Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT Security Bulletin
ASB-2016.0096
Multiple vulnerabilities identified in Mozilla Firefox prior
to version 49.0.2
24 October 2016
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Mozilla Firefox
Operating System: UNIX variants (UNIX, Linux, OSX)
Android
Windows
Impact/Access: Denial of Service -- Remote/Unauthenticated
Access Confidential Data -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2016-5288 CVE-2016-5287
Member content until: Wednesday, November 23 2016
OVERVIEW
Multiple vulnerabilities have been identified in Mozilla Firefox
prior to version 49.0.2. [1]
IMPACT
The vendor has provided the following information regarding the
vulnerabilities:
"CVE-2016-5287: Crash in nsTArray_base<T>::SwapArrayElements
REPORTER
Philipp
IMPACT
HIGH
Description
A potentially exploitable use-after-free crash during actor
destruction with service workers. This issue does not affect
releases earlier than Firefox 49." [1]
"CVE-2016-5288: Web content can read cache entries
REPORTER
Developers at Cliqz.com
IMPACT
HIGH
Description
A Cliqz.com developer demonstrated that web content could access
information in the HTTP cache if e10s is disabled. This can reveal
some visited URLs and the contents of those pages. This issue
affects Firefox 48 and 49." [1]
MITIGATION
The vendor recommends upgrading to the latest version. [1]
REFERENCES
[1] Mozilla Foundation Security Advisory 2016-87
https://www.mozilla.org/en-US/security/advisories/mfsa2016-87/
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBWA2I2Ix+lLeg9Ub1AQiloRAAlxGze6XcIJ9iW2zK7aGy2uS9yufZ+MCX
ik8YJEgfNXucK8UzkDZg6n7Qu1ldhOiTnG+U7O85LXq2mMbw/kH+P/MQwn4hFjX3
xZ66zFoGT1Qkvdk9AVQSPQT0Iqis2ZZ5TWWHUtLTZYqCmucrOG2ZxHieWhV2F5h+
nkR/RTTzNHw/LhykCHbbg/kH6vzEPZrCxUxZruYXbYwwWP2qgxQ/ftRhvpQMWz4q
8uPGVGT+5QmwjOTv0SPSa32mT0Xd2oRhvbvy2URl81nfBLAAUz8W4CFyiNbxXzI2
SiWOxC0z5wdIMYX0i76B0Xwox6d6HeWdYAOgkk8lp5XxbFv06HremsTlmRH11ACC
wC6Yh2bmGkHJdIY+Buf2yV0Kz2moyjuAfa0SM0R+P6KPOsaiNHuzUefpFQ2VXjED
5F9Ibgo0ZHgdKL+Uh08daCPzwE+lN9h40QobhVT95fZFHhrkKXQEHCKaZ9LQgjQI
hZrRK8UBt+YuIZNys0KES5i0kwBrraNzThgZJFLiLYoThi2Z0vO5JDLpLMf3FaF4
uQBKd1y+0DgnGGodwrkE966HN2ZP+Mn2B7HA9bWjIp8BcavAhZxJ4/N/9b7tihyb
jX0kSGGnbablnOgKZwQDsTc+umoe2Gb1k7t2vK74KTeRBY6yFWjbkD+S2OkyXGGM
z3qpC6DKclY=
=yweH
-----END PGP SIGNATURE-----