===========================================================================
               AUSCERT Security Bulletin ASB-2016.0119
    Security vulnerabilities fixed in Firefox 50.1 and Firefox ESR 45.6
                             14 December 2016
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Mozilla Firefox
                      Firefox ESR
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Cross-site Scripting            -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Access Confidential Data        -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2016-9905 CVE-2016-9904 CVE-2016-9903 CVE-2016-9902
                      CVE-2016-9901 CVE-2016-9900 CVE-2016-9899 CVE-2016-9898
                      CVE-2016-9897 CVE-2016-9896 CVE-2016-9895 CVE-2016-9894
                      CVE-2016-9893 CVE-2016-9080
Member content until: Friday, January 13 2017

OVERVIEW

        A critical vulnerability has been identified in Mozilla Firefox prior
        to version 50.1 and Firefox ESR 45.6. [1 - 2]

IMPACT

        The vendor has provided the following details regarding the
        vulnerability:

        "#CVE-2016-9894: Buffer overflow in SkiaGL

        A buffer overflow in SkiaGl caused when a GrGLBuffer is truncated
        during allocation. Later writers will overflow the buffer, resulting
        in a potentially exploitable crash.

        #CVE-2016-9899: Use-after-free while manipulating DOM events and
        audio elements

        Use-after-free while manipulating DOM events and removing audio
        elements due to errors in the handling of node adoption.

        #CVE-2016-9895: CSP bypass using marquee tag

        Event handlers on marquee elements were executed despite a strict
        Content Security Policy (CSP) that disallowed inline JavaScript.

        #CVE-2016-9896: Use-after-free with WebVR

        Use-after-free while manipulating the navigator object within
        WebVR. Note: WebVR is not currently enabled by default.
        #CVE-2016-9897: Memory corruption in libGLES

        Memory corruption resulting in a potentially exploitable crash
        during WebGL functions using a vector constructor with a varying
        array within libGLES.

        #CVE-2016-9898: Use-after-free in Editor while manipulating DOM
        subtrees

        Use-after-free resulting in potentially exploitable crash when
        manipulating DOM subtrees in the Editor.

        #CVE-2016-9900: Restricted external resources can be loaded by SVG
        images through data URLs

        External resources that should be blocked when loaded by SVG images
        can bypass security restrictions through the use of data: URLs.
        This could allow for cross-domain data leakage.

        #CVE-2016-9904: Cross-origin information leak in shared atoms

        An attacker could use a JavaScript Map/Set timing attack to
        determine whether an atom is used by another compartment/zone in
        specific contexts. This could be used to leak information, such as
        usernames embedded in JavaScript code, across websites.

        #CVE-2016-9901: Data from Pocket server improperly sanitized before
        execution

        HTML tags received from the Pocket server will be processed without
        sanitization and any JavaScript code executed will be run in the
        about:pocket-saved (unprivileged) page, giving it access to
        Pocket's messaging API through HTML injection.

        #CVE-2016-9902: Pocket extension does not validate the origin of
        events

        The Pocket toolbar button, once activated, listens for events fired
        from its own pages but does not verify the origin of incoming
        events. This allows content from other origins to fire events and
        inject content and commands into the Pocket context. Note: this
        issue does not affect users with e10s enabled.

        #CVE-2016-9903: XSS injection vulnerability in add-ons SDK

        Mozilla's add-ons SDK had a world-accessible resource with an HTML
        injection vulnerability. If an additional vulnerability allowed
        this resource to be loaded as a document it could allow injecting
        content and script into an add-on's context.
        #CVE-2016-9080: Memory safety bugs fixed in Firefox 50.1

        Mozilla developers and community members Kan-Ru Chen, Christian
        Holler, and Tyson Smith reported memory safety bugs present in
        Firefox 50.0.2. Some of these bugs showed evidence of memory
        corruption and we presume that with enough effort some of these
        could be exploited to run arbitrary code.

        #CVE-2016-9893: Memory safety bugs fixed in Firefox 50.1 and
        Firefox ESR 45.6

        Mozilla developers and community members Jan de Mooij, Iris Hsiao,
        Christian Holler, Carsten Book, Timothy Nikkel, Christoph Diehl,
        Olli Pettay, Raymond Forbes, and Boris Zbarsky reported memory
        safety bugs present in Firefox 50.0.2 and Firefox ESR 45.5.1. Some
        of these bugs showed evidence of memory corruption and we presume
        that with enough effort some of these could be exploited to run
        arbitrary code." [1]

        "#CVE-2016-9899: Use-after-free while manipulating DOM events and
        audio elements

        Use-after-free while manipulating DOM events and removing audio
        elements due to errors in the handling of node adoption.

        #CVE-2016-9895: CSP bypass using marquee tag

        Event handlers on marquee elements were executed despite a strict
        Content Security Policy (CSP) that disallowed inline JavaScript.

        #CVE-2016-9897: Memory corruption in libGLES

        Memory corruption resulting in a potentially exploitable crash
        during WebGL functions using a vector constructor with a varying
        array within libGLES.

        #CVE-2016-9898: Use-after-free in Editor while manipulating DOM
        subtrees

        Use-after-free resulting in potentially exploitable crash when
        manipulating DOM subtrees in the Editor.

        #CVE-2016-9900: Restricted external resources can be loaded by SVG
        images through data URLs

        External resources that should be blocked when loaded by SVG images
        can bypass security restrictions through the use of data: URLs.
        This could allow for cross-domain data leakage.
        #CVE-2016-9904: Cross-origin information leak in shared atoms

        An attacker could use a JavaScript Map/Set timing attack to
        determine whether an atom is used by another compartment/zone in
        specific contexts. This could be used to leak information, such as
        usernames embedded in JavaScript code, across websites.

        #CVE-2016-9905: Crash in EnumerateSubDocuments

        A potentially exploitable crash in EnumerateSubDocuments while
        adding or removing sub-documents.

        #CVE-2016-9901: Data from Pocket server improperly sanitized before
        execution

        HTML tags received from the Pocket server will be processed without
        sanitization and any JavaScript code executed will be run in the
        about:pocket-saved (unprivileged) page, giving it access to
        Pocket's messaging API through HTML injection.

        #CVE-2016-9902: Pocket extension does not validate the origin of
        events

        The Pocket toolbar button, once activated, listens for events fired
        from its own pages but does not verify the origin of incoming
        events. This allows content from other origins to fire events and
        inject content and commands into the Pocket context. Note: this
        issue does not affect users with e10s enabled.

        #CVE-2016-9893: Memory safety bugs fixed in Firefox 50.1 and
        Firefox ESR 45.6

        Mozilla developers and community members Jan de Mooij, Iris Hsiao,
        Christian Holler, Carsten Book, Timothy Nikkel, Christoph Diehl,
        Olli Pettay, Raymond Forbes, and Boris Zbarsky reported memory
        safety bugs present in Firefox 50.0.2 and Firefox ESR 45.5.1. Some
        of these bugs showed evidence of memory corruption and we presume
        that with enough effort some of these could be exploited to run
        arbitrary code." [2]

MITIGATION

        Mozilla advises upgrading to the latest version to address these
        issues.
        [1 - 2]

REFERENCES

        [1] Mozilla Foundation Security Advisory 2016-94
            https://www.mozilla.org/en-US/security/advisories/mfsa2016-94/

        [2] Mozilla Foundation Security Advisory 2016-95
            https://www.mozilla.org/en-US/security/advisories/mfsa2016-95/

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
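The missing origin check described under CVE-2016-9902 above (a privileged page acting on events without verifying where they came from), as an added example that is not part of this bulletin or of Mozilla's or Pocket's code: a message handler in its vulnerable form beside a hardened form that runs commands only for an allowlisted sender origin. The origins, command names and messages are constructed for the demonstration, and the event objects only mimic the shape of a browser MessageEvent.

```javascript
// Added example (not Mozilla's or Pocket's code), modelled on the
// CVE-2016-9902 description above: a privileged page accepting command
// messages from its own content pages. Origins, commands and messages are
// constructed for the demo; event objects mimic the shape of MessageEvent.
const TRUSTED_ORIGINS = new Set(["https://app.example", "https://static.example"]);

// Commands the privileged side is prepared to run (constructed for the demo).
const COMMANDS = {
  saveItem: (payload, state) => { state.saved.push(payload.url); return "saved"; },
  removeItem: (payload, state) => {
    state.saved = state.saved.filter((u) => u !== payload.url);
    return "removed";
  },
};

// Vulnerable pattern: only event.data is inspected, so a message from any
// origin that can reach this listener has its command executed.
function vulnerableHandler(event, state) {
  const { cmd, payload } = event.data || {};
  // Own-property lookup so inherited names such as "constructor" are not callable.
  const fn = Object.prototype.hasOwnProperty.call(COMMANDS, cmd) ? COMMANDS[cmd] : null;
  return fn ? fn(payload, state) : "ignored";
}

// Hardened pattern: drop the message unless event.origin is exactly one of
// the allowlisted origins (exact match; no prefix, suffix or regex tests).
function hardenedHandler(event, state) {
  if (typeof event.origin !== "string" || !TRUSTED_ORIGINS.has(event.origin)) {
    return "rejected"; // untrusted sender: do nothing (a real page might log it)
  }
  return vulnerableHandler(event, state); // same dispatch, now gated by origin
}

// Feeds one message from a foreign origin and one from an own page through
// both handlers and returns what each did, plus the resulting state.
function demo() {
  const foreign = { origin: "https://other.example",
                    data: { cmd: "saveItem", payload: { url: "https://other.example/injected" } } };
  const own = { origin: "https://app.example",
                data: { cmd: "saveItem", payload: { url: "https://news.example/story" } } };
  const sVuln = { saved: [] }, sHard = { saved: [] };
  return {
    vulnerableForeign: vulnerableHandler(foreign, sVuln),
    hardenedForeign: hardenedHandler(foreign, sHard),
    hardenedOwn: hardenedHandler(own, sHard),
    savedVulnerable: sVuln.saved,
    savedHardened: sHard.saved,
  };
}
```

In a real page the same gate sits at the top of the `message` event listener, and the allowlist is a fixed set of full origins rather than anything derived from the message itself.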