Kaspersky Threats KLA11004

THREATS
Vulnerabilities
Threats

Russian
English

KLA11004
MULTIPLE VULNERABILITIES
IN MOZILLA FIREFOX AND
MOZILLA FIREFOX ESR
Updated: 05/11/2017

CVSS
? 0.0

Detect date
? 04/18/2017

Severity
? Warning

Description Multiple serious vulnerabilities have been found in Mozilla Firefox and Mozilla
Firefox ESR. Malicious users can exploit these vulnerabilities to cause a denial of
service, spoof user interface, obtain sensitive information, execute arbitrary code,
perform cross-site scripting attacks, bypass security restrictions, gain privileges
and read/write localfiles.

Below is a complete list of vulnerabilities:

1. A use-after-free vulnerability in SMIL can be exploited remotely to cause

denial of service;
2. A use-after-free vulnerability which occurs during transaction processing
in the editor can be exploited remotely to cause a denial of service;
3. An out-of-bounds write vulnerability in the Graphite 2 library can be
exploited remotely to cause a denial of service;
4. An out-of-bounds write vulnerability in BASE64 encoding in NSS can be
exploited remotely to cause a denial of service;
5. A buffer overflow vulnerability in WebGL can be exploited remotely to

https://threats.kaspersky.com/en/vulnerability/KLA11004[5/14/2017 7:16:05 AM]

Kaspersky Threats KLA11004

cause denial of service;

6. A use-after-free vulnerability in focus handling can be exploited remotely
to cause denial of service;
7. A use-after-free vulnerability in text input selection can be exploited
remotely to cause denial of service;
8. A use-after-free vulnerability in frame selection can be exploited
remotely to cause denial of service;
9. A use-after-free vulnerability in nsAutoPtr and nsTArrayLength() during
XSLT processing can be exploited remotely to cause denial of service;
10. A use-after-free vulnerability in txExecutionState destructor related to
XSLT processing can be exploited remotely to cause denial of service;
11. A use-after-free vulnerability related to holding a selection during scroll
events can be exploited remotely to cause denial of service;
12. A use-after-free vulnerability related to style changes when manipulating
DOM elements can be exploited remotely to cause denial of service;
13. A memory corruption vulnerability related to DOM manipulations of the
accessibility tree can be exploited remotely to cause denial of service;
14. An out-of-bounds write vulnerability in BinHex decoding can be
exploited remotely to cause denial of service;
15. A buffer overflow vulnerability in application/http-index-format content
can be exploited remotely to allow out-of-bounds reading of data from
memory;
16. An out-of-bounds read vulnerability related to HTTP/2 DATA frames are
sent with incorrect data content can be exploited remotely to cause a
denial of service;
17. An out-of-bounds read vulnerability related to glyph processing can be
exploited remotely to cause denial of service;
18. An out-of-bounds read vulnerability in ConvolvePixel can be exploited
remotely to cause denial of service;
19. An out-of-bounds write vulnerability in ClearKeyDecryptor can be
exploited remotely to cause denial of service;
20. Multiple out-of-bounds read vulnerabilities in the Libevent library can be
exploited remotely to cause denial of service;
21. A potential buffer overflow vulnerability in flex-generated code can be
exploited remotely to cause denial of service;
22. A reading of uninitialized memory vulnerability in application/http-
index-format content can be exploited remotely to read uninitialized
memory;
23. An improper DRBG number generation in NSS (Network Security
Services) library can be exploited remotely possibly to cause a denial of
service or execute arbitrary code;
24. Multiple memory corruption vulnerabilities, which occur because of
memory safety bugs, can be exploited remotely to execute arbitrary code
25. Origin confusion vulnerability related to reloading isolated data:text/html

https://threats.kaspersky.com/en/vulnerability/KLA11004[5/14/2017 7:16:05 AM]

Kaspersky Threats KLA11004

URL can be exploited remotely to execute a cross-site scripting (XSS)

attack;
26. An improper sandbox escape handling can be exploited remotely through
file picker via relative paths to bypass security restrictions and gain
privileges (get read only access to the local file system);
27. An incorrect handling of the internal feed reader APIs which crossed the
sandbox barrier can be exploited remotely to gain privileges and possibly
to execute arbitrary code inside the sandboxed process;
28. An improper work of file system request constructor in the sandbox can
be exploited remotely via a specially designed IPC message to bypass
security restrictions, read and write files in the local system;
29. A potential vulnerability related to layout and manipulation of
bidirectional unicode text in concert with CSS animations can be
exploited remotely to cause denial of service;
30. An addressbar spoofing vulnerability in onblur event can be exploited
remotely to make the loaded site appear to be different from the one
actually loaded within the addressbar;
31. A potential memory corruption occurring while drawing Skia content
outside the bounds of a clipping region can be exploited remotely
possibly to cause a denial of service;
32. An incorrect handling of escape characters sent as URL parameters for a
feeds title element while injecting static HTML into the RSS reader
preview page can be exploited remotely to spoof user interface;
33. An improper handling of drag and drop of a javascript: URL into the
adressbar can be exploited remotely to perform an XSS (cross-site
scripting) attack on themselves;
34. An issue with improper ownership model of privateBrowsing information
(which is exposed through deleveloper tools) can be exploited remotely
while debugging to cause a denial of service.

Technical details

Vulnerability (23) can affect displayed text so that the loaded site will look
different from the one which is to be loaded within the adressbar.

Vulnerability (29) occurs because unitialized values are used to create an array.

Vulnerability (31) occurs because in the NSS library the internal state V does not
correctly carry bits over.

Vulnerabilities 1-24 are related for Mozilla Firefox ESR before 45.9

Vulnerabilities 1-31 are related for Mozilla Firefox ESR before 52.1

https://threats.kaspersky.com/en/vulnerability/KLA11004[5/14/2017 7:16:05 AM]

Kaspersky Threats KLA11004

All vulnerabilities are related for Mozilla Firefox.

NB: This vulnerability have no public CVSS rating so rating can be changed by
the time.

NB: At this moment Mozilla just reserved CVE numbers for this vulnerabilities.
Information can be changed soon.

Affected Mozilla Firefox versions earlier than 53

products Mozilla Firefox ESR versions earlier than45.9
Mozilla Firefox ESR versions earlier than 52.1

Solution Update to the latest version

Download Firefox ESR
Download Firefox

Original MFSA-2017-10
advisories MFSA-2017-11
MFSA-2017-12

Impacts
? WLF [?]
RLF [?]
SUI [?]
ACE[?]
OSI [?]
XSSCSS [?]
SB[?]
PE [?]
DoS [?]

Related Mozilla Firefox

products

https://threats.kaspersky.com/en/vulnerability/KLA11004[5/14/2017 7:16:05 AM]