History: Feb 24, 2015 - 12:00 a.m.

KLA10464 Multiple vulnerabilities in Mozilla products

2015-02-24 00:00:00
Kaspersky Lab
threats.kaspersky.com
CVSS2: 7.5

Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

AI Score: 8.8
Confidence: High

EPSS: 0.066
Percentile: 93.8%

Multiple serious vulnerabilities have been found in Mozilla products. Malicious users can exploit these vulnerabilities to cause denial of service, gain privileges, obtain sensitive information, execute arbitrary code, spoof the user interface or read local files.

Below is a complete list of vulnerabilities:

  1. Unspecified vulnerabilities can be exploited remotely via unknown vectors;
  2. A buffer overflow can be exploited remotely via a specially designed MP3 file, MP4 file or SVG graphics;
  3. A use-after-free vulnerability can be exploited remotely via specially designed content and other unknown vectors;
  4. Improper domain name recognition can be exploited remotely via a specially designed URL;
  5. An untrusted path vulnerability can be exploited locally via DLL hijacking;
  6. Improper memory allocation can be exploited remotely via specially designed WebGL content;
  7. An unspecified vulnerability can be exploited remotely via unknown vectors;
  8. An unknown vulnerability related to form autocompletion can be exploited remotely via specially designed JavaScript;
  9. A double free vulnerability can be exploited remotely via specially designed JavaScript;
  10. An unknown vulnerability can be exploited remotely via specially designed CSS;
  11. A lack of API restrictions can be exploited remotely via vectors related to UITour;
  12. A lack of transaction restrictions and other unknown vulnerabilities can be exploited remotely via a specially designed web site.

Original advisories

MFSA 2015-11 — 2015-27

Related products

Mozilla-Firefox

Mozilla-Thunderbird

CVE list

CVE-2015-0823 critical

CVE-2015-0828 high

CVE-2015-0834 warning

CVE-2015-0835 critical

CVE-2015-0836 critical

CVE-2015-0825 warning

CVE-2015-0831 high

CVE-2015-0830 critical

CVE-2015-0824 critical

CVE-2015-0827 warning

CVE-2015-0829 high

CVE-2015-0822 warning

CVE-2015-0833 high

CVE-2015-0826 high

CVE-2015-0820 warning

CVE-2015-0832 critical

CVE-2015-0821 high

CVE-2015-0819 warning

Solution

Update to the latest version!

Impacts

  • ACE

Arbitrary code execution. Exploitation of vulnerabilities with this impact can allow an abuser to execute any code or commands on the vulnerable machine or in the vulnerable process.

  • OSI

Obtain sensitive information. Exploitation of vulnerabilities with this impact can allow an abuser to capture information that is critical for the user or system.

  • DoS

Denial of service. Exploitation of vulnerabilities with this impact can lead to loss of system availability or a critical functional fault.

  • SB

Security bypass. Exploitation of vulnerabilities with this impact can lead to the performing of actions restricted by the current security settings.

  • PE

Privilege escalation. Exploitation of vulnerabilities with this impact can allow an abuser to perform actions that are normally disallowed for the current role.

  • RLF

Read local files. Exploitation of vulnerabilities with this impact can lead to the reading of files that are otherwise inaccessible. Which files can be read depends on the concrete program errors.

  • SUI

Spoof user interface. Exploitation of vulnerabilities with this impact can lead to changes in the user interface that beguile the user into incorrect behavior.

Affected Products

  • Mozilla Firefox versions earlier than 36
  • Mozilla Firefox ESR versions earlier than 31.5
  • Mozilla Thunderbird versions earlier than 31.5
