Kaspersky ID:
KLA10765
Detect Date:
03/08/2016
Updated:
01/22/2024

Description

Multiple serious vulnerabilities have been found in Mozilla Firefox. Malicious users can exploit these vulnerabilities to cause denial of service, bypass security restrictions, obtain sensitive information, execute arbitrary code, spoof user interface, gain privileges and write local files.

Below is a complete list of vulnerabilities

  1. Multiple memory safety bugs at browser engine can be exploited remotely to cause denial of service and possibly execute arbitrary code;
  2. Lack of report URI restrictions at Content Security Policy (CSP) violation reports can be exploited remotely via a specially designed page to overwrite arbitrary file;
  3. Lack of specification restrictions implementation at CSP violation reports can be exploited remotely to obtain sensitive information;
  4. Improper memory handling can be exploited remotely via a specially designed WebGL operations to cause denial of service; (Linux)
  5. Memory leak at libstagefright can be exploited remotely via a specially designed MPEG4 video;
  6. An unknown vulnerability can be exploited remotely via a specially designed JavaScript to spoof user interface;
  7. An unknown vulnerability at Clients API in Service Workers can be exploited to cause denial of service or possibly execute arbitrary code;
  8. Use-after-free vulnerability at HTML5 string parser can be exploited remotely via a specially designed content to cause denial of service or possibly execute arbitrary code;
  9. Use-after-free vulnerability at HTMLDocument can be exploited remotely via a specially designed content to cause denial of service or execute arbitrary code;
  10. Use-after-free vulnerability at WebRTC can be exploited remotely to cause denial of service or execute arbitrary code;
  11. An unknown vulnerability at FileReader API can be exploited locally via files manipulation to cause denial of service or gain privileges;
  12. Use-after-free vulnerability at XML transformation can be exploited remotely via a specially designed web content;
  13. An unknown vulnerability can be exploited remotely via sites navigation manipulations to spoof user interface;
  14. An unknown vulnerability can be exploited remotely via a specially designed redirect to bypass security restrictions;
  15. Pointer underflow at Brotli can be exploited remotely to cause denial of service or execute arbitrary code;
  16. An improper pointer dereference at NPAPI can be exploited remotely via a specially designed plugin in concert with specially designed web content to cause denial of service or execute arbitrary code;
  17. An integer underflow at WebRTC possibly can be exploited remotely via a specially designed web content to cause denial of service or execute arbitrary code;
  18. Missing status check at WebRTC potentially can be exploited remotely via a specially designed web content to cause denial of service or execute arbitrary code; (Windows)
  19. Multiple race conditions at WebRTC potentially can be exploited remotely via a specially designed web content to cause denial of service or execute arbitrary code;
  20. Deleted pointers usage at WebRTC potentially can be exploited remotely via a specially designed web content to cause denial of service or execute arbitrary code;
  21. A race condition at LibVPX potentially can be exploited remotely via a specially designed web content to cause denial of service or execute arbitrary code;
  22. Use-after-free vulnerability at WebRTC can be exploited remotely via a specially designed web content to cause denial of service or possibly execute arbitrary code;
  23. Out-of-bounds vulnerability at HTML parser can be exploited remotely via a specially unicode strings or XML and SVG content to cause denial of service or possibly execute arbitrary code;
  24. Buffer overflow at obsolete version of Network Security Service (NSS) can be exploited remotely via a specially designed certificate to cause denial of service or execute arbitrary code;
  25. Use-after-free vulnerability at obsolete version of NSS can be exploited remotely via a specially designed key to cause denial of service;
  26. Multiple uninitialized memory usages, out-of-bounds read, out-of-bounds write and other unknown vulnerabilities can be exploited remotely to cause denial of service or possibly execute arbitrary code.

Technical details

Vulnerability (1) related to js/src/jit/arm/Assembler-arm.cpp and other unknown vectors.

Vulnerability (2) related to nsCSPContext::SendReports function in dom/security/nsCSPContext.cpp which does not prevent non-HTTP report-URI for a CSP violation report. This vulnerability can be triggered if user has disabled add-on signing and has installed unpacked add-on.

Vulnerability (3) caused by storing full path information for cross-origin iframe navigations.

Vulnerability (4) can be exploited via performing WebGL operations in a canvas requiring an unusually large amount buffer to be allocated. This vulnerability can be exploited on Linux with Intel video driver used. If vulnerability exploited successfully it will be required to reboot computer to return functionality.

Vulnerability (5) can be exploited via video which triggers a delete operation on an array.

Vulnerability (6) related to browser/base/content/browser.js which allows spoof address bar via jsvscropt: URL.

