08 March 2017
-----BEGIN PGP SIGNED MESSAGE-----
AUSCERT Security Bulletin
Mozilla Foundation Security Advisories March 7, 2017
8 March 2017
AusCERT Security Bulletin Summary
Product: Mozilla Firefox
Mozilla Firefox ESR
Operating System: UNIX variants (UNIX, Linux, OSX)
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Denial of Service -- Remote with User Interaction
Delete Arbitrary Files -- Existing Account
Access Confidential Data -- Remote with User Interaction
Provide Misleading Information -- Remote with User Interaction
CVE Names: CVE-2017-5410 CVE-2017-5408 CVE-2017-5407
CVE-2017-5405 CVE-2017-5404 CVE-2017-5402
CVE-2017-5401 CVE-2017-5400 CVE-2017-5398
Member content until: Friday, April 7 2017
Critical vulnerabilities have been identified in Mozilla Firefox
prior to version 52, Firefox ESR 45.8 and Thunderbird 45.8. [1 - 3]
The vendor has provided the following details regarding the
"CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP
JIT-spray targeting asm.js combined with a heap spray allows for a
bypass of ASLR and DEP protections leading to potential memory
#CVE-2017-5401: Memory Corruption when handling ErrorResult
A crash triggerable by web content in which an ErrorResult
references unassigned memory due to a logic error. The resulting
crash may be exploitable.
#CVE-2017-5402: Use-after-free working with events in FontFace
A use-after-free can occur when events are fired for a FontFace
object after the object has already been destroyed while
working with fonts. This results in a potentially exploitable crash.
#CVE-2017-5404: Use-after-free working with ranges in selections
A use-after-free error can occur when manipulating ranges in
selections with one node inside a native anonymous tree and one node
outside of it. This results in a potentially exploitable crash.
#CVE-2017-5407: Pixel and history stealing via floating-point timing
side channel with SVG filters
Using SVG filters that don't use the fixed point math implementation
on a target iframe, a malicious page can extract pixel values from a
targeted user. This can be used to extract history information and
read text values across domains. This violates same-origin policy
and leads to information disclosure.
collection incremental sweeping
Memory corruption resulting in a potentially exploitable crash
incremental sweeping is managed for memory cleanup.
#CVE-2017-5408: Cross-origin reading of video captions in violation
Video files loaded video captions cross-origin without checking for
the presence of CORS headers permitting such cross-origin use,
leading to potential information disclosure for video captions.
#CVE-2017-5405: FTP response codes can cause use of uninitialized
values for ports
Certain response codes in FTP connections can result in the use of
uninitialized values for ports in FTP operations.
#CVE-2017-5398: Memory safety bugs fixed in Thunderbird 45.8
Mozilla developers and community members Boris Zbarsky, Christian
Holler, Honza Bambas, Jon Coppeard, Randell Jesup, André Bargull,
Kan-Ru Chen, and Nathan Froyd reported memory safety bugs present in
Thunderbird 45.7. Some of these bugs showed evidence of memory
corruption and we presume that with enough effort that some of these
could be exploited to run arbitrary code." [1 - 3]
Mozilla advises upgrading to the latest version to address these
issues. [1 - 3]
[1] Mozilla Foundation Security Advisory 2017-05
[2] Mozilla Foundation Security Advisory 2017-06
[3] Mozilla Foundation Security Advisory 2017-07
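A fleet check against the fixed versions stated in this bulletin (Firefox 52, Firefox ESR 45.8, Thunderbird 45.8), as an added example that is not part of the AusCERT bulletin or the Mozilla advisories. The inventory format (host, product, version, with an "esr" suffix marking ESR builds), the host names and the function names are assumptions; the sample inventory is constructed.

```python
import re

# Fixed versions as stated in the bulletin.
FIXED = {"firefox": (52, 0), "firefox-esr": (45, 8), "thunderbird": (45, 8)}

# Constructed sample inventory: "<host> <product> <version>" (assumed format).
INVENTORY = """\
ws-01 firefox 51.0.1
ws-02 firefox 52.0
ws-03 firefox 45.7.0esr
ws-04 firefox 45.8.0esr
ws-05 firefox 46.0.1
ws-06 thunderbird 45.7.1
ws-07 thunderbird 45.8.0
ws-08 firefox 52.0b9
"""

def parse_version(text):
    """Return (numeric tuple, is_esr) for strings like '51.0.1' or '45.7.0esr'."""
    m = re.match(r"^(\d+(?:\.\d+)*)(esr)?$", text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split(".")), bool(m.group(2))

def needs_update(product, version):
    """True if the installed version is older than the fixed version for its channel."""
    nums, is_esr = parse_version(version)
    key = product.lower()
    # ESR builds are compared with 45.8; release builds with 52, so a
    # release 46.x is still flagged although 46 > 45.8 numerically.
    if key == "firefox" and is_esr:
        key = "firefox-esr"
    fixed = FIXED[key]
    width = max(len(nums), len(fixed))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(nums) < pad(fixed)

def triage(inventory):
    """Map each host to 'update', 'ok', or 'review' (unparseable or unknown product)."""
    report = {}
    for line in inventory.splitlines():
        host, product, version = line.split()
        try:
            report[host] = "update" if needs_update(product, version) else "ok"
        except (ValueError, KeyError):
            report[host] = "review"
    return report
```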
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: firstname.lastname@example.org
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----