Vulnerabilities > CVE-2014-1565 - Buffer Errors vulnerability in Mozilla Firefox, Firefox ESR and Thunderbird
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
NONE Availability impact
NONE Summary
The mozilla::dom::AudioEventTimeline function in the Web Audio API implementation in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 does not properly create audio timelines, which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read) via crafted API calls.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Nessus
NASL family SuSE Local Security Checks NASL id OPENSUSE-2014-531.NASL description MozillaThunderbird was updated to Thunderbird 31.1.0 (bnc#894370), fixinfg security issues : - MFSA 2014-67/CVE-2014-1553/CVE-2014-1562 Miscellaneous memory safety hazards - MFSA 2014-68/CVE-2014-1563 (bmo#1018524) Use-after-free during DOM interactions with SVG - MFSA 2014-69/CVE-2014-1564 (bmo#1045977) Uninitialized memory use during GIF rendering - MFSA 2014-70/CVE-2014-1565 (bmo#1047831) Out-of-bounds read in Web Audio audio timeline - MFSA 2014-72/CVE-2014-1567 (bmo#1037641) Use-after-free setting text directionality - update to Thunderbird 31.0 - based on Gecko 31 - Autocompleting email addresses now matches against any part of the name or email - Composing a mail to a newsgroup will now autocomplete newsgroup names - Insecure NTLM (pre-NTLMv2) authentication disabled last seen 2020-06-05 modified 2014-09-11 plugin id 77619 published 2014-09-11 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/77619 title openSUSE Security Update : MozillaThunderbird (openSUSE-SU-2014:1098-1) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update openSUSE-2014-531. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(77619); script_version("1.9"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2014-1553", "CVE-2014-1562", "CVE-2014-1563", "CVE-2014-1564", "CVE-2014-1565", "CVE-2014-1567"); script_bugtraq_id(69519, 69520, 69521, 69523, 69524, 69525); script_name(english:"openSUSE Security Update : MozillaThunderbird (openSUSE-SU-2014:1098-1)"); script_summary(english:"Check for the openSUSE-2014-531 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "MozillaThunderbird was updated to Thunderbird 31.1.0 (bnc#894370), fixinfg security issues : - MFSA 2014-67/CVE-2014-1553/CVE-2014-1562 Miscellaneous memory safety hazards - MFSA 2014-68/CVE-2014-1563 (bmo#1018524) Use-after-free during DOM interactions with SVG - MFSA 2014-69/CVE-2014-1564 (bmo#1045977) Uninitialized memory use during GIF rendering - MFSA 2014-70/CVE-2014-1565 (bmo#1047831) Out-of-bounds read in Web Audio audio timeline - MFSA 2014-72/CVE-2014-1567 (bmo#1037641) Use-after-free setting text directionality - update to Thunderbird 31.0 - based on Gecko 31 - Autocompleting email addresses now matches against any part of the name or email - Composing a mail to a newsgroup will now autocomplete newsgroup names - Insecure NTLM (pre-NTLMv2) authentication disabled" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=894370" ); script_set_attribute( attribute:"see_also", value:"https://lists.opensuse.org/opensuse-updates/2014-09/msg00010.html" ); script_set_attribute( attribute:"solution", value:"Update the affected MozillaThunderbird packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaThunderbird"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaThunderbird-buildsymbols"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaThunderbird-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaThunderbird-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaThunderbird-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaThunderbird-translations-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaThunderbird-translations-other"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:12.3"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:13.1"); script_set_attribute(attribute:"patch_publication_date", value:"2014/09/03"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/09/11"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE12\.3|SUSE13\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "12.3 / 13.1", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE12.3", reference:"MozillaThunderbird-31.1.0-61.59.1") ) flag++; if ( rpm_check(release:"SUSE12.3", reference:"MozillaThunderbird-buildsymbols-31.1.0-61.59.1") ) flag++; if ( rpm_check(release:"SUSE12.3", reference:"MozillaThunderbird-debuginfo-31.1.0-61.59.1") ) flag++; if ( rpm_check(release:"SUSE12.3", reference:"MozillaThunderbird-debugsource-31.1.0-61.59.1") ) flag++; if ( rpm_check(release:"SUSE12.3", reference:"MozillaThunderbird-devel-31.1.0-61.59.1") ) flag++; if ( rpm_check(release:"SUSE12.3", reference:"MozillaThunderbird-translations-common-31.1.0-61.59.1") ) flag++; if ( rpm_check(release:"SUSE12.3", reference:"MozillaThunderbird-translations-other-31.1.0-61.59.