-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2017.0134
         Multiple vulnerabilities have been identified in Mozilla
                      Firefox and Mozilla Firefox ESR
                              10 August 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Mozilla Firefox
                      Mozilla Firefox ESR
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Overwrite Arbitrary Files       -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Provide Misleading Information  -- Remote with User Interaction
                      Access Confidential Data        -- Remote with User Interaction
                      Reduced Security                -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2017-7809 CVE-2017-7808 CVE-2017-7807
                      CVE-2017-7806 CVE-2017-7804 CVE-2017-7803
                      CVE-2017-7802 CVE-2017-7801 CVE-2017-7800
                      CVE-2017-7799 CVE-2017-7798 CVE-2017-7797
                      CVE-2017-7796 CVE-2017-7794 CVE-2017-7792
                      CVE-2017-7791 CVE-2017-7790 CVE-2017-7789
                      CVE-2017-7788 CVE-2017-7787 CVE-2017-7786
                      CVE-2017-7785 CVE-2017-7784 CVE-2017-7783
                      CVE-2017-7782 CVE-2017-7781 CVE-2017-7780
                      CVE-2017-7779 CVE-2017-7753 
Member content until: Saturday, September  9 2017

OVERVIEW

        Multiple vulnerabilities have been identified in Mozilla Firefox 
        prior to version 55 and Mozilla Firefox ESR prior to version 52.3. [1,2]


IMPACT

        Mozilla has provided the following details regarding the vulnerabilities:
        
        Vulnerabilities affecting Firefox and Firefox ESR:
        
        "#CVE-2017-7798: XUL injection in the style editor in devtools
        
        Description
        
        The Developer Tools feature suffers from a XUL injection vulnerability due
        to improper sanitization of the web page source code. In the worst case,
        this could allow arbitrary code execution when opening a malicious page
        with the style editor tool.
        
        #CVE-2017-7800: Use-after-free in WebSockets during disconnection
        
        Description
        
        A use-after-free vulnerability can occur in WebSockets when the object
        holding the connection is freed before the disconnection operation is
        finished. This results in an exploitable crash.
        
        #CVE-2017-7801: Use-after-free with marquee during window resizing
        
        Description
        
        A use-after-free vulnerability can occur while re-computing layout for a
        marquee element during window resizing where the updated style object is
        freed while still in use. This results in a potentially exploitable crash.
        
        #CVE-2017-7809: Use-after-free while deleting attached editor DOM node
        
        Description
        
        A use-after-free vulnerability can occur when an editor DOM node is deleted
        prematurely during tree traversal while still bound to the document. This
        results in a potentially exploitable crash.
        
        #CVE-2017-7784: Use-after-free with image observers
        
        Description
        
        A use-after-free vulnerability can occur when reading an image observer
        during frame reconstruction after the observer has been freed. This results
        in a potentially exploitable crash.
        
        #CVE-2017-7802: Use-after-free resizing image elements
        
        Description
        
        A use-after-free vulnerability can occur when manipulating the DOM during
        the resize event of an image element. If these elements have been freed
        due to a lack of strong references, a potentially exploitable crash may
        occur when the freed elements are accessed.
        
        #CVE-2017-7785: Buffer overflow manipulating ARIA attributes in DOM
        
        Description
        
        A buffer overflow can occur when manipulating Accessible Rich Internet
        Applications (ARIA) attributes within the DOM. This results in a potentially
        exploitable crash.
        
        #CVE-2017-7786: Buffer overflow while painting non-displayable SVG
        
        Description
        
        A buffer overflow can occur when the image renderer attempts to paint
        non-displayable SVG elements. This results in a potentially exploitable
        crash.
        
        #CVE-2017-7753: Out-of-bounds read with cached style data and pseudo-elements
        
        Description
        
        An out-of-bounds read occurs when applying style rules to pseudo-elements,
        such as ::first-line, using cached style data.
        
        #CVE-2017-7787: Same-origin policy bypass with iframes through page reloads
        
        Description
        
        Same-origin policy protections can be bypassed on pages with embedded
        iframes during page reloads, allowing the iframes to access content on
        the top level page, leading to information disclosure.
        