Vulnerability (8) can be exploited via content triggers mishandling of end tags. This vulnerability related to nsHtml5TreeBuilder.

Vulnerability (9) can be exploited via content triggers mishandling of root element, This vulnerability related to nsHTMLDocument::SetBody function in dom/html/nsHTMLDocument.cpp

Vulnerability (10) can be exploited via leveraging mishandling of WebRTC data-channel connection.

Vulnerability (11) can be exploited via files modification during FileReader API read operation.

Vulnerability (12) related to AtomicBaseIncDec function.

Vulnerability (13) can be exploited via navigation sequences which involve returning back. If user returns to original page displayed URL will not reflect reloaded page location.

Vulnerability (14) related to already fixed bug CVE-2015-7207. It was discovered that history navigation in restored browser session still allow same attack.

Vulnerability (16) related to nsNPObjWrapper::GetNewOrUsed function in dom/plugins/base/nsJSNPRuntime.cpp

Vulnerability (17) related to srtp_unprotect function.

Vulnerability (18) related to I420VideoFrame::CreateFrame function on Windows.

Vulnerability (19) related to dom/media/systemservices/CamerasChild.cpp

Vulnerability (20) related to DesktopDisplayDevice class.

Vulnerability (22) related to GetStaticInstance function.

Vulnerability (23) related to nsScannerString::AppendUnicodeTo function which does not verify success of memory allocation.

Vulnerability (24) related to vulnerability in NSS versions earlier than 3.19.2.3 and 3.20 versions earlier than 3.21. This vulnerability can be exploited remotely via a specially designed ASN.1 data in X.509 certificate.

Vulnerability (25) related to PK11_ImportDERPrivateKeyInfoAndReturnKey function. This vulnerability can be exploited via a key with DER encoded data.

Vulnerability (26) related to multiple different vulnerabilities in code which corresponds vectors listed below:

  1. Machine::Code::decoder::analysis::set_ref function;
  2. graphite2::TtfUtil::GetTableInfo function;
  3. graphite2::GlyphCache::glyph function;
  4. graphite2::Slot::getAttr function in Slot.cpp;
  5. CachedCmap.cpp;
  6. graphite2::TtfUtil::CmapSubtable12NextCodepoint function;
  7. graphite2::FileFace::get_table_fn function;
  8. graphite2::vm::Machine::Code::Code function;
  9. graphite2::TtfUtil::CmapSubtable12Lookup function;
  10. graphite2::GlyphCache::Loader::Loader function;
  11. graphite2::Slot::setAttr function;
  12. graphite2::TtfUtil::CmapSubtable4NextCodepoint function;

Original advisories

Exploitation

Public exploits exist for this vulnerability.

Related products

CVE list

  • CVE-2016-2802
    high
  • CVE-2016-2801
    high
  • CVE-2016-2800
    high
  • CVE-2016-2799
    critical
  • CVE-2016-2798
    high
  • CVE-2016-2797
    high
  • CVE-2016-2796
    high
  • CVE-2016-2795
    high
  • CVE-2016-2794
    critical
  • CVE-2016-2793
    high
  • CVE-2016-2792
    high
  • CVE-2016-2791
    high
  • CVE-2016-2790
    high
  • CVE-2016-1979
    high
  • CVE-2016-1977
    high
  • CVE-2016-1976
    high
  • CVE-2016-1975
    high
  • CVE-2016-1974
    high
  • CVE-2016-1973
    high
  • CVE-2016-1972
    high
  • CVE-2016-1971
    high
  • CVE-2016-1970
    high
  • CVE-2016-1968
    high
  • CVE-2016-1967
    warning
  • CVE-2016-1966
    high
  • CVE-2016-1965
    warning
  • CVE-2016-1964
    high
  • CVE-2016-1950
    high
  • CVE-2016-1952
    high
  • CVE-2016-1953
    high
  • CVE-2016-1954
    high
  • CVE-2016-1955
    warning
  • CVE-2016-1956
    high
  • CVE-2016-1957
    warning
  • CVE-2016-1958
    warning
  • CVE-2016-1959
    high
  • CVE-2016-1960
    high
  • CVE-2016-1961
    high
  • CVE-2016-1962
    critical
  • CVE-2016-1963
    warning

Read more

Find out the statistics of the vulnerabilities spreading in your region on statistics.securelist.com

Found an inaccuracy in the description of this vulnerability? Let us know!
Kaspersky Next
Let’s go Next: redefine your business’s cybersecurity
Learn more
New Kaspersky!
Your digital life deserves complete protection!
Learn more
Confirm changes?
Your message has been sent successfully.