITIGATION

        Mozilla advises upgrading to the latest version to address these 
        issues. [1 - 3]
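        As an added example (not part of this bulletin or of Mozilla's
        advisories), the following Python helper flags installed versions
        that are below the fixed releases named in the OVERVIEW, so an
        inventory can be triaged for this upgrade. The product keys, the
        handling of the "esr" version suffix and the sample inventory are
        assumptions made for the example.

```python
# Added example: flag Mozilla product versions below the fixed releases
# named in the bulletin (Firefox 52, Firefox ESR 45.8, Thunderbird 45.8).
import re

# Minimum fixed (major, minor) per product, as stated in the OVERVIEW.
# The product keys are an assumption of this example.
FIXED_VERSIONS = {
    "firefox": (52, 0),
    "firefox-esr": (45, 8),
    "thunderbird": (45, 8),
}

# Accepts "52.0", "45.7.1", "45.7.0esr", "52.0b9"; rejects anything else.
_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?([a-z]+\d*)?$")


def parse_version(version):
    """Return ((major, minor, patch), suffix) or raise ValueError on junk."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % version)
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor or 0), int(patch or 0)), (suffix or "")


def product_key(product, version):
    """Route an 'esr'-suffixed Firefox build to the ESR channel, whose
    fixed version (45.8) is lower than the release channel's (52)."""
    _, suffix = parse_version(version)
    if product == "firefox" and suffix.startswith("esr"):
        return "firefox-esr"
    return product


def is_affected(product, version):
    """True when the version is older than the fixed release for its channel."""
    key = product_key(product, version)
    if key not in FIXED_VERSIONS:
        raise ValueError("unknown product: %r" % product)
    nums, _ = parse_version(version)
    return nums[:2] < FIXED_VERSIONS[key]


def triage(inventory):
    """Return the (host, product, version) entries that still need the upgrade."""
    return [entry for entry in inventory if is_affected(entry[1], entry[2])]


# Constructed sample inventory (not real hosts) for a stand-alone run.
SAMPLE_INVENTORY = [
    ("ws01", "firefox", "51.0.1"),
    ("ws02", "firefox", "52.0"),
    ("srv03", "firefox", "45.7.0esr"),
    ("srv04", "firefox", "45.8.0esr"),
    ("ws05", "thunderbird", "45.7.1"),
]
```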


REFERENCES

        [1] Mozilla Foundation Security Advisory 2017-05
            https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/

        [2] Mozilla Foundation Security Advisory 2017-06
            https://www.mozilla.org/en-US/security/advisories/mfsa2017-06/

        [3] Mozilla Foundation Security Advisory 2017-07
            https://www.mozilla.org/en-US/security/advisories/mfsa2017-07/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================