===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2017.0019
           Mozilla Foundation Security Advisories March 7, 2017
                               8 March 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Mozilla Firefox
                      Mozilla Firefox ESR
                      Mozilla Thunderbird
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Delete Arbitrary Files          -- Existing Account
                      Access Confidential Data        -- Remote with User Interaction
                      Provide Misleading Information  -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2017-5410 CVE-2017-5408 CVE-2017-5407
                      CVE-2017-5405 CVE-2017-5404 CVE-2017-5402
                      CVE-2017-5401 CVE-2017-5400 CVE-2017-5398
Member content until: Friday, April 7 2017

OVERVIEW

        Critical vulnerabilities have been identified in Mozilla Firefox
        prior to version 52, Firefox ESR 45.8 and Thunderbird 45.8. [1 - 3]


IMPACT

        The vendor has provided the following details regarding the
        vulnerability:

        "CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP

        JIT-spray targeting asm.js combined with a heap spray allows for a
        bypass of ASLR and DEP protections leading to potential memory
        corruption attacks.

        CVE-2017-5401: Memory Corruption when handling ErrorResult

        A crash triggerable by web content in which an ErrorResult
        references unassigned memory due to a logic error. The resulting
        crash may be exploitable.

        CVE-2017-5402: Use-after-free working with events in FontFace
        objects

        A use-after-free can occur when events are fired for a FontFace
        object after the object has already been destroyed while working
        with fonts. This results in a potentially exploitable crash.

        CVE-2017-5404: Use-after-free working with ranges in selections

        A use-after-free error can occur when manipulating ranges in
        selections with one node inside a native anonymous tree and one
        node outside of it. This results in a potentially exploitable
        crash.

        CVE-2017-5407: Pixel and history stealing via floating-point
        timing side channel with SVG filters

        Using SVG filters that don't use the fixed point math
        implementation on a target iframe, a malicious page can extract
        pixel values from a targeted user. This can be used to extract
        history information and read text values across domains. This
        violates same-origin policy and leads to information disclosure.

        CVE-2017-5410: Memory corruption during JavaScript garbage
        collection incremental sweeping

        Memory corruption resulting in a potentially exploitable crash
        during garbage collection of JavaScript due to errors in how
        incremental sweeping is managed for memory cleanup.

        CVE-2017-5408: Cross-origin reading of video captions in
        violation of CORS

        Video files loaded video captions cross-origin without checking
        for the presence of CORS headers permitting such cross-origin use,
        leading to potential information disclosure for video captions.

        CVE-2017-5405: FTP response codes can cause use of uninitialized
        values for ports

        Certain response codes in FTP connections can result in the use of
        uninitialized values for ports in FTP operations.

        CVE-2017-5398: Memory safety bugs fixed in Thunderbird 45.8

        Mozilla developers and community members Boris Zbarsky, Christian
        Holler, Honza Bambas, Jon Coppeard, Randell Jesup, André Bargull,
        Kan-Ru Chen, and Nathan Froyd reported memory safety bugs present
        in Thunderbird 45.7. Some of these bugs showed evidence of memory
        corruption and we presume that with enough effort that some of
        these could be exploited to run arbitrary code." [1 - 3]


MITIGATION

        Mozilla advises upgrading to the latest version to address these
        issues. [1 - 3]


REFERENCES

        [1] Mozilla Foundation Security Advisory 2017-05
            https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/

        [2] Mozilla Foundation Security Advisory 2017-06
            https://www.mozilla.org/en-US/security/advisories/mfsa2017-06/

        [3] Mozilla Foundation Security Advisory 2017-07
            https://www.mozilla.org/en-US/security/advisories/mfsa2017-07/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation.  The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures.  AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
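
The version check implied by the OVERVIEW and MITIGATION sections, as an added example that is not part of the AusCERT bulletin or Mozilla's advisories. It treats Firefox 52, Firefox ESR 45.8 and Thunderbird 45.8 as the fixed releases; the product keys, host names and inventory format are assumptions constructed for illustration.

```python
import re

# Fixed releases taken from the bulletin's OVERVIEW.
# The dictionary keys are hypothetical inventory labels, not official names.
FIXED = {
    "firefox": (52,),
    "firefox-esr": (45, 8),
    "thunderbird": (45, 8),
}

def parse_version(text):
    """Turn '51.0.1' or '45.7.0esr' into a tuple of ints, dropping an 'esr' suffix."""
    m = re.match(r"^(\d+(?:\.\d+)*)(?:esr)?$", text.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))

def _pad(version, width):
    """Right-pad with zeros so (52,) and (52, 0) compare as equal."""
    return version + (0,) * (width - len(version))

def is_affected(product, version):
    """True if the installed version is lower than the fixed release."""
    fixed = FIXED[product]
    installed = parse_version(version)
    width = max(len(fixed), len(installed))
    return _pad(installed, width) < _pad(fixed, width)

def audit(inventory_text):
    """Return (host, product, version) rows that still need the upgrade."""
    findings = []
    for line in inventory_text.strip().splitlines():
        host, product, version = line.split()
        if product in FIXED and is_affected(product, version):
            findings.append((host, product, version))
    return findings

# Constructed inventory: host, product label, reported version.
SAMPLE = """
ws-001 firefox 51.0.1
ws-002 firefox 52.0
ws-003 firefox-esr 45.7.0esr
ws-004 firefox-esr 45.8.0esr
ws-005 thunderbird 45.7.1
ws-006 thunderbird 45.8.0
ws-007 firefox-esr 52.0esr
"""

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print("needs upgrade:", *row)
```

The release and ESR channels are kept as separate keys because a bare version number such as 45.8.0 does not say which channel it belongs to, and the fixed version differs between them.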