KLA11082
Multiple vulnerabilities in Mozilla Firefox and Firefox ESR

Multiple serious vulnerabilities have been found in Firefox and Firefox ESR. Malicious users can exploit these vulnerabilities to cause denial of service, privilege escalation, spoof user interface, bypass security restrictions, obtain sensitive information and execute arbitrary code.

Below is complete list of vulnerabilities:

1. A XUL injection vulnerability in the Developer Tools can be exploited remotely by opening a specially designed page in the style editor tool to execute arbitrary code;
2. A use-after-free vulnerability related to Websocket connection holding objects can be exploited remotely to cause a denial of service;
3. A use-after-free vulnerability related to re-computing layout for a marquee element during window resizing can be exploited remotely to cause a denial of service;
4. A use-after-free vulnerability related to tree traversal with prematurely deleted editor DOM node can be exploited to cause a denial of service;
5. A use-after-free vulnerability related to reading an image observer during frame reconstruction can be exploited to cause a denial of service;
6. A use-after-free vulnerability related to image element resizing can be exploited to cause a denial of service;
7. A buffer overflow vulnerability related to Accessible Rich Internet Applications (ARIA) attributes can be exploited to cause a denial of service;
8. A buffer overflow vulnerability which occur when the image renderer attempts to paint non-displayable SVG elements can be exploited remotely to cause a denial of service;
9. An out-of-bounds read vulnerability related to cached style data and pseudo-elements can be exploited remotely possibly to cause a denial of service or obtain sensitive information;
10. An improper handling of bypassing the same-origin policy protections can be exploited remotely via embedded iframes while page reloads to obtain sensitive information;
11. A vulnerability related to the AppCache can be exploited remotely possibly to bypass security restrictions and obtain sensitive information;
12. A buffer overflow vulnerability related to certificate manager can be exploited remotely via a specially designed certificate to cause a denial of service;
13. A vulnerability in the destructor function for the WindowsDllDetourPatcher can be exploited remotely via specially designed code in concern with another vulnerabilities to bypass security restrictions;
14. An unspecified vulnerability in the data: protocol can be exploited remotely via pages containing an iframe to spoof user interface;
15. An improper memory allocation in WindowsDllDetourPatcher function can be exploited remotely to execute arbitrary code;
16. A vulnerability related to content security policy (CSP) component can be exploited remotely via specially designed web page to bypass security restrictions;
17. A use-after-free vulnerability related to specific SVG content rendering done by layer manager can be exploited remotely to cause a denial of service;
18. A vulnerability related to content security policy (CSP) component can be exploited remotely to obtain sensitive information;
19. A vulnerability related to elliptic curve point addition algorithm can be exploited remotely with an unknown impact;
20. An unspecified vulnerability in sandbox broker can be exploited remotely via a compromised content process to gain privileges;
21. An improper satitizing of JavaScript assigned to innerHTML in the about:webrtc page can be exploited remotely to perform coss-site scripting;
22. An incorrect handling of long username/password combination in a site URL can be exploited remotely via a specially designed URL to cause a denial of service;
23. A vulnerability related to sandboxed about:srcdoc iframes can be exploited remotely to bypass security (CSP — Content Security Policy) restrictions;
24. A vulnerability related to STS Header Handler component can be exploited remotely to gain privileges;
25. An improper handling of some non-null-terminated registry values in Crash Reporter component can be exploited locally to obtain private sensitive information;
26. An unspecified vulnerability in Windows updater can be exploited locally to delete files named «update.log»;
27. A vulnerability related to response header name interning can be exploited remotely to bypass same-origin restrictions;
28. Multiple memory corruption vulnerabilities which occur because of memory safety bugs can be exploited remotely to execute arbitrary code.

Technical details

Vulnerability (1) occurs because of improper sanitization of the web page source code.

In case of vulnerability (12), denial of service occurs during at attempt of viewing a certificate in the certificate manager if the certificate has an extremely long object identifier (OID).

Vulnerability (13) allows malicious users to write arbitrary data to the special location in memory controlled by them.

Vulnerability (13), (15), (25), (26) affect Windows operating systems only.

Vulnerability (15) exists because of error which occurs because of violation of DEP protection – RWX (Read/Write/Execute) block is allocated but never protected.

Vulnerability (19) exists because an algorithm uses mixed Jacobian-affine coordinates which can return a result POINT_AT_INFINITY, which leads to an attacked party computing an incorrect shared secret.

Vulnerability (20) affects Linux-based operating systems only.

Vulnerability (20) exists because the sandbox broker will allow files to be truncated even though the sandbox explicitly only has read access to the local file system and no write permissions.

In case of vulnerability (21), data on about:webrtc page is supplied by WebRTC usage and is not under third-party control.

In case of vulnerability (24), if a server sends two Strict-Transport-Security (STS) headers for a single connection, they will be rejected as invalid and HTTP Strict Transport Security (HSTS) will not be enabled for the connection.

Vulnerabilities 1-16 are related to Mozilla Firefox ESR.

All vulnerabilities are related to Mozilla Firefox.

NB: These vulnerabilities do not have any public CVSS rating, so rating can be changed by the time.

NB: At this moment Mozilla has just reserved CVE numbers for these vulnerabilities. Information can be changed soon.

Mozilla Firefox versions earlier than 55
Mozilla Firefox ESR versions earlier than 52.3

Update to the latest version
Download Mozilla Firefox ESR
Download Mozilla Firefox

The following public exploits exists for this vulnerability:

https://www.exploit-db.com/exploits/43020