                         AUSCERT Security Bulletin

     Security vulnerabilities fixed in Firefox 51 and Firefox ESR 45.7
                              26 January 2017


        AusCERT Security Bulletin Summary

Product:              Mozilla Firefox
                      Firefox ESR
Operating System:     UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Increased Privileges            -- Remote with User Interaction
                      Access Privileged Data          -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Provide Misleading Information  -- Remote with User Interaction
                      Reduced Security                -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2017-5396 CVE-2017-5395 CVE-2017-5394
                      CVE-2017-5393 CVE-2017-5392 CVE-2017-5391
                      CVE-2017-5390 CVE-2017-5389 CVE-2017-5388
                      CVE-2017-5387 CVE-2017-5386 CVE-2017-5385
                      CVE-2017-5384 CVE-2017-5383 CVE-2017-5382
                      CVE-2017-5381 CVE-2017-5380 CVE-2017-5379
                      CVE-2017-5378 CVE-2017-5377 CVE-2017-5376
                      CVE-2017-5375 CVE-2017-5374 CVE-2017-5373
Member content until: Saturday, February 25 2017


        Critical vulnerabilities have been identified in Mozilla Firefox 
        prior to version 51 and Firefox ESR 45.7. [1 - 2]


        The vendor has provided the following details regarding the 
        "#CVE-2017-5375: Excessive JIT code allocation allows bypass of ASLR
        and DEP
        JIT code allocation can allow for a bypass of ASLR and DEP 
        protections leading to potential memory corruption attacks.
        #CVE-2017-5376: Use-after-free in XSL
        Use-after-free while manipulating XSL in XSLT documents
        #CVE-2017-5377: Memory corruption with transforms to create 
        gradients in Skia
        A memory corruption vulnerability in Skia that can occur when using
        transforms to make gradients, resulting in a potentially exploitable
        #CVE-2017-5378: Pointer and frame data leakage of Javascript objects
        Hashed codes of JavaScript objects are shared between pages. This 
        allows for pointer leaks because an object’s address can be 
        discovered through hash codes, and also allows for data leakage of 
        an object’s content using these hash codes.
        #CVE-2017-5379: Use-after-free in Web Animations
        Use-after-free vulnerability in Web Animations when interacting with
        cycle collection found through fuzzing.
        #CVE-2017-5380: Potential use-after-free during DOM manipulations
        A potential use-after-free found through fuzzing during DOM 
        manipulation of SVG content.
        #CVE-2017-5390: Insecure communication methods in Developer Tools 
        JSON viewer
        The JSON viewer in the Developer Tools uses insecure methods to 
        create a communication channel for copying and viewing JSON or HTTP
        headers data, allowing for potential privilege escalation.
        #CVE-2017-5389: WebExtensions can install additional add-ons via 
        modified host requests
        WebExtensions could use the mozAddonManager API by modifying the CSP
        headers on sites with the appropriate permissions and then using 
        host requests to redirect script loads to a malicious site. This 
        allows a malicious extension to then install additional extensions 
        without explicit user permission.
        #CVE-2017-5396: Use-after-free with Media Decoder
        A use-after-free vulnerability in the Media Decoder when working 
        with media files when some events are fired after the media elements
        are freed from memory.
        #CVE-2017-5381: Certificate Viewer exporting can be used to navigate
        and save to arbitrary filesystem locations
        The "export" function in the Certificate Viewer can force local 
        filesystem navigation when the "common name" in a certificate 
        contains slashes, allowing certificate content to be saved in unsafe
        locations with an arbitrary filename.
        #CVE-2017-5382: Feed preview can expose privileged content errors 
        and exceptions
        Feed preview for RSS feeds can be used to capture errors and 
        exceptions generated by privileged content, allowing for the 
        exposure of internal information not meant to be seen by web 
        #CVE-2017-5383: Location bar spoofing with unicode characters
        URLs containing certain unicode glyphs for alternative hyphens and 
        quotes do not properly trigger punycode display, allowing for domain
        name spoofing attacks in the location bar.
        #CVE-2017-5384: Information disclosure via Proxy Auto-Config (PAC)
        Proxy Auto-Config (PAC) files can specify a JavaScript function 
        called for all URL requests with the full URL path which exposes 
        more information than would be sent to the proxy itself in the case
        of HTTPS. Normally the Proxy Auto-Config file is specified by the 
        user or machine owner and presumed to be non-malicious, but if a 
        user has enabled Web Proxy Auto Detect (WPAD) this file can be 
        served remotely.
        #CVE-2017-5385: Data sent in multipart channels ignores 
        referrer-policy response headers
        Data sent within multipart channels, such as the 
        multipart/x-mixed-replace MIME type, will ignore the referrer-policy
        response header, leading to potential information disclosure for 
        sites using this header.
        #CVE-2017-5386: WebExtensions can use data: protocol to affect other
        WebExtension scripts can use the data: protocol to affect pages 
        loaded by other web extensions using this protocol, leading to 
        potential data disclosure or privilege escalation in affected 
        #CVE-2017-5394: Android location bar spoofing using fullscreen and 
        JavaScript events
        A location bar spoofing attack where the location bar of loaded page
        will be shown over the content of another tab due to a series of 
        JavaScript events combined with fullscreen mode. Note: This issue 
        only affects Firefox for Android. Other operating systems are not 
        #CVE-2017-5391: Content about: pages can load privileged about: 
        Special about: pages used by web content, such as RSS feeds, can 
        load privileged about: pages in an iframe. If a content-injection 
        bug were found in one of those pages this could allow for potential
        privilege escalation.
        #CVE-2017-5392: Weak references using multiple threads on weak proxy
        objects lead to unsafe memory usage
        Weak proxy objects have weak references on multiple threads when 
        they should only have them on one, resulting in incorrect memory 
        usage and corruption, which leads to potentially exploitable 
        crashes. Note: This issue only affects Firefox for Android. Other 
        operating systems are not affected.
        #CVE-2017-5393: Remove addons.mozilla.org CDN from whitelist for 
        The mozAddonManager allows for the installation of extensions from 
        the CDN for addons.mozilla.org, a publicly accessible site. This 
        could allow malicious extensions to install additional extensions 
        from the CDN in combination with an XSS attack on Mozilla AMO sites.
        #CVE-2017-5395: Android location bar spoofing during scrolling
        Malicious sites can display a spoofed location bar on a subsequently
        loaded page when the existing location bar on the new page is 
        scrolled out of view if navigations between pages can be timed 
        correctly. Note: This issue only affects Firefox for Android. Other
        operating systems are not affected.
        #CVE-2017-5387: Disclosure of local file existence through TRACK tag
        error messages
        The existence of a specifically requested local file can be found 
        due to the double firing of the onerror when the source attribute on
        a <track> tag refers to a file that does not exist if the source 
        page is loaded locally.
        #CVE-2017-5388: WebRTC can be used to generate a large amount of UDP
        traffic for DDOS attacks
        A STUN server in conjunction with a large number of 
        webkitRTCPeerConnection objects can be used to send large STUN 
        packets in a short period of time due to a lack of rate limiting 
        being applied on e10s systems, allowing for a denial of service 
        #CVE-2017-5374: Memory safety bugs fixed in Firefox 51
        Mozilla developers and community members Gary Kwong, Olli Pettay, 
        Tooru Fujisawa, Carsten Book, Andrew McCreight, Chris Pearce, Ronald
        Crane, Jan de Mooij, Julian Seward, Nicolas Pierron, Randell Jesup,
        Esther Monchari, Honza Bambas, and Philipp reported memory safety 
        bugs present in Firefox 50.1. Some of these bugs showed evidence of
        memory corruption and we presume that with enough effort that some 
        of these could be exploited to run arbitrary code.
        #CVE-2017-5373: Memory safety bugs fixed in Firefox 51 and Firefox 
        ESR 45.7
        Mozilla developers and community members Christian Holler, Gary 
        Kwong, André Bargull, Jan de Mooij, Tom Schuster, and Oriol reported
        memory safety bugs present in Firefox 50.1 and Firefox ESR 45.6. 
        Some of these bugs showed evidence of memory corruption and we 
        presume that with enough effort that some of these could be 
        exploited to run arbitrary code." [1]
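The location bar spoofing issue above (CVE-2017-5383) turns on hostnames that contain non-ASCII glyphs resembling hyphens or quotes, which the affected versions rendered without forcing punycode display. As an added example, not part of the AusCERT bulletin or of Mozilla's advisory, the Python below scans a constructed set of URLs (such as a defender would pull from proxy or DNS logs) for hostnames carrying dash or quotation-mark glyphs outside ASCII, reports the offending code points, and shows the ASCII-compatible (xn--) form in which such a label would be displayed once punycode rendering is forced. The category set, helper names and sample URLs are assumptions made for this example.

```python
import unicodedata
from urllib.parse import urlsplit

# Unicode general categories covering the glyph classes named in the advisory:
# dash punctuation (Pd) and initial/final quotation marks (Pi/Pf).
# Assumption for this example: any non-ASCII character from these categories
# in a hostname is worth surfacing for review.
SUSPICIOUS_CATEGORIES = {"Pd", "Pi", "Pf"}


def suspicious_chars(hostname):
    """Return (char, 'U+XXXX', unicode name) for each non-ASCII dash/quote glyph."""
    hits = []
    for ch in hostname:
        if ord(ch) < 128:
            continue  # plain ASCII never triggers the lookalike problem
        if unicodedata.category(ch) in SUSPICIOUS_CATEGORIES:
            hits.append((ch, "U+%04X" % ord(ch), unicodedata.name(ch, "UNKNOWN")))
    return hits


def ascii_form(hostname):
    """Punycode each non-ASCII label (xn-- prefix); ASCII labels pass through."""
    labels = []
    for label in hostname.split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def scan_urls(urls):
    """Return (url, ascii_hostname, hits) for URLs whose hostname has a suspicious glyph."""
    findings = []
    for url in urls:
        host = urlsplit(url).hostname or ""
        hits = suspicious_chars(host)
        if hits:
            findings.append((url, ascii_form(host), hits))
    return findings


# Constructed sample log URLs (not taken from the advisory).
SAMPLE_URLS = [
    "https://example-bank.com/login",               # ASCII hyphen: benign
    "https://example\u2010bank.com/login",          # U+2010 HYPHEN: lookalike
    "https://o\u2019reilly.example/",               # U+2019 RIGHT SINGLE QUOTATION MARK
    "https://shop.example/?q=\u2018quoted\u2019",   # quotes only in the query, host is clean
]

if __name__ == "__main__":
    for url, ascii_host, hits in scan_urls(SAMPLE_URLS):
        print(url)
        print("  displayed as:", ascii_host)
        for ch, cp, name in hits:
            print("  glyph %s (%s) %s" % (ch, cp, name))
```

Run as a script it lists only the two URLs whose hostname carries a lookalike glyph; the benign ASCII hostname and the URL whose quotes sit in the query string are not reported, which is the distinction a triage rule should make before raising an alert.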


        Mozilla advises upgrading to the latest version to address these 
        issues. [1 - 2]


        [1] Mozilla Foundation Security Advisory 2017-01

        [2] Mozilla Foundation Security Advisory 2017-02

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967