Hash: SHA256

                         AUSCERT Security Bulletin

           Mozilla Foundation Security Advisories March 7, 2017
                               8 March 2017


        AusCERT Security Bulletin Summary

Product:              Mozilla Firefox
                      Mozilla Firefox ESR
                      Mozilla Thunderbird
Operating System:     UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Delete Arbitrary Files          -- Existing Account            
                      Access Confidential Data        -- Remote with User Interaction
                      Provide Misleading Information  -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2017-5410 CVE-2017-5408 CVE-2017-5407
                      CVE-2017-5405 CVE-2017-5404 CVE-2017-5402
                      CVE-2017-5401 CVE-2017-5400 CVE-2017-5398
Member content until: Friday, April  7 2017


        Critical vulnerabilities have been identified in Mozilla Firefox 
        prior to version 52, Firefox ESR 45.8 and Thunderbird 45.8. [1 -3]


        The vendor has provided the following details regarding the 
        "CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP
        JIT-spray targeting asm.js combined with a heap spray allows for a 
        bypass of ASLR and DEP protections leading to potential memory 
        corruption attacks.
        #CVE-2017-5401: Memory Corruption when handling ErrorResult
        A crash triggerable by web content in which an ErrorResult 
        references unassigned memory due to a logic error. The resulting 
        crash may be exploitable.
        #CVE-2017-5402: Use-after-free working with events in FontFace 
        A use-after-free can occur when events are fired for a FontFace 
        object after the object has been already been destroyed while 
        working with fonts. This results in a potentially exploitable crash.
        #CVE-2017-5404: Use-after-free working with ranges in selections
        A use-after-free error can occur when manipulating ranges in 
        selections with one node inside a native anonymous tree and one node
        outside of it. This results in a potentially exploitable crash.
        #CVE-2017-5407: Pixel and history stealing via floating-point timing
        side channel with SVG filters
        Using SVG filters that don't use the fixed point math implementation
        on a target iframe, a malicious page can extract pixel values from a
        targeted user. This can be used to extract history information and 
        read text values across domains. This violates same-origin policy 
        and leads to information disclosure.
        #CVE-2017-5410: Memory corruption during JavaScript garbage 
        collection incremental sweeping
        Memory corruption resulting in a potentially exploitable crash 
        during garbage collection of JavaScript due errors in how 
        incremental sweeping is managed for memory cleanup.
        #CVE-2017-5408: Cross-origin reading of video captions in violation
        of CORS
        Video files loaded video captions cross-origin without checking for
        the presence of CORS headers permitting such cross-origin use, 
        leading to potential information disclosure for video captions.
        #CVE-2017-5405: FTP response codes can cause use of uninitialized 
        values for ports
        Certain response codes in FTP connections can result in the use of 
        uninitialized values for ports in FTP operations.
        #CVE-2017-5398: Memory safety bugs fixed in Thunderbird 45.8
        Mozilla developers and community members Boris Zbarsky, Christian 
        Holler, Honza Bambas, Jon Coppeard, Randell Jesup, André Bargull, 
        Kan-Ru Chen, and Nathan Froyd reported memory safety bugs present in
        Thunderbird 45.7. Some of these bugs showed evidence of memory 
        corruption and we presume that with enough effort that some of these
        could be exploited to run arbitrary code." [1 - 3]


        Mozilla advises upgrading to the latest version to address this 
        issues. [1 - 3]


        [1] Mozilla Foundation Security Advisory 2017-05

        [2] Mozilla Foundation Security Advisory 2017-06

        [3] Mozilla Foundation Security Advisory 2017-07

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967