Описание
Multiple serious vulnerabilities have been found in Mozilla Firefox. Malicious users can exploit these vulnerabilities to cause denial of service, bypass security restrictions, obtain sensitive information, execute arbitrary code, spoof user interface, gain privileges and write local files.
Below is a complete list of vulnerabilities
- Multiple memory safety bugs at browser engine can be exploited remotely to cause denial of service and possibly execute arbitrary code;
- Lack of report URI restrictions at Content Security Policy (CSP) violation reports can be exploited remotely via a specially designed page to overwrite arbitrary file;
- Lack of specification restrictions implementation at CSP violation reports can be exploited remotely to obtain sensitive information;
- Improper memory handling can be exploited remotely via a specially designed WebGL operations to cause denial of service; (Linux)
- Memory leak at libstagefright can be exploited remotely via a specially designed MPEG4 video;
- An unknown vulnerability can be exploited remotely via a specially designed JavaScript to spoof user interface;
- An unknown vulnerability at Clients API in Service Workers can be exploited to cause denial of service or possibly execute arbitrary code;
- Use-after-free vulnerability at HTML5 string parser can be exploited remotely via a specially designed content to cause denial of service or possibly execute arbitrary code;
- Use-after-free vulnerability at HTMLDocument can be exploited remotely via a specially designed content to cause denial of service or execute arbitrary code;
- Use-after-free vulnerability at WebRTC can be exploited remotely to cause denial of service or execute arbitrary code;
- An unknown vulnerability at FileReader API can be exploited locally via files manipulation to cause denial of service or gain privileges;
- Use-after-free vulnerability at XML transformation can be exploited remotely via a specially designed web content;
- An unknown vulnerability can be exploited remotely via sites navigation manipulations to spoof user interface;
- An unknown vulnerability can be exploited remotely via a specially designed redirect to bypass security restrictions;
- Pointer underflow at Brotli can be exploited remotely to cause denial of service or execute arbitrary code;
- An improper pointer dereference at NPAPI can be exploited remotely via a specially designed plugin in concert with specially designed web content to cause denial of service or execute arbitrary code;
- An integer underflow at WebRTC possibly can be exploited remotely via a specially designed web content to cause denial of service or execute arbitrary code;
- Missing status check at WebRTC potentially can be exploited remotely via a specially designed web content to cause denial of service or execute arbitrary code; (Windows)
- Multiple race conditions at WebRTC potentially can be exploited remotely via a specially designed web content to cause denial of service or execute arbitrary code;
- Deleted pointers usage at WebRTC potentially can be exploited remotely via a specially designed web content to cause denial of service or execute arbitrary code;
- A race condition at LibVPX potentially can be exploited remotely via a specially designed web content to cause denial of service or execute arbitrary code;
- Use-after-free vulnerability at WebRTC can be exploited remotely via a specially designed web content to cause denial of service or possibly execute arbitrary code;
- Out-of-bounds vulnerability at HTML parser can be exploited remotely via a specially unicode strings or XML and SVG content to cause denial of service or possibly execute arbitrary code;
- Buffer overflow at obsolete version of Network Security Service (NSS) can be exploited remotely via a specially designed certificate to cause denial of service or execute arbitrary code;
- Use-after-free vulnerability at obsolete version of NSS can be exploited remotely via a specially designed key to cause denial of service;
- Multiple uninitialized memory usages, out-of-bounds read, out-of-bounds write and other unknown vulnerabilities can be exploited remotely to cause denial of service or possibly execute arbitrary code.
Technical details
Vulnerability (1) related to js/src/jit/arm/Assembler-arm.cpp and other unknown vectors.
Vulnerability (2) related to nsCSPContext::SendReports function in dom/security/nsCSPContext.cpp which does not prevent non-HTTP report-URI for a CSP violation report. This vulnerability can be triggered if user has disabled add-on signing and has installed unpacked add-on.
Vulnerability (3) caused by storing full path information for cross-origin iframe navigations.
Vulnerability (4) can be exploited via performing WebGL operations in a canvas requiring an unusually large amount buffer to be allocated. This vulnerability can be exploited on Linux with Intel video driver used. If vulnerability exploited successfully it will be required to reboot computer to return functionality.
Vulnerability (5) can be exploited via video which triggers a delete operation on an array.