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"MozillaThunderbird-31.1.0-70.31.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"MozillaThunderbird-buildsymbols-31.1.0-70.31.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"MozillaThunderbird-debuginfo-31.1.0-70.31.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"MozillaThunderbird-debugsource-31.1.0-70.31.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"MozillaThunderbird-devel-31.1.0-70.31.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"MozillaThunderbird-translations-common-31.1.0-70.31.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"MozillaThunderbird-translations-other-31.1.0-70.31.1") ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "MozillaThunderbird"); }NASL family Windows NASL id MOZILLA_THUNDERBIRD_31_1.NASL description The version of Thunderbird installed on the remote host is a version prior to 31.1. It is, therefore, affected by the following vulnerabilities : - Multiple memory safety flaws exist within the browser engine. Exploiting these, an attacker can cause a denial of service or execute arbitrary code. (CVE-2014-1553, CVE-2014-1562) - A use-after-free vulnerability exists due to improper cycle collection when processing animated SVG content. A remote attacker can exploit this to cause a denial of service or execute arbitrary code. (CVE-2014-1563) - Memory is not properly initialized during GIF rendering. Using a specially crafted web script, a remote attacker can exploit this to acquire sensitive information from the process memory. (CVE-2014-1564) - The Web Audio API contains a flaw where audio timelines are properly created. Using specially crafted API calls, a remote attacker can exploit this to acquire sensitive information from the process memory or cause a denial of service. (CVE-2014-1565) - A use-after-free vulnerability exists due to improper handling of text layout in directionality resolution. A remote attacker can exploit this to execute arbitrary code. (CVE-2014-1567) last seen 2020-06-01 modified 2020-06-02 plugin id 77502 published 2014-09-03 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/77502 title Mozilla Thunderbird < 31.1 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(77502); script_version("1.7"); script_cvs_date("Date: 2019/11/25"); script_cve_id( "CVE-2014-1553", "CVE-2014-1562", "CVE-2014-1563", "CVE-2014-1564", "CVE-2014-1565", "CVE-2014-1567" ); script_bugtraq_id( 69519, 69520, 69521, 69523, 69524, 69525 ); script_name(english:"Mozilla Thunderbird < 31.1 Multiple Vulnerabilities"); script_summary(english:"Checks the version of Thunderbird."); script_set_attribute(attribute:"synopsis", value: "The remote Windows host contains a mail client that is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The version of Thunderbird installed on the remote host is a version prior to 31.1. It is, therefore, affected by the following vulnerabilities : - Multiple memory safety flaws exist within the browser engine. Exploiting these, an attacker can cause a denial of service or execute arbitrary code. (CVE-2014-1553, CVE-2014-1562) - A use-after-free vulnerability exists due to improper cycle collection when processing animated SVG content. A remote attacker can exploit this to cause a denial of service or execute arbitrary code. (CVE-2014-1563) - Memory is not properly initialized during GIF rendering. Using a specially crafted web script, a remote attacker can exploit this to acquire sensitive information from the process memory. (CVE-2014-1564) - The Web Audio API contains a flaw where audio timelines are properly created. Using specially crafted API calls, a remote attacker can exploit this to acquire sensitive information from the process memory or cause a denial of service. (CVE-2014-1565) - A