Дата обнаружения
|
26/04/2016 |
Уровень угрозы
|
Critical |
Описание
|
Multiple serious vulnerabilities have been found in Mozilla Firefox. Malicious users can exploit these vulnerabilities to bypass security restrictions, inject arbitrary code, elevate privileges, cause denial of service or obtain sensitive information. Below is a complete list of vulnerabilities
Technical details Vulnerability (2) caused by Mozilla Maintenance Service privileged system access. Vulnerability (3) allows malicious user access content provider permissions for Firefox in order to read data includes browser history and locally saved passwords. It occurs when a list of permissions is defined to match those that Firefox uses for content providers and bypasses signature protections. Vulnerability (4) caused by keeping active ServiceWorkerInfo object after its registration finishing. We’ll get use-after-free as result. Vulnerability (5) caused by race condition in the ServiceWorkerManager. Vulnerability (7) caused by improper handling of CENC offsets and the sizes tables in the libstagefright library. It can be exploited through the buffer overflow. Vulnerability (8) caused by sending CSP with the multipart/x-mixed-replace MIME type. Vulnerability (9) related to chrome.tabs.update API and allows navigation to JavaScript URLs without additional permissions. It is possible to inject content into legitimate extensions if they load content within browser tabs. Vulnerability (10) related to JavaScript .watch() method which could be used to overflow the 32-bit generation count of the underlying HashMap. As result we’ll get write to an invalid entry. The overflow require a user to keep a malicious page open for the duration of the attack. Vulnerability (11) allows attacker to change the sharing preferences of a user by firing the appropriate events at its containing page. |
Пораженные продукты
|
Mozilla Firefox versions earlier than 46 |
Решение
|
Update to the latest version |
Первичный источник обнаружения
|
Mozilla Foundation Advisories |
Оказываемое влияние
?
|
ACE
[?]
OSI
[?]
DoS
[?]
CI
[?]
PE
[?]
|
Связанные продукты
|
Mozilla Firefox Mozilla Firefox ESR Mozilla Firefox for Android |
CVE-IDS
|
CVE-2016-28085.1High CVE-2016-28204.3Warning CVE-2016-28174.3Warning CVE-2016-28164.3Warning CVE-2016-28146.8High CVE-2016-28134.3Warning CVE-2016-28125.1High CVE-2016-28116.8High CVE-2016-28104.3Warning CVE-2016-28095.8High CVE-2016-17804.3Warning |
Узнай статистику распространения уязвимостей в твоем регионе |