
Multiple Vulnerabilities in Mozilla Firefox Could Allow for Arbitrary Code Execution

MS-ISAC ADVISORY NUMBER:

2016-174

DATE(S) ISSUED:

11/16/2016

OVERVIEW:

Multiple vulnerabilities have been identified in Mozilla Firefox and Firefox Extended Support Release (ESR) which could allow for arbitrary code execution. Mozilla Firefox is a web browser used to access the Internet. Mozilla Firefox ESR is a version of the web browser intended to be deployed in large organizations. Exploitation of the most severe of these vulnerabilities could allow an attacker to bypass same-origin policy restrictions to access data, and execute arbitrary code in the context of the affected application.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • Mozilla Firefox versions prior to 50
  • Mozilla Firefox ESR versions prior to 45.3

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: MEDIUM
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: MEDIUM
Home Users:
LOW

TECHNICAL SUMMARY:

Mozilla has confirmed multiple vulnerabilities in Firefox and Firefox Extended Support Release (ESR). Exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution, bypass the same-origin policy and other security restrictions, and perform unauthorized actions. These vulnerabilities could be exploited if a user visits or is redirected to a specially-crafted webpage or opens a specially-crafted file. Details of these vulnerabilities are as follows:

Mozilla Firefox Vulnerabilities

· A denial-of-service vulnerability. Specifically, this issue occurs during URL parsing. (CVE-2016-5292)

· Multiple denial-of-service vulnerabilities due to use-after-free errors during DOM operations. Specifically, these issues occur in 'nsINode::ReplaceOrInsertBefore'. (CVE-2016-9067) (CVE-2016-9069)

· A denial-of-service vulnerability due to a use-after-free error during web animations. Specifically, this issue occurs in 'nsRefreshDriver'. (CVE-2016-9068)

· A security-bypass vulnerability that exists only on 64-bit Windows operating systems. Specifically, when a new Firefox profile is created on a 64-bit Windows installation, the sandbox for 64-bit NPAPI plugins is not enabled by default. (CVE-2016-9072)

· A privilege-escalation vulnerability. Specifically, this issue affects the mozAddonManager API. (CVE-2016-9075)

· A security-bypass vulnerability. Specifically, this issue affects the 'feDisplacementMap' filter. Successful exploits may allow an attacker to perform timing attacks. (CVE-2016-9077)

· A privilege-escalation vulnerability that only affects Windows operating systems. Successful exploitation may allow an attacker to read arbitrary files as SYSTEM. (CVE-2016-5295)

· A denial-of-service vulnerability that only affects Firefox for Android. Specifically, this issue affects the SSL indicator. Successful exploits may allow an attacker to mislead the user about the real URL visited. (CVE-2016-5298)

· A security vulnerability that only affects Firefox for Android exists in the Firefox AuthTokens. Specifically, this issue is due to an insecure permission. (CVE-2016-5299)

· A security vulnerability that only affects Firefox for Android exists in the API key (geolocation). Specifically, this issue is due to an insecure permission. (CVE-2016-9061)

· An information-disclosure vulnerability that only affects Firefox for Android. Specifically, this issue affects the browser.db and browser.db-wal files. (CVE-2016-9062)

· A security-bypass vulnerability. An attacker can exploit this issue by loading a specially crafted page into the sidebar through a bookmark. (CVE-2016-9070)

· A security-bypass vulnerability because the 'windows.create' schema fails to specify 'format': 'relativeUrl'. (CVE-2016-9073)

· A security-bypass vulnerability due to address bar spoofing. An attacker can exploit this issue using