use-after-free vulnerability exists due to improper handling of text layout in directionality resolution. A remote attacker can exploit this to execute arbitrary code. (CVE-2014-1567)"); script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/archive/1/533357/30/0/threaded"); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/security/announce/2014/mfsa2014-67.html"); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/security/announce/2014/mfsa2014-68.html"); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/security/announce/2014/mfsa2014-69.html"); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/security/announce/2014/mfsa2014-70.html"); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/security/announce/2014/mfsa2014-72.html"); script_set_attribute(attribute:"solution", value: "Upgrade to Thunderbird 31.1 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-1563"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2014/09/02"); script_set_attribute(attribute:"patch_publication_date", value:"2014/09/02"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/09/03"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:mozilla:thunderbird"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("mozilla_org_installed.nasl"); script_require_keys("Mozilla/Thunderbird/Version"); exit(0); } include("mozilla_version.inc"); port = get_kb_item("SMB/transport"); if (!port) port = 445; installs = get_kb_list("SMB/Mozilla/Thunderbird/*"); if (isnull(installs)) audit(AUDIT_NOT_INST, "Thunderbird"); mozilla_check_version(installs:installs, product:'thunderbird', esr:FALSE, fix:'31.1', min:'31.0', severity:SECURITY_HOLE, xss:FALSE);NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201504-01.NASL description The remote host is affected by the vulnerability described in GLSA-201504-01 (Mozilla Products: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Firefox, Thunderbird, and SeaMonkey. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could entice a user to view a specially crafted web page or email, possibly resulting in execution of arbitrary code or a Denial of Service condition. Furthermore, a remote attacker may be able to perform Man-in-the-Middle attacks, obtain sensitive information, spoof the address bar, conduct clickjacking attacks, bypass security restrictions and protection mechanisms, or have other unspecified impact. Workaround : There are no known workarounds at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 82632 published 2015-04-08 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/82632 title GLSA-201504-01 : Mozilla Products: Multiple vulnerabilities code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Gentoo Linux Security Advisory GLSA 201504-01. # # The advisory text is Copyright (C) 2001-2019 Gentoo Foundation, Inc. # and licensed under the Creative Commons - Attribution / Share Alike # license. See http://creativecommons.org/licenses/by-sa/3.0/ # include("compat.inc"); if (description) { script_id(82632); script_version("1.7"); script_cvs_date("Date: 2019/08/12 17:35:38"); script_cve_id("CVE-2013-1741", "CVE-2013-2566", "CVE-2013-5590", "CVE-2013-5591", "CVE-2013-5592", "CVE-2013-5593", "CVE-2013-5595", "CVE-2013-5596", "CVE-2013-5597", "CVE-2013-5598", "CVE-2013-5599", "CVE-2013-5600", "CVE-2013-5601", "CVE-2013-5602", "CVE-2013-5603", "CVE-2013-5604", "CVE-2013-5605", "CVE-2013-5606", "CVE-2013-5607", "CVE-2013-5609", "CVE-2013-5610", "CVE-2013-5612", "CVE-2013-5613", "CVE-2013-5614", "CVE-2013-5615", "CVE-2013-5616", "CVE-2013-5618", "CVE-2013-5619", "CVE-2013-6671", "CVE-2013-6672", "CVE-2013-6673", "CVE-2014-1477", "CVE-2014-1478", "CVE-2014-1479", "CVE-2014-1480", "CVE-2014-1481", "CVE-2014-1482", "CVE-2014-1483", "CVE-2014-1485", "CVE-2014-1486", "CVE-2014-1487", "CVE-2014-1488", "CVE-2014-1489", "CVE-2014-1490", "CVE-2014-1491", "CVE-2014-1492", "CVE-2014-1493", "CVE-2014-1494", "CVE-2014-1496", "CVE-2014-1497", "CVE-2014-1498", "CVE-2014-1499", "CVE-2014-1500", "CVE-2014-1502", "CVE-2014-1504", "CVE-2014-1505", "CVE-2014-1508", "CVE-2014-1509", "CVE-2014-1510", "CVE-2014-1511", "CVE-2014-1512", "CVE-2014-1513", "CVE-2014-1514", "CVE-2014-1518", "CVE-2014-1519", "CVE-2014-1520", "CVE-2014-1522", "CVE-2014-1523", "CVE-2014-1524", "CVE-2014-1525", "CVE-2014-1526", "CVE-2014-1529", "CVE-2014-1530", "CVE-2014-1531", "CVE-2014-1532", "CVE-2014-1533", "CVE-2014-1534", "CVE-2014-1536", "CVE-2014-1537", "CVE-2014-1538", "CVE-2014-1539", "CVE-2014-1540", "CVE-2014-1541", "CVE-2014-1542", "CVE-2014-1543", "CVE-2014-1544", "CVE-2014-1545", "CVE-2014-1547", "CVE-2014-1548", "CVE-2014-1549", "CVE-2014-1550", "CVE-2014-1551", "CVE-2014-1552", "CVE-2014-1553", "CVE-2014-1554", "CVE-2014-1555", "CVE-2014-1556", "CVE-2014-1557", "CVE-2014-1558", "CVE-2014-1559", "CVE-2014-1560", "CVE-2014-1561", "CVE-2014-1562", "CVE-2014-1563", "CVE-2014-1564", "CVE-2014-1565", "CVE-2014-1566", "CVE-2014-1567", "CVE-2014-1568", "CVE-2014-1574", "CVE-2014-1575", "CVE-2014-1576", "CVE-2014-1577", "CVE-2014-1578", "CVE-2014-1580", "CVE-2014-1581", "CVE-2014-1582", "CVE-2014-1583", "CVE-2014-1584", "CVE-2014-1585", "CVE-2014-1586", "CVE-2014-1587", "CVE-2014-1588", "CVE-2014-1589", "CVE-2014-1590", "CVE-2014-1591", "CVE-2014-1592", "CVE-2014-1593", "CVE-2014-1594", "CVE-2014-5369", "CVE-2014-8631", "CVE-2014-8632", "CVE-2014-8634", "CVE-2014-8635", "CVE-2014-8636", "CVE-2014-8637", "CVE-2014-8638", "CVE-2014-8639", "CVE-2014-8640", "CVE-2014-8641", "CVE-2014-8642", "CVE-2015-0817", "CVE-2015-0818", "CVE-2015-0819", "CVE-2015-0820", "CVE-2015-0821", "CVE-2015-0822", "CVE-2015-0823", "CVE-2015-0824", "CVE-2015-0825", "CVE-2015-0826", "CVE-2015-0827", "CVE-2015-0828", "CVE-2015-0829", "CVE-2015-0830", "CVE-2015-0831", "CVE-2015-0832", "CVE-2015-0833", "CVE-2015-0834", "CVE-2015-0835", "CVE-2015-0836"); script_xref(name:"GLSA", value:"201504-01"); script_name(english:"GLSA-201504-01 : Mozilla Products: Multiple vulnerabilities"); script_summary(english:"Checks for updated package(s) in /var/db/pkg"); script_set_attribute( attribute:"synopsis", value: "The remote Gentoo host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "The remote host is affected by the vulnerability described in GLSA-201504-01 (Mozilla Products: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Firefox, Thunderbird, and SeaMonkey. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could entice a user to view a specially crafted web page or email, possibly resulting in execution of arbitrary code or a Denial of Service condition. Furthermore, a remote attacker may be able to perform Man-in-the-Middle attacks, obtain sensitive information, spoof the address bar, conduct clickjacking attacks, bypass security restrictions and protection mechanisms, or have other unspecified impact. Workaround : There are no known workarounds at this time." ); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/201504-01" ); script_set_attribute( attribute:"solution", value: "All firefox users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=www-client/firefox-31.5.3' All firefox-bin users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=www-client/firefox-bin-31.5.3' All thunderbird users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=mail-client/thunderbird-31.5.0' All thunderbird-bin users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=mail-client/thunderbird-bin-31.5.0' All seamonkey users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=www-client/seamonkey-2.33.1' All seamonkey-bin users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=www-client/seamonkey-bin-2.33.1' All nspr users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=dev-libs/nspr-4.10.6'" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Firefox Proxy Prototype Privileged Javascript Injection'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:firefox"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:firefox-bin"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:nspr"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:seamonkey"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:seamonkey-bin"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:thunderbird"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:thunderbird-bin"); script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux"); script_set_attribute(attribute:"vuln_publication_date", value:"2013/03/15"); script_set_attribute(attribute:"patch_publication_date", value:"2015/04/07"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/04/08"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Gentoo Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("qpkg.