KLA10765
Multiple vulnerabilities in Mozilla Firefox and Firefox ESR

Multiple serious vulnerabilities have been found in Mozilla Firefox. Malicious users can exploit these vulnerabilities to cause denial of service, bypass security restrictions, obtain sensitive information, execute arbitrary code, spoof user interface, gain privileges and write local files.

Below is a complete list of vulnerabilities

1. Multiple memory safety bugs at browser engine can be exploited remotely to cause denial of service and possibly execute arbitrary code;
2. Lack of report URI restrictions at Content Security Policy (CSP) violation reports can be exploited remotely via a specially designed page to overwrite arbitrary file;
3. Lack of specification restrictions implementation at CSP violation reports can be exploited remotely to obtain sensitive information;
4. Improper memory handling can be exploited remotely via a specially designed WebGL operations to cause denial of service; (Linux)
5. Memory leak at libstagefright can be exploited remotely via a specially designed MPEG4 video;
6. An unknown vulnerability can be exploited remotely via a specially designed JavaScript to spoof user interface;
7. An unknown vulnerability at Clients API in Service Workers can be exploited to cause denial of service or possibly execute arbitrary code;
8. Use-after-free vulnerability at HTML5 string parser can be exploited remotely via a specially designed content to cause denial of service or possibly execute arbitrary code;
9. Use-after-free vulnerability at HTMLDocument can be exploited remotely via a specially designed content to cause denial of service or execute arbitrary code;
10. Use-after-free vulnerability at WebRTC can be exploited remotely to cause denial of service or execute arbitrary code;
11. An unknown vulnerability at FileReader API can be exploited locally via files manipulation to cause denial of service or gain privileges;
12. Use-after-free vulnerability at XML transformation can be exploited remotely via a specially designed web content;
13. An unknown vulnerability can be exploited remotely via sites navigation manipulations to spoof user interface;
14. An unknown vulnerability can be exploited remotely via a specially designed redirect to bypass security restrictions;
15. Pointer underflow at Brotli can be exploited remotely to cause denial of service or execute arbitrary code;
16. An improper pointer dereference at NPAPI can be exploited remotely via a specially designed plugin in concert with specially designed web content to cause denial of service or execute arbitrary code;
17. An integer underflow at WebRTC possibly can be exploited remotely via a specially designed web content to cause denial of service or execute arbitrary code;
18. Missing status check at WebRTC potentially can be exploited remotely via a specially designed web content to cause denial of service or execute arbitrary code; (Windows)
19. Multiple race conditions at WebRTC potentially can be exploited remotely via a specially designed web content to cause denial of service or execute arbitrary code;
20. Deleted pointers usage at WebRTC potentially can be exploited remotely via a specially designed web content to cause denial of service or execute arbitrary code;
21. A race condition at LibVPX potentially can be exploited remotely via a specially designed web content to cause denial of service or execute arbitrary code;
22. Use-after-free vulnerability at WebRTC can be exploited remotely via a specially designed web content to cause denial of service or possibly execute arbitrary code;
23. Out-of-bounds vulnerability at HTML parser can be exploited remotely via a specially unicode strings or XML and SVG content to cause denial of service or possibly execute arbitrary code;
24. Buffer overflow at obsolete version of Network Security Service (NSS) can be exploited remotely via a specially designed certificate to cause denial of service or execute arbitrary code;
25. Use-after-free vulnerability at obsolete version of NSS can be exploited remotely via a specially designed key to cause denial of service;
26. Multiple uninitialized memory usages, out-of-bounds read, out-of-bounds write and other unknown vulnerabilities can be exploited remotely to cause denial of service or possibly execute arbitrary code.

Technical details

Vulnerability (1) related to js/src/jit/arm/Assembler-arm.cpp and other unknown vectors.

Vulnerability (2) related to nsCSPContext::SendReports function in dom/security/nsCSPContext.cpp which does not prevent non-HTTP report-URI for a CSP violation report. This vulnerability can be triggered if user has disabled add-on signing and has installed unpacked add-on.

Vulnerability (3) caused by storing full path information for cross-origin iframe navigations.

Vulnerability (4) can be exploited via performing WebGL operations in a canvas requiring an unusually large amount buffer to be allocated. This vulnerability can be exploited on Linux with Intel video driver used. If vulnerability exploited successfully it will be required to reboot computer to return functionality.

Vulnerability (5) can be exploited via video which triggers a delete operation on an array.

Vulnerability (6) related to browser/base/content/browser.js which allows spoof address bar via jsvscropt: URL.

Vulnerability (8) can be exploited via content triggers mishandling of end tags. This vulnerability related to nsHtml5TreeBuilder.

Vulnerability (9) can be exploited via content triggers mishandling of root element, This vulnerability related to nsHTMLDocument::SetBody function in dom/html/nsHTMLDocument.cpp

Vulnerability (10) can be exploited via leveraging mishandling of WebRTC data-channel connection.

Vulnerability (11) can be exploited via files modification during FileReader API read operation.

Vulnerability (12) related to AtomicBaseIncDec function.

Vulnerability (13) can be exploited via navigation sequences which involve returning back. If user returns to original page displayed URL will not reflect reloaded page location.

Vulnerability (14) related to already fixed bug CVE-2015-7207. It was discovered that history navigation in restored browser session still allow same attack.

Vulnerability (16) related to nsNPObjWrapper::GetNewOrUsed function in dom/plugins/base/nsJSNPRuntime.cpp

Vulnerability (17) related to srtp_unprotect function.

Vulnerability (18) related to I420VideoFrame::CreateFrame function on Windows.

Vulnerability (19) related to dom/media/systemservices/CamerasChild.cpp

Vulnerability (20) related to DesktopDisplayDevice class.

Vulnerability (22) related to GetStaticInstance function.

Vulnerability (23) related to nsScannerString::AppendUnicodeTo function which does not verify success of memory allocation.

Vulnerability (24) related to vulnerability in NSS versions earlier than 3.19.2.3 and 3.20 versions earlier than 3.21. This vulnerability can be exploited remotely via a specially designed ASN.1 data in X.509 certificate.

Vulnerability (25) related to PK11_ImportDERPrivateKeyInfoAndReturnKey function. This vulnerability can be exploited via a key with DER encoded data.

Vulnerability (26) related to multiple different vulnerabilities in code which corresponds vectors listed below:

1. Machine::Code::decoder::analysis::set_ref function;
2. graphite2::TtfUtil::GetTableInfo function;
3. graphite2::GlyphCache::glyph function;
4. graphite2::Slot::getAttr function in Slot.cpp;
5. CachedCmap.cpp;
6. graphite2::TtfUtil::CmapSubtable12NextCodepoint function;
7. graphite2::FileFace::get_table_fn function;
8. graphite2::vm::Machine::Code::Code function;
9. graphite2::TtfUtil::CmapSubtable12Lookup function;
10. graphite2::GlyphCache::Loader::Loader function;
11. graphite2::Slot::setAttr function;
12. graphite2::TtfUtil::CmapSubtable4NextCodepoint function;

Mozilla Firefox versions earlier than 45.0
Mozilla Firefox ESR versions earlier than 38.7

Update to the latest version
Get Firefox ESR
Get Firefox

The following public exploits exists for this vulnerability:

https://www.exploit-db.com/exploits/44294

https://www.exploit-db.com/exploits/42484