        #CVE-2017-7807: Domain hijacking through AppCache fallback
        
        Description
        
        AppCache fallback can be used to hijack a URL in a domain by serving the
        files from a sub-path on the domain. This has been addressed
        by requiring fallback files be inside the manifest directory.
        
        #CVE-2017-7792: Buffer overflow viewing certificates with an extremely
        long OID
        
        Description
        
        A buffer overflow will occur when viewing a certificate in the certificate
        manager if the certificate has an extremely long object identifier
        (OID). This results in a potentially exploitable crash.
        
        #CVE-2017-7804: Memory protection bypass through WindowsDllDetourPatcher
        
        Description
        
        The destructor function for the WindowsDllDetourPatcher class can be
        re-purposed by malicious code in concert with another vulnerability to
        write arbitrary data to an attacker controlled location in memory. This
        can be used to bypass existing memory protections in this situation.
        Note: This attack only affects Windows operating systems. Other operating
        systems are not affected.
        
        #CVE-2017-7791: Spoofing following page navigation with data: protocol
        and modal alerts
        
        Description
        
        On pages containing an iframe, the data: protocol can be used to create
        a modal alert that will render over arbitrary domains following page
        navigation, spoofing the origin of the modal alert from the iframe
        content.
        
        #CVE-2017-7782: WindowsDllDetourPatcher allocates memory without DEP
        protections
        
        Description
        
        An error in the WindowsDllDetourPatcher where a RWX ("Read/Write/Execute")
        4k block is allocated but never protected, violating DEP protections.
        Note: This attack only affects Windows operating systems. Other operating
        systems are not affected.
        
        #CVE-2017-7803: CSP containing 'sandbox' improperly applied
        
        Description
        
        When a page's content security policy (CSP) header contains a sandbox
        directive, other directives are ignored. This results in the incorrect
        enforcement of CSP.
        
        #CVE-2017-7779: Memory safety bugs fixed in Firefox 55 and Firefox ESR 52.3
        
        Description
        
        Mozilla developers and community members Masayuki Nakano, Gary Kwong,
        Ronald Crane, Andrew McCreight, Tyson Smith, Bevis Tseng, Christian Holler,
        Bryce Van Dyk, Dragana Damjanovic, Kartikaya Gupta, Philipp, Tristan
        Bourvon, and Andi-Bogdan Postelnicu reported memory safety bugs present
        in Firefox 54 and Firefox ESR 52.2. Some of these bugs showed evidence
        of memory corruption and we presume that with enough effort that some of
        these could be exploited to run arbitrary code.
        " [1]
        
        Vulnerabilities affecting Firefox:
        
        "#CVE-2017-7798: XUL injection in the style editor in devtools
        
        Description
        
        The Developer Tools feature suffers from a XUL injection vulnerability due
        to improper sanitization of the web page source code. In the worst case,
        this could allow arbitrary code execution when opening a malicious page
        with the style editor tool.
        
        #CVE-2017-7800: Use-after-free in WebSockets during disconnection
        
        Description
        
        A use-after-free vulnerability can occur in WebSockets when the object
        holding the connection is freed before the disconnection operation is
        finished. This results in an exploitable crash.
        
        #CVE-2017-7801: Use-after-free with marquee during window resizing
        
        Description
        
        A use-after-free vulnerability can occur while re-computing layout for a
        marquee element during window resizing where the updated style object is
        freed while still in use. This results in a potentially exploitable crash.
        
        #CVE-2017-7809: Use-after-free while deleting attached editor DOM node
        
        Description
        
        A use-after-free vulnerability can occur when an editor DOM node is deleted
        prematurely during tree traversal while still bound to the document. This
        results in a potentially exploitable crash.
        
        #CVE-2017-7784: Use-after-free with image observers
        
        Description
        
        A use-after-free vulnerability can occur when reading an image observer
        during frame reconstruction after the observer has been freed. This results
        in a potentially exploitable crash.
        
        #CVE-2017-7802: Use-after-free resizing image elements
        
        Description
        
        A use-after-free vulnerability can occur when manipulating the DOM during
        the resize event of an image element. If these elements have been freed
        due to a lack of strong references, a potentially exploitable crash may
        occur when the freed elements are accessed.
        