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo"); if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (qpkg_check(package:"dev-libs/nspr", unaffected:make_list("ge 4.10.6"), vulnerable:make_list("lt 4.10.6"))) flag++; if (qpkg_check(package:"www-client/firefox-bin", unaffected:make_list("ge 31.5.3"), vulnerable:make_list("lt 31.5.3"))) flag++; if (qpkg_check(package:"www-client/seamonkey", unaffected:make_list("ge 2.33.1"), vulnerable:make_list("lt 2.33.1"))) flag++; if (qpkg_check(package:"www-client/seamonkey-bin", unaffected:make_list("ge 2.33.1"), vulnerable:make_list("lt 2.33.1"))) flag++; if (qpkg_check(package:"mail-client/thunderbird-bin", unaffected:make_list("ge 31.5.0"), vulnerable:make_list("lt 31.5.0"))) flag++; if (qpkg_check(package:"www-client/firefox", unaffected:make_list("ge 31.5.3"), vulnerable:make_list("lt 31.5.3"))) flag++; if (qpkg_check(package:"mail-client/thunderbird", unaffected:make_list("ge 31.5.0"), vulnerable:make_list("lt 31.5.0"))) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get()); else security_hole(0); exit(0); } else { tested = qpkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Mozilla Products"); }NASL family SuSE Local Security Checks NASL id OPENSUSE-2014-530.NASL description Mozilla Firefox was updated to Firefox 32 fixing security issues and bugs. Security issues fixed: MFSA 2014-72 / CVE-2014-1567: Security researcher regenrecht reported, via TippingPoint last seen 2020-06-05 modified 2014-09-11 plugin id 77618 published 2014-09-11 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/77618 title openSUSE Security Update : MozillaFirefox (openSUSE-SU-2014:1099-1) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update openSUSE-2014-530. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(77618); script_version("1.6"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2014-1553", "CVE-2014-1554", "CVE-2014-1562", "CVE-2014-1563", "CVE-2014-1564", "CVE-2014-1565", "CVE-2014-1567"); script_name(english:"openSUSE Security Update : MozillaFirefox (openSUSE-SU-2014:1099-1)"); script_summary(english:"Check for the openSUSE-2014-530 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "Mozilla Firefox was updated to Firefox 32 fixing security issues and bugs. Security issues fixed: MFSA 2014-72 / CVE-2014-1567: Security researcher regenrecht reported, via TippingPoint's Zero Day Initiative, a use-after-free during text layout when interacting with the setting of text direction. This results in a use-after-free which can lead to arbitrary code execution. MFSA 2014-70 / CVE-2014-1565: Security researcher Holger Fuhrmannek discovered an out-of-bounds read during the creation of an audio timeline in Web Audio. This results in a crash and could allow for the reading of random memory values. MFSA 2014-69 / CVE-2014-1564: Google security researcher Michal Zalewski discovered that when a malformated GIF image is rendered in certain circumstances, memory is not properly initialized before use. The resulting image then uses this memory during rendering. This could allow for the a script in web content to access this uninitialized memory using the <canvas> feature. MFSA 2014-68 / CVE-2014-1563: Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team used the Address Sanitizer tool to discover a use-after-free during cycle collection. This was found in interactions with the SVG content through the document object model (DOM) with animating SVG content. This leads to a potentially exploitable crash. MFSA 2014-67: Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. Jan de Mooij reported a memory safety problem that affects Firefox ESR 24.7, ESR 31 and Firefox 31. (CVE-2014-1562) Christian Holler, Jan de Mooij, Karl Tomlinson, Randell Jesup, Gary Kwong, Jesse Ruderman, and JW Wang reported memory safety problems and crashes that affect Firefox ESR 31 and Firefox 31. (CVE-2014-1553) Gary Kwong, Christian Holler, and David Weir reported memory safety problems and crashes that affect Firefox 31. (CVE-2014-1554) Mozilla NSS was updated to 3.16.4: Notable Changes : - The following 1024-bit root CA certificate was restored to allow more time to develop a better transition strategy for affected sites. It was removed in NSS 3.16.3, but discussion in the mozilla.dev.security.policy forum led to the decision to keep this root