KLA10643
Multiple vulnerabilities in Mozilla Firefox and Firefox ESR

Multiple serious vulnerabilities have been found in Mozilla Firefox. Malicious users can exploit these vulnerabilities to cause denial of service, bypass security restrictions, conduct CSS attack, gain privileges or execute arbitrary code.

Below is a complete list of vulnerabilities

1. Several memory safety bugs can be exploited remotely via an unknown vectors to cause denial of service or execute arbitrary code;
2. Out-of-bounds reading error can be exploited remotely via a specially designed MP3 file to cause denial of service or execute arbitrary code;
3. Use-after-free vulnerability at Web Audio API can be exploited remotely via an unknown vectors to cause denial of service or execute arbitrary code;
4. An unknown vulnerability can be exploited via specially designed JSON to bypass intended restrictions;
5. Multiple overflows can be exploited remotely via a specially designed MPEG4 video to cause denial of service or execute arbitrary code;
6. Race condition at Mozilla Maintenance Service can be exploited locally (Microsoft Windows only) to execute arbitrary code or gain privileges;
7. Improper files handling at Updater can be exploited locally via a specially designed MAR file to cause denial of service or execute arbitrary code;
8. An unknown vulnerability can be exploited remotely via address manipulation to conduct man-in-the-middle attack and bypass intended restrictions;
9. An unknown vulnerability at JavaScript can be exploited remotely via a specially designed views to cause denial of service;
10. Heap overflow can be exploited remotely via a specially designed bitmap (for Linux with Gnome only) to cause denial of service or execute arbitrary code;
11. Buffer overflows can be exploited remotely via a specially designed WebM file to cause denial of service or execute arbitrary code;
12. Multiple memory vulnerabilities can be exploited via an unknown vectors to cause denial of service;
13. Improper implementation of security policies can be exploited remotely via a specially design URLs to conduct cross-site-scripting attack;
14. Use-after-free vulnerability can be exploited remotely via an unknown vectors to cause denial of service.

Technical details

Bugs named in (1) are unexploitable at all. But some can be exploited under certain circumstances and some of exploitable can cause code execution.

(2) to exploit this vulnerability malicious can design MP3 file which switches sample formats.

(3) occurs at interaction of MediaStream with Web Audio API.

Some non-configurable properties on JS objects can be changed while JSON interaction. Which cause same-origin bypass (4).

MPEG4 can be used to exploit (5) via malicious ‘saio’ chunk, invalid size parameter in ESDS chunk or artlessly corrupt file.

Usage of a hard link by means of race condition at Mozilla Maintenance Service on Windows can write log file into restricted location. If someone can run privileged program which used overwrote file (6) can be triggered.

(7) can be exploited by specially designed name of MAR (Mozilla ARchive) file. Also to exploit this vulnerability malicious user must create such named file and let Updater use it.

Opening target page prefixed by feed: using POST disabling mixed content blocker for that page (8).

(9) caused by a crash, occurs when JavaScript when using shared memory, does not properly gate access to Atomics or SharedArrayBuffer views.

Heap overflow in gdk-pixbuf causes (10), which can be triggered by bitmap scaling.

(11) caused by buffer overflows in Libvpx used for WebN video decoding.

(12) explored through code inspection and doesn’t have clear exploit mechanism. But vulnerable if mechanism would be found.

CSP implementation in Firefox does not match specification. By specification states that blob, data and filesystem URLs should be excluded when matching wildcard. But current culnerable implementation allows these URLs in case of asterisk (*) wildcard (13).

(14) can be triggered by recursive calling .open() on an XMLHttpRequest in a SharedWorker.

Mozilla Firefox versions earlier than 40.0
Mozilla Firefox ESR versions earlier than 38.2

Update to the latest version
Get Firefox ESR
Get Firefox

Public exploits exist for this vulnerability.