KLA11082 Multiple vulnerabilities in Mozilla Firefox and Firefox ESR

Multiple serious vulnerabilities have been found in Firefox and Firefox ESR. Malicious users can exploit these vulnerabilities to cause denial of service, privilege escalation, spoof user interface, bypass security restrictions, obtain sensitive information and execute arbitrary code.

Below is complete list of vulnerabilities:

1. A XUL injection vulnerability in the Developer Tools can be exploited remotely by opening a specially designed page in the style editor tool to execute arbitrary code;
2. A use-after-free vulnerability related to Websocket connection holding objects can be exploited remotely to cause a denial of service;
3. A use-after-free vulnerability related to re-computing layout for a marquee element during window resizing can be exploited remotely to cause a denial of service;
4. A use-after-free vulnerability related to tree traversal with prematurely deleted editor DOM node can be exploited to cause a denial of service;
5. A use-after-free vulnerability related to reading an image observer during frame reconstruction can be exploited to cause a denial of service;
6. A use-after-free vulnerability related to image element resizing can be exploited to cause a denial of service;
7. A buffer overflow vulnerability related to Accessible Rich Internet Applications (ARIA) attributes can be exploited to cause a denial of service;
8. A buffer overflow vulnerability which occur when the image renderer attempts to paint non-displayable SVG elements can be exploited remotely to cause a denial of service;
9. An out-of-bounds read vulnerability related to cached style data and pseudo-elements can be exploited remotely possibly to cause a denial of service or obtain sensitive information;
10. An improper handling of bypassing the same-origin policy protections can be exploited remotely via embedded iframes while page reloads to obtain sensitive information;
11. A vulnerability related to the AppCache can be exploited remotely possibly to bypass security restrictions and obtain sensitive information;
12. A buffer overflow vulnerability related to certificate manager can be exploited remotely via a specially designed certificate to cause a denial of service;
13. A vulnerability in the destructor function for the WindowsDllDetourPatcher can be exploited remotely via specially designed code in concern with another vulnerabilities to bypass security restrictions;
14. An unspecified vulnerability in the data: protocol can be exploited remotely via pages containing an iframe to spoof user interface;
15. An improper memory allocation in WindowsDllDetourPatcher function can be exploited remotely to execute arbitrary code;
16. A vulnerability related to content security policy (CSP) component can be exploited remotely via specially designed web page to bypass security restrictions;
17. A use-after-free vulnerability related to specific SVG content rendering done by layer manager can be exploited remotely to cause a denial of service;
18. A vulnerability related to content security policy (CSP) component can be exploited remotely to obtain sensitive information;
19. A vulnerability related to elliptic curve point addition algorithm can be exploited remotely with an unknown impact;
20. An unspecified vulnerability in sandbox broker can be exploited remotely via a compromised content process to gain privileges;
21. An improper satitizing of JavaScript assigned to innerHTML in the about:webrtc page can be exploited remotely to perform coss-site scripting;
22. An incorrect handling of long username/password combination in a site URL can be exploited remotely via a specially designed URL to cause a denial of service;
23. A vulnerability related to sandboxed about:srcdoc iframes can be exploited remotely to bypass security (CSP – Content Security Policy) restrictions;
24. A vulnerability related to STS Header Handler component can be exploited remotely to gain privileges;
25. An improper handling of some non-null-terminated registry values in Crash Reporter component can be exploited locally to obtain private sensitive information;
26. An unspecified vulnerability in Windows updater can be exploited locally to delete files named “update.log”;
27. A vulnerability related to response header name interning can be exploited remotely to bypass same-origin restrictions;
28. Multiple memory corruption vulnerabilities which occur because of memory safety bugs can be exploited remotely to execute arbitrary code.

Technical details

Vulnerability (1) occurs because of improper sanitization of the web page source code.

In case of vulnerability (12), denial of service occurs during at attempt of viewing a certificate in the certificate manager if the certificate has an extremely long object identifier (OID).

Vulnerability (13) allows malicious users to write arbitrary data to the special location in memory controlled by them.

Vulnerability (13), (15), (25), (26) affect Windows operating systems only.

Vulnerability (15) exists because of error which occurs because of violation of DEP protection – RWX (Read/Write/Execute) block is allocated but never protected.

Vulnerability (19) exists because an algorithm uses mixed Jacobian-affine coordinates which can return a result POINT_AT_INFINITY, which leads to an attacked party computing an incorrect shared secret.

Vulnerability (20) affects Linux-based operating systems only.

Vulnerability (20) exists because the sandbox broker will allow files to be truncated even though the sandbox explicitly only has read access to the local file system and no write permissions.

In case of vulnerability (21), data on about:webrtc page is supplied by WebRTC usage and is not under third-party control.

In case of vulnerability (24), if a server sends two Strict-Transport-Security (STS) headers for a single connection, they will be rejected as invalid and HTTP Strict Transport Security (HSTS) will not be enabled for the connection.

Vulnerabilities 1-16 are related to Mozilla Firefox ESR.

All vulnerabilities are related to Mozilla Firefox.

NB: These vulnerabilities do not have any public CVSS rating, so rating can be changed by the time.

NB: At this moment Mozilla has just reserved CVE numbers for these vulnerabilities. Information can be changed soon.

Original advisories

MFSA 2017-18

MFSA 2017-19

Exploitation

Public exploits exist for this vulnerability.

Related products

Mozilla-Firefox

Mozilla-Firefox-ESR

CVE list

CVE-2017-7786 critical

CVE-2017-7753 high

CVE-2017-7787 warning

CVE-2017-7807 high

CVE-2017-7792 critical

CVE-2017-7804 warning

CVE-2017-7791 warning

CVE-2017-7782 warning

CVE-2017-7803 warning

CVE-2017-7779 critical

CVE-2017-7800 critical

CVE-2017-7801 critical

CVE-2017-7809 critical

CVE-2017-7784 critical

CVE-2017-7802 critical

CVE-2017-7785 critical

CVE-2017-7798 high

CVE-2017-7806 warning

CVE-2017-7808 warning

CVE-2017-7781 warning

CVE-2017-7794 warning

CVE-2017-7799 warning

CVE-2017-7783 warning

CVE-2017-7788 critical

CVE-2017-7789 warning

CVE-2017-7790 warning

CVE-2017-7796 warning

CVE-2017-7797 warning

CVE-2017-7780 critical

Solution

Update to the latest versionDownload Mozilla Firefox

Download Mozilla Firefox ESR

Impacts

• ACE

Arbitrary code execution. Exploitation of vulnerabilities with this impact can lead to executing by abuser any code or commands at vulnerable machine or process.

• OSI

Obtain sensitive information. Exploitation of vulnerabilities with this impact can lead to capturing by abuser information, critical for user or system.

• DoS

Denial of service. Exploitation of vulnerabilities with this impact can lead to loss of system availability or critical functional fault.

• SB

Security bypass. Exploitation of vulnerabilities with this impact can lead to performing actions restricted by current security settings.

• PE

Privilege escalation. Exploitation of vulnerabilities with this impact can lead to performing by abuser actions, which are normally disallowed for current role.

• SUI

Spoof user interface. Exploitation of vulnerabilities with this impact can lead to changes in user interface to beguile user into inaccurate behavior.

Affected Products

• Mozilla Firefox versions earlier than 55Mozilla Firefox ESR versions earlier than 52.3