Дата обнаружения
|
08/08/2017 |
Уровень угрозы
|
Critical |
Описание
|
Multiple serious vulnerabilities have been found in Firefox and Firefox ESR. Malicious users can exploit these vulnerabilities to cause denial of service, privilege escalation, spoof user interface, bypass security restrictions, obtain sensitive information and execute arbitrary code. Below is complete list of vulnerabilities:
Technical details Vulnerability (1) occurs because of improper sanitization of the web page source code. In case of vulnerability (12), denial of service occurs during at attempt of viewing a certificate in the certificate manager if the certificate has an extremely long object identifier (OID). Vulnerability (13) allows malicious users to write arbitrary data to the special location in memory controlled by them. Vulnerability (13), (15), (25), (26) affect Windows operating systems only. Vulnerability (15) exists because of error which occurs because of violation of DEP protection – RWX (Read/Write/Execute) block is allocated but never protected. Vulnerability (19) exists because an algorithm uses mixed Jacobian-affine coordinates which can return a result POINT_AT_INFINITY, which leads to an attacked party computing an incorrect shared secret. Vulnerability (20) affects Linux-based operating systems only. Vulnerability (20) exists because the sandbox broker will allow files to be truncated even though the sandbox explicitly only has read access to the local file system and no write permissions. In case of vulnerability (21), data on about:webrtc page is supplied by WebRTC usage and is not under third-party control. In case of vulnerability (24), if a server sends two Strict-Transport-Security (STS) headers for a single connection, they will be rejected as invalid and HTTP Strict Transport Security (HSTS) will not be enabled for the connection. Vulnerabilities 1-16 are related to Mozilla Firefox ESR. All vulnerabilities are related to Mozilla Firefox. NB: These vulnerabilities do not have any public CVSS rating, so rating can be changed by the time. NB: At this moment Mozilla has just reserved CVE numbers for these vulnerabilities. Information can be changed soon. |
Пораженные продукты
|
Mozilla Firefox versions earlier than 55 |
Решение
|
Update to the latest version |
Первичный источник обнаружения
|
MFSA 2017-18 MFSA 2017-19 |
Оказываемое влияние
?
|
ACE
[?]
OSI
[?]
DoS
[?]
SB
[?]
PE
[?]
SUI
[?]
|
Связанные продукты
|
Mozilla Firefox Mozilla Firefox ESR |
CVE-IDS
|
CVE-2017-77867.5Critical
CVE-2017-77536.4High CVE-2017-77875.0Critical CVE-2017-78075.8High CVE-2017-77927.5Critical CVE-2017-78045.0Critical CVE-2017-77915.0Critical CVE-2017-77825.0Critical CVE-2017-78035.0Critical CVE-2017-78007.5Critical CVE-2017-78017.5Critical CVE-2017-78097.5Critical CVE-2017-77847.5Critical CVE-2017-78027.5Critical CVE-2017-77857.5Critical CVE-2017-77986.8High CVE-2017-78065.0Critical CVE-2017-78085.0Critical CVE-2017-77814.3Warning CVE-2017-77944.6Warning CVE-2017-77994.3Warning CVE-2017-77835.0Critical CVE-2017-77887.5Critical CVE-2017-77895.0Critical CVE-2017-77905.0Critical CVE-2017-77963.3Warning CVE-2017-77975.0Critical CVE-2017-77807.5Critical |
Эксплуатация
|
Public exploits exist for this vulnerability. |
Узнай статистику распространения уязвимостей в твоем регионе |