Vulnerability (6) related to browser/base/content/browser.js which allows spoof address bar via jsvscropt: URL.
Vulnerability (8) can be exploited via content triggers mishandling of end tags. This vulnerability related to nsHtml5TreeBuilder.
Vulnerability (9) can be exploited via content triggers mishandling of root element, This vulnerability related to nsHTMLDocument::SetBody function in dom/html/nsHTMLDocument.cpp
Vulnerability (10) can be exploited via leveraging mishandling of WebRTC data-channel connection.
Vulnerability (11) can be exploited via files modification during FileReader API read operation.
Vulnerability (12) related to AtomicBaseIncDec function.
Vulnerability (13) can be exploited via navigation sequences which involve returning back. If user returns to original page displayed URL will not reflect reloaded page location.
Vulnerability (14) related to already fixed bug CVE-2015-7207. It was discovered that history navigation in restored browser session still allow same attack.
Vulnerability (16) related to nsNPObjWrapper::GetNewOrUsed function in dom/plugins/base/nsJSNPRuntime.cpp
Vulnerability (17) related to srtp_unprotect function.
Vulnerability (18) related to I420VideoFrame::CreateFrame function on Windows.
Vulnerability (19) related to dom/media/systemservices/CamerasChild.cpp
Vulnerability (20) related to DesktopDisplayDevice class.
Vulnerability (22) related to GetStaticInstance function.
Vulnerability (23) related to nsScannerString::AppendUnicodeTo function which does not verify success of memory allocation.
Vulnerability (24) related to vulnerability in NSS versions earlier than 3.19.2.3 and 3.20 versions earlier than 3.21. This vulnerability can be exploited remotely via a specially designed ASN.1 data in X.509 certificate.
Vulnerability (25) related to PK11_ImportDERPrivateKeyInfoAndReturnKey function. This vulnerability can be exploited via a key with DER encoded data.
Vulnerability (26) related to multiple different vulnerabilities in code which corresponds vectors listed below:
- Machine::Code::decoder::analysis::set_ref function;
- graphite2::TtfUtil::GetTableInfo function;
- graphite2::GlyphCache::glyph function;
- graphite2::Slot::getAttr function in Slot.cpp;
- CachedCmap.cpp;
- graphite2::TtfUtil::CmapSubtable12NextCodepoint function;
- graphite2::FileFace::get_table_fn function;
- graphite2::vm::Machine::Code::Code function;
- graphite2::TtfUtil::CmapSubtable12Lookup function;
- graphite2::GlyphCache::Loader::Loader function;
- graphite2::Slot::setAttr function;
- graphite2::TtfUtil::CmapSubtable4NextCodepoint function;
Первичный источник обнаружения
Эксплуатация
Public exploits exist for this vulnerability.
Связанные продукты
Список CVE
- CVE-2016-2802 high
- CVE-2016-2801 high
- CVE-2016-2800 high
- CVE-2016-2799 critical
- CVE-2016-2798 high
- CVE-2016-2797 high
- CVE-2016-2796 high
- CVE-2016-2795 high
- CVE-2016-2794 critical
- CVE-2016-2793 high
- CVE-2016-2792 high
- CVE-2016-2791 high
- CVE-2016-2790 high
- CVE-2016-1979 high
- CVE-2016-1977 high
- CVE-2016-1976 high
- CVE-2016-1975 high
- CVE-2016-1974 high
- CVE-2016-1973 high
- CVE-2016-1972 high
- CVE-2016-1971 high
- CVE-2016-1970 high
- CVE-2016-1968 high
- CVE-2016-1967 warning
- CVE-2016-1966 high
- CVE-2016-1965 warning
- CVE-2016-1964 high
- CVE-2016-1950 high
- CVE-2016-1952 high
- CVE-2016-1953 high
- CVE-2016-1954 high
- CVE-2016-1955 warning
- CVE-2016-1956 high
- CVE-2016-1957 warning
- CVE-2016-1958 warning
- CVE-2016-1959 high
- CVE-2016-1960 high
- CVE-2016-1961 high
- CVE-2016-1962 critical
- CVE-2016-1963 warning
Смотрите также
Узнай статистику распространения уязвимостей в своем регионе statistics.securelist.com