Kaspersky ID:
KLA10643
Detect Date:
08/11/2015
Updated:
09/26/2023

Description

Multiple serious vulnerabilities have been found in Mozilla Firefox. Malicious users can exploit these vulnerabilities to cause denial of service, bypass security restrictions, conduct CSS attack, gain privileges or execute arbitrary code.

Below is a complete list of vulnerabilities

  1. Several memory safety bugs can be exploited remotely via an unknown vectors to cause denial of service or execute arbitrary code;
  2. Out-of-bounds reading error can be exploited remotely via a specially designed MP3 file to cause denial of service or execute arbitrary code;
  3. Use-after-free vulnerability at Web Audio API can be exploited remotely via an unknown vectors to cause denial of service or execute arbitrary code;
  4. An unknown vulnerability can be exploited via specially designed JSON to bypass intended restrictions;
  5. Multiple overflows can be exploited remotely via a specially designed MPEG4 video to cause denial of service or execute arbitrary code;
  6. Race condition at Mozilla Maintenance Service can be exploited locally (Microsoft Windows only) to execute arbitrary code or gain privileges;
  7. Improper files handling at Updater can be exploited locally via a specially designed MAR file to cause denial of service or execute arbitrary code;
  8. An unknown vulnerability can be exploited remotely via address manipulation to conduct man-in-the-middle attack and bypass intended restrictions;
  9. An unknown vulnerability at JavaScript can be exploited remotely via a specially designed views to cause denial of service;
  10. Heap overflow can be exploited remotely via a specially designed bitmap (for Linux with Gnome only) to cause denial of service or execute arbitrary code;
  11. Buffer overflows can be exploited remotely via a specially designed WebM file to cause denial of service or execute arbitrary code;
  12. Multiple memory vulnerabilities can be exploited via an unknown vectors to cause denial of service;
  13. Improper implementation of security policies can be exploited remotely via a specially design URLs to conduct cross-site-scripting attack;
  14. Use-after-free vulnerability can be exploited remotely via an unknown vectors to cause denial of service.

Technical details

Bugs named in (1) are unexploitable at all. But some can be exploited under certain circumstances and some of exploitable can cause code execution.

(2) to exploit this vulnerability malicious can design MP3 file which switches sample formats.

(3) occurs at interaction of MediaStream with Web Audio API.

Some non-configurable properties on JS objects can be changed while JSON interaction. Which cause same-origin bypass (4).

MPEG4 can be used to exploit (5) via malicious ‘saio’ chunk, invalid size parameter in ESDS chunk or artlessly corrupt file.

Usage of a hard link by means of race condition at Mozilla Maintenance Service on Windows can write log file into restricted location. If someone can run privileged program which used overwrote file (6) can be triggered.

(7) can be exploited by specially designed name of MAR (Mozilla ARchive) file. Also to exploit this vulnerability malicious user must create such named file and let Updater use it.

Opening target page prefixed by feed: using POST disabling mixed content blocker for that page (8).

(9) caused by a crash, occurs when JavaScript when using shared memory, does not properly gate access to Atomics or SharedArrayBuffer views.

Heap overflow in gdk-pixbuf causes (10), which can be triggered by bitmap scaling.

(11) caused by buffer overflows in Libvpx used for WebN video decoding.

(12) explored through code inspection and doesn’t have clear exploit mechanism. But vulnerable if mechanism would be found.

CSP implementation in Firefox does not match specification. By specification states that blob, data and filesystem URLs should be excluded when matching wildcard. But current culnerable implementation allows these URLs in case of asterisk (*) wildcard (13).

(14) can be triggered by recursive calling .open() on an XMLHttpRequest in a SharedWorker.

Original advisories

Exploitation

Public exploits exist for this vulnerability.

Related products

CVE list

  • CVE-2015-4493
    critical
  • CVE-2015-4492
    critical
  • CVE-2015-4491
    high
  • CVE-2015-4490
    warning
  • CVE-2015-4489
    critical
  • CVE-2015-4488
    critical
  • CVE-2015-4487
    critical
  • CVE-2015-4486
    critical
  • CVE-2015-4485
    critical
  • CVE-2015-4484
    critical
  • CVE-2015-4483
    warning
  • CVE-2015-4482
    warning
  • CVE-2015-4481
    warning
  • CVE-2015-4480
    critical
  • CVE-2015-4479
    critical
  • CVE-2015-4478
    critical
  • CVE-2015-4477
    critical
  • CVE-2015-4475
    critical
  • CVE-2015-4474
    critical
  • CVE-2015-4473
    critical

Read more

Find out the statistics of the vulnerabilities spreading in your region on statistics.securelist.com

Found an inaccuracy in the description of this vulnerability? Let us know!
Kaspersky Next
Let’s go Next: redefine your business’s cybersecurity
Learn more
New Kaspersky!
Your digital life deserves complete protection!
Learn more
Confirm changes?
Your message has been sent successfully.