        #CVE-2017-7785: Buffer overflow manipulating ARIA attributes in DOM
        
        Description
        
        A buffer overflow can occur when manipulating Accessible Rich Internet
        Applications (ARIA) attributes within the DOM. This results in a potentially
        exploitable crash.
        
        #CVE-2017-7786: Buffer overflow while painting non-displayable SVG
        
        Description
        
        A buffer overflow can occur when the image renderer attempts to paint
        non-displayable SVG elements. This results in a potentially exploitable
        crash.
        
        #CVE-2017-7806: Use-after-free in layer manager with SVG
        
        Description
        
        A use-after-free vulnerability can occur when the layer manager is freed
        too early when rendering specific SVG content, resulting in a potentially
        exploitable crash.
        
        #CVE-2017-7753: Out-of-bounds read with cached style data and pseudo-elements
        
        Description
        
        An out-of-bounds read occurs when applying style rules to pseudo-elements,
        such as ::first-line, using cached style data.
        
        #CVE-2017-7787: Same-origin policy bypass with iframes through page reloads
        
        Description
        
        Same-origin policy protections can be bypassed on pages with embedded
        iframes during page reloads, allowing the iframes to access content on
        the top level page, leading to information disclosure.
        
        #CVE-2017-7807: Domain hijacking through AppCache fallback
        
        Description
        
        AppCache fallback can be used to hijack a URL in a domain by serving the
        files from a sub-path on the domain. This has been addressed
        by requiring fallback files be inside the manifest directory.
        
        #CVE-2017-7792: Buffer overflow viewing certificates with an extremely long OID
        
        Description
        
        A buffer overflow will occur when viewing a certificate in the certificate
        manager if the certificate has an extremely long object identifier
        (OID). This results in a potentially exploitable crash.
        
        #CVE-2017-7804: Memory protection bypass through WindowsDllDetourPatcher
        
        Description
        
        The destructor function for the WindowsDllDetourPatcher class can be
        re-purposed by malicious code in concert with another vulnerability to
        write arbitrary data to an attacker controlled location in memory. This
        can be used to bypass existing memory protections in this situation.
        Note: This attack only affects Windows operating systems. Other operating
        systems are not affected.
        
        #CVE-2017-7791: Spoofing following page navigation with data: protocol and modal alerts
        
        Description
        
        On pages containing an iframe, the data: protocol can be used to create
        a modal alert that will render over arbitrary domains following page
        navigation, spoofing the origin of the modal alert from the iframe
        content.
        
        #CVE-2017-7808: CSP information leak with frame-ancestors containing paths
        
        Description
        
        A content security policy (CSP) frame-ancestors directive containing
        origins with paths allows for comparisons against those paths instead
        of the origin. This results in a cross-origin information leak of this
        path information.
        
        #CVE-2017-7782: WindowsDllDetourPatcher allocates memory without DEP protections
        
        Description
        
        An error in the WindowsDllDetourPatcher where a RWX ("Read/Write/Execute")
        4k block is allocated but never protected, violating DEP protections.
        Note: This attack only affects Windows operating systems. Other operating
        systems are not affected.
        
        #CVE-2017-7781: Elliptic curve point addition error when using mixed
        Jacobian-affine coordinates
        
        Description
        
        An error occurs in the elliptic curve point addition algorithm that
        uses mixed Jacobian-affine coordinates where it can yield a result
        POINT_AT_INFINITY when it should not. A man-in-the-middle attacker could
        use this to interfere with a connection, resulting in an attacked party
        computing an incorrect shared secret.
        
        #CVE-2017-7794: Linux file truncation via sandbox broker
        
        Description
        
        On Linux systems, if the content process is compromised, the sandbox broker
        will allow files to be truncated even though the sandbox explicitly only
        has read access to the local file system and no write permissions.
        Note: This attack only affects the Linux operating system. Other operating
        systems are not affected.
        
