
ASB-2016.0025 - [Win][UNIX/Linux][Android] Mozilla Firefox: Multiple vulnerabilities

Date: 09 March 2016
References: ESB-2016.0633  ESB-2016.0635  ESB-2016.0639  ESB-2016.0673  ESB-2016.0707  ESB-2016.0725  ESB-2016.0728  ESB-2016.0741  ESB-2016.0742  ESB-2016.0743  
ESB-2016.0746  ESB-2016.0767  ESB-2016.0770  ESB-2016.0820  ESB-2016.0856  ESB-2016.1016  ESB-2016.1207  ESB-2016.1403  ESB-2016.2331  


                         AUSCERT Security Bulletin

        A number of vulnerabilities have been identified in Mozilla
                      Firefox and Mozilla Firefox ESR
                               9 March 2016


        AusCERT Security Bulletin Summary

Product:              Mozilla Firefox
                      Mozilla Firefox ESR
Operating System:     UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Overwrite Arbitrary Files       -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Provide Misleading Information  -- Remote with User Interaction
                      Access Confidential Data        -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2016-2802 CVE-2016-2801 CVE-2016-2800
                      CVE-2016-2799 CVE-2016-2798 CVE-2016-2797
                      CVE-2016-2796 CVE-2016-2795 CVE-2016-2794
                      CVE-2016-2793 CVE-2016-2792 CVE-2016-2791
                      CVE-2016-2790 CVE-2016-1979 CVE-2016-1977
                      CVE-2016-1976 CVE-2016-1975 CVE-2016-1974
                      CVE-2016-1973 CVE-2016-1972 CVE-2016-1971
                      CVE-2016-1970 CVE-2016-1968 CVE-2016-1967
                      CVE-2016-1966 CVE-2016-1965 CVE-2016-1964
                      CVE-2016-1963 CVE-2016-1962 CVE-2016-1961
                      CVE-2016-1960 CVE-2016-1959 CVE-2016-1958
                      CVE-2016-1957 CVE-2016-1956 CVE-2016-1955
                      CVE-2016-1954 CVE-2016-1953 CVE-2016-1952
Member content until: Friday, April 8 2016


        A number of vulnerabilities have been identified in Mozilla Firefox
        prior to version 45 and Mozilla Firefox ESR prior to version 38.7. 


        The vendor has provided the following details regarding
        CVE-2016-1977, CVE-2016-2790, CVE-2016-2791, CVE-2016-2792,
        CVE-2016-2793, CVE-2016-2794, CVE-2016-2795, CVE-2016-2796,
        CVE-2016-2797, CVE-2016-2798, CVE-2016-2799, CVE-2016-2800,
        CVE-2016-2801 and CVE-2016-2802:
        "Security researcher Holger Fuhrmannek and Mozilla security engineer
        Tyson Smith reported a number of security vulnerabilities in the 
        Graphite 2 library affecting version 1.3.5.
        The issue reported by Holger Fuhrmannek is a mechanism to induce 
        stack corruption with a malicious graphite font. This leads to a 
        potentially exploitable crash when the font is loaded.
        Tyson Smith used the Address Sanitizer tool in concert with a custom
        software fuzzer to find a series of uninitialized memory, 
        out-of-bounds read, and out-of-bounds write errors when working with
        fuzzed graphite fonts." [1]
        CVE-2016-1952, CVE-2016-1953: "Mozilla developers fixed several 
        memory safety bugs in the browser engine used in Firefox and other 
        Mozilla-based products. Some of these bugs showed evidence of memory
        corruption under certain circumstances, and we presume that with 
        enough effort at least some of these could be exploited to run 
        arbitrary code." [2]
        CVE-2016-1954: "Security researcher Nicolas Golubovic reported that
        a malicious page can overwrite files on the user's machine using 
        Content Security Policy (CSP) violation reports. The file contents 
        are restricted to the JSON format of the report. In many cases 
        overwriting a local file may simply be destructive, breaking the 
        functionality of that file. The CSP error reports can include HTML 
        fragments which could be rendered by browsers. If a user has 
        disabled add-on signing and has installed an "unpacked" add-on, a 
        malicious page could overwrite one of the add-on resources. 
        Depending on how this resource is used, this could lead to privilege
        escalation." [3]
        CVE-2016-1955: "Security researcher Muneaki Nishimura (nishimunea) 
        of Recruit Technologies Co.,Ltd. reported that Content Security 
        Policy (CSP) violation reports contained full path information for 
        cross-origin iframe navigations in violation of the CSP 
        specification. This could result in information disclosure." [4]
        CVE-2016-1956: "Security researcher Ucha Gobejishvili reported a 
        denial of service (DOS) attack when doing certain WebGL operations 
        in a canvas requiring an unusually large buffer to be 
        allocated from video memory. This resulted in memory resource 
        exhaustion with some Intel video cards, requiring the computer to be
        rebooted to return functionality. This was resolved by putting in 
        additional checks on the amount of memory to be allocated during 
        graphics processing." [5]
        CVE-2016-1957: "Security researchers Jose Martinez and Romina 
        Santillan reported a memory leak in the libstagefright library when
        array destruction occurs during MPEG4 video file processing." [6]
        CVE-2016-1958: "Security researcher Abdulrahman Alqabandi reported 
        an issue where an attacker can load an arbitrary web page but the 
        addressbar's displayed URL will be blank or filled with page defined
        content. This can be used to obfuscate which page is currently 
        loaded and allows for an attacker to spoof an existing page without
        the malicious page's address being displayed correctly." [7]
        CVE-2016-1959: "Security researcher Looben Yang reported a mechanism
        where the Clients API in Service Workers can be used to trigger an 
        out-of-bounds read in ServiceWorkerManager. This results in a 
        potentially exploitable crash." [8]
        CVE-2016-1960: "Security researcher ca0nguyen, working with HP's 
        Zero Day Initiative, reported a use-after-free issue in the HTML5 
        string parser when parsing a particular set of table-related tags in
        a foreign fragment context such as SVG. This results in a 
        potentially exploitable crash." [9]
        CVE-2016-1961: "Security researcher lokihardt, working with HP's 
        Zero Day Initiative, reported a use-after-free issue in the SetBody
        function of HTMLDocument. This results in a potentially exploitable
        crash." [10]
        CVE-2016-1962: "Security researcher Dominique Hazaël-Massieux 
        reported a use-after-free issue when using multiple WebRTC data 
        channel connections. This causes a potentially exploitable crash 
        when a data channel connection is freed from within a call through 
        it." [11]
        CVE-2016-1963: "Security researcher Oriol reported memory corruption
        when local files are modified (by either the user or another 
        program) at the same time as being read using the FileReader API. This
        flaw requires that input be taken from a local file in order to be 
        triggered and cannot be triggered by web content. This results in a
        potentially exploitable crash when triggered." [12]
        CVE-2016-1964: "Security researcher Nicolas Grégoire used the 
        Address Sanitizer to find a use-after-free during XML transformation
        operations. This results in a potentially exploitable crash 
        triggerable by web content." [13]
        CVE-2016-1965: "Security researcher Tsubasa Iinuma reported a 
        mechanism where the displayed addressbar can be spoofed to users. 
        This issue involves using history navigation in concert with the 
        Location protocol property. After navigating from a malicious page 
        to another, if the user navigates back to the initial page, the 
        displayed URL will not reflect the reloaded page. This could be used
        to trick users into potentially treating the page as a different and
        trusted site." [14]
        CVE-2016-1967: "Security researcher Jordi Chancel discovered a 
        variant of Mozilla Foundation Security Advisory 2015-136 which was 
        fixed in Firefox 43. In the original bug, it was possible to read 
        cross-origin URLs following a redirect if performance.getEntries() 
        was used along with an iframe to host a page. Navigating back in 
        history through script, content was pulled from the browser cache 
        for the redirected location instead of going to the original 
        location. In the newly reported variant issue, it was found that if
        a browser session was restored, history navigation would still allow
        for the same attack as content was restored from the browser cache.
        This is a same-origin policy violation and could allow for data 
        theft." [15]
        CVE-2016-1966: "The Communications Electronics Security Group (UK) 
        of the GCHQ reported a dangling pointer dereference within the 
        Netscape Plugin Application Programming Interface (NPAPI) that could
        lead to the NPAPI subsystem crashing. This issue requires a 
        maliciously crafted NPAPI plugin in concert with scripted web 
        content, resulting in a potentially exploitable crash when 
        triggered." [16]
        CVE-2016-1970, CVE-2016-1971, CVE-2016-1975, CVE-2016-1976, 
        CVE-2016-1972: "Security researcher Ronald Crane reported five 
        "moderate" rated vulnerabilities affecting released code that were 
        found through code inspection. These included the following issues 
        in WebRTC: an integer underflow, a missing status check, race 
        condition, and a use of deleted pointers to create a new object. A 
        race condition in LibVPX was also identified. These do not all have
        clear mechanisms to be exploited through web content but are 
        vulnerable if a mechanism can be found to trigger them." [17]
        CVE-2016-1973: "Security researcher Ronald Crane reported a race 
        condition in GetStaticInstance in WebRTC which results in a 
        use-after-free. This could result in a potentially exploitable 
        crash. This issue was found through code inspection and does not 
        have a clear mechanism to be exploited through web content but is 
        vulnerable if a mechanism can be found to trigger it." [18]
        CVE-2016-1974: "Security researcher Ronald Crane reported an 
        out-of-bounds read following a failed allocation in the HTML parser
        while working with unicode strings. This can also affect the parsing
        of XML and SVG format data. This leads to a potentially exploitable
        crash." [19]
        CVE-2016-1968: "Security researcher Luke Li reported a pointer 
        underflow bug in the Brotli library's decompression that leads to a
        buffer overflow. This results in a potentially exploitable crash 
        when triggered." [20]
        CVE-2016-1979: "Mozilla developer Tim Taubert used the Address 
        Sanitizer tool and software fuzzing to discover a use-after-free 
        vulnerability while processing DER encoded keys in the Network 
        Security Services (NSS) libraries. The vulnerability overwrites the
        freed memory with zeroes. This issue has been addressed in NSS 
        3.21.1, shipping in Firefox 45." [21]
        CVE-2016-1950: "Security researcher Francis Gabriel reported a 
        heap-based buffer overflow in the way the Network Security Services
        (NSS) libraries parsed certain ASN.1 structures. An attacker could 
        create a specially-crafted certificate which, when parsed by NSS, 
        would cause it to crash or execute arbitrary code with the 
        permissions of the user." [22]


        The vendor recommends updating to the latest versions of Firefox and
        Firefox ESR to address these issues. [1-22]
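
        As an added example (not part of the AusCERT bulletin or Mozilla's
        advisories), the following Python helper applies the thresholds
        stated above, Firefox 45 and Firefox ESR 38.7, to an inventory of
        installed versions; the host names and version strings are
        constructed sample data.

```python
import re
from typing import Dict, List, Tuple

# Fixed versions stated in ASB-2016.0025: Firefox 45 and Firefox ESR 38.7.
FIXED_RELEASE = (45, 0, 0)
FIXED_ESR = (38, 7, 0)

# Accepts forms such as "45.0", "44.0.2", "38.6.1esr".
_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(esr)?$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[Tuple[int, int, int], bool]:
    """Parse a Firefox version string into ((major, minor, patch), is_esr).

    Raises ValueError for strings that do not look like a Firefox version,
    so unknown inventory entries are surfaced rather than silently skipped.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Firefox version: {text!r}")
    major, minor, patch, esr = m.groups()
    return (int(major), int(minor or 0), int(patch or 0)), esr is not None


def is_affected(text: str) -> bool:
    """True when the version is below the fixed release on its channel.

    An ESR build reported without the "esr" suffix is compared against the
    release threshold (45), which is the conservative outcome: it is flagged.
    """
    version, esr = parse_version(text)
    return version < (FIXED_ESR if esr else FIXED_RELEASE)


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the hosts whose Firefox still needs the upgrade, sorted by name."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory (hypothetical hosts), not from the bulletin.
SAMPLE_INVENTORY = {
    "ws-01": "44.0.2",
    "ws-02": "45.0",
    "srv-03": "38.6.1esr",
    "srv-04": "38.7.0esr",
    "ws-05": "43.0.4",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: Firefox {SAMPLE_INVENTORY[host]} is affected by ASB-2016.0025")
```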


        [1] Font vulnerabilities in the Graphite 2 library

        [2] Mozilla Foundation Security Advisory 2016-16: Miscellaneous memory
            safety hazards (rv:45.0 / rv:38.7)

        [3] Mozilla Foundation Security Advisory 2016-17: Local file
            overwriting and potential privilege escalation through CSP reports

        [4] Mozilla Foundation Security Advisory 2016-18: CSP reports fail to
            strip location information for embedded iframe pages

        [5] Mozilla Foundation Security Advisory 2016-19: Linux video memory
            DOS with Intel drivers

        [6] Mozilla Foundation Security Advisory 2016-20: Memory leak in
            libstagefright when deleting an array during MP4 processing

        [7] Mozilla Foundation Security Advisory 2016-21: Displayed page
            address can be overridden

        [8] Mozilla Foundation Security Advisory 2016-22: Service Worker
            Manager out-of-bounds read in Service Worker Manager

        [9] Mozilla Foundation Security Advisory 2016-23: Use-after-free in
            HTML5 string parser

        [10] Mozilla Foundation Security Advisory 2016-24: Use-after-free in

        [11] Mozilla Foundation Security Advisory 2016-25: Use-after-free when
             using multiple WebRTC data channels

        [12] Mozilla Foundation Security Advisory 2016-26: Memory corruption
             when modifying a file being read by FileReader

        [13] Mozilla Foundation Security Advisory 2016-27: Use-after-free
             during XML transformations

        [14] Mozilla Foundation Security Advisory 2016-28: Addressbar spoofing
             through history navigation and Location protocol property

        [15] Mozilla Foundation Security Advisory 2016-29: Same-origin policy
             violation using performance.getEntries and history navigation with
             session restore

        [16] Mozilla Foundation Security Advisory 2016-31: Memory corruption
             with malicious NPAPI plugin

        [17] Mozilla Foundation Security Advisory 2016-32: WebRTC and LibVPX
             vulnerabilities found through code inspection

        [18] Mozilla Foundation Security Advisory 2016-33: Use-after-free in
             GetStaticInstance in WebRTC

        [19] Mozilla Foundation Security Advisory 2016-34: Out-of-bounds read
             in HTML parser following a failed allocation

        [20] Mozilla Foundation Security Advisory 2016-30: Buffer overflow in
             Brotli decompression

        [21] Mozilla Foundation Security Advisory 2016-36: Use-after-free
             during processing of DER encoded keys in NSS

        [22] Mozilla Foundation Security Advisory 2016-35: Buffer overflow
             during ASN.1 decoding in NSS

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email:
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.