        #CVE-2017-7803: CSP containing 'sandbox' improperly applied
        
        Description
        
        When a page's content security policy (CSP) header contains a sandbox
        directive, other directives are ignored. This results in the incorrect
        enforcement of CSP.
        
        #CVE-2017-7799: Self-XSS XUL injection in about:webrtc
        
        Description
        
        JavaScript in the about:webrtc page is not sanitized properly before being
        assigned to innerHTML. Data on this page is supplied by WebRTC usage and
        is not under third-party control, making this difficult to exploit, but the
        vulnerability could possibly be used for a cross-site scripting (XSS) attack.
        
        #CVE-2017-7783: DoS attack through long username in URL
        
        Description
        
        If a long user name is used in a username/password combination in a site URL
        (such as http://UserName:Password@example.com), the resulting modal prompt
        will hang in a non-responsive state or crash, causing a denial of service.
        
        #CVE-2017-7788: Sandboxed about:srcdoc iframes do not inherit CSP directives
        
        Description
        
        When an iframe has a sandbox attribute and its content is specified
        using srcdoc, that content does not inherit the containing page's Content
        Security Policy (CSP) as it should unless the sandbox attribute included
        allow-same-origin.
        
        #CVE-2017-7789: Failure to enable HSTS when two STS headers are sent for
        a connection
        
        Description
        
        If a server sends two Strict-Transport-Security (STS) headers for a single
        connection, they will be rejected as invalid and HTTP Strict Transport
        Security (HSTS) will not be enabled for the connection.
        
        #CVE-2017-7790: Windows crash reporter reads extra memory for some
        non-null-terminated registry values
        
        Description
        
        On Windows systems, if non-null-terminated strings are copied into the
        crash reporter for some specific registry keys, stack memory data can be
        copied until a null is found. This can potentially contain private data
        from the local system.
        Note: This attack only affects Windows operating systems. Other operating
        systems are not affected.
        
        #CVE-2017-7796: Windows updater can delete any file named update.log
        
        Description
        
        On Windows systems, the logger run by the Windows updater deletes the file
        "update.log" before it runs in order to write a new log of that name. The
        path to this file is supplied at the command line to the updater and could
        be used in concert with another local exploit to delete a different file
        named "update.log" instead of the one intended.
        Note: This attack only affects Windows operating systems. Other operating
        systems are not affected.
        
        #CVE-2017-7797: Response header name interning leaks across origins
        
        Description
        
        Response header name interning does not have same-origin protections and
        these headers are stored in a global registry. This allows stored header
        names to be available cross-origin.
        
        #CVE-2017-7780: Memory safety bugs fixed in Firefox 55
        
        Description
        
        Mozilla developers and community members Gary Kwong, Christian Holler,
        Andre Bargull, Bob Clary, Carsten Book, Emilio Cobos Alvarez, Masayuki
        Nakano, Sebastian Hengst, Franziskus Kiefer, Tyson Smith, and Ronald
        Crane reported memory safety bugs present in Firefox 54. Some of these
        bugs showed evidence of memory corruption and we presume that with enough
        effort that some of these could be exploited to run arbitrary code.
        
        #CVE-2017-7779: Memory safety bugs fixed in Firefox 55 and Firefox ESR 52.3
        
        Description
        
        Mozilla developers and community members Masayuki Nakano, Gary Kwong,
        Ronald Crane, Andrew McCreight, Tyson Smith, Bevis Tseng, Christian Holler,
        Bryce Van Dyk, Dragana Damjanovic, Kartikaya Gupta, Philipp, Tristan
        Bourvon, and Andi-Bogdan Postelnicu reported memory safety bugs present
        in Firefox 54 and Firefox ESR 52.2. Some of these bugs showed evidence
        of memory corruption and we presume that with enough effort that some of
        these could be exploited to run arbitrary code.
        " [2]


MITIGATION

        Users are advised to upgrade to Firefox 55 or Firefox ESR 52.3, or later,
        to address these issues. [1,2]


REFERENCES

        [1] Security vulnerabilities fixed in Firefox ESR 52.3
            https://www.mozilla.org/en-US/security/advisories/mfsa2017-19/

        [2] Security vulnerabilities fixed in Firefox 55
            https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----