included longer in order to give website administrators more time to update their web servers. - CN = GTE CyberTrust Global Root - In NSS 3.16.3, the 1024-bit 'Entrust.net Secure Server Certification Authority' root CA certificate was removed. In NSS 3.16.4, a 2048-bit intermediate CA certificate has been included, without explicit trust. The intention is to mitigate the effects of the previous removal of the 1024-bit Entrust.net root certificate, because many public Internet sites still use the 'USERTrust Legacy Secure Server CA' intermediate certificate that is signed by the 1024-bit Entrust.net root certificate. The inclusion of the intermediate certificate is a temporary measure to allow those sites to function, by allowing them to find a trust path to another 2048-bit root CA certificate. The temporarily included intermediate certificate expires November 1, 2015." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=894201" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=894370" ); script_set_attribute( attribute:"see_also", value:"https://lists.opensuse.org/opensuse-updates/2014-09/msg00011.html" ); script_set_attribute( attribute:"solution", value:"Update the affected MozillaFirefox packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-branding-upstream"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-buildsymbols"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-translations-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-translations-other"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libfreebl3"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libfreebl3-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libfreebl3-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libfreebl3-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libsoftokn3"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libsoftokn3-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libsoftokn3-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libsoftokn3-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss-certs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss-certs-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss-certs-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss-certs-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss-sysinit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss-sysinit-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss-sysinit-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss-sysinit-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss-tools"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss-tools-debuginfo"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:12.3"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:13.1"); script_set_attribute(attribute:"patch_publication_date", value:"2014/09/08"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/09/11"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE12\.3|SUSE13\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "12.3 / 13.1", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE12.3", reference:"MozillaFirefox-31.1.0-1.86.1") ) flag++; if ( rpm_check(release:"SUSE12.3", reference:"MozillaFirefox-branding-upstream-31.1.0-1.86.1") ) flag++; if ( rpm_check(release:"SUSE12.3", reference:"MozillaFirefox-buildsymbols-31.1.0-1.86.1") ) flag++; if ( rpm_check(release:"SUSE12.3", reference:"MozillaFirefox-debuginfo-31.1.0-1.86.1") ) flag++; if ( rpm_check(release:"SUSE12.3", reference:"MozillaFirefox-debugsource-31.1.0-1.86.1") ) flag++; if ( rpm_check(release:"SUSE12.3", reference:"MozillaFirefox-devel-31.1.0-1.86.1") ) flag++; if ( rpm_check(release:"SUSE12.3", reference:"MozillaFirefox-translations-common-31.1.0-1.86.1") ) flag++; if ( rpm_check(release:"SUSE12.3", reference:"MozillaFirefox-translations-other-31.1.0-1.86.1") ) flag++; if ( rpm_check(release:"SUSE12.3", reference:"libfreebl3-3.16.4-1.51.1") ) flag++; if ( rpm_check(release:"SUSE12.3", reference:"libfreebl3-debuginfo-3.16.4-1.51.1") ) flag++; if ( rpm_check(release:"SUSE12.3", reference:"libsoftokn3-3.16.4-1.51.1") ) flag++; if ( rpm_check(release:"SUSE12.3", reference:"libsoftokn3-debuginfo-3.16.4-1.51.1") ) flag++; if ( rpm_check(release:"SUSE12.3", reference:"mozilla-nss-3.16.4-1.51.1") ) flag++; if ( rpm_check(release:"SUSE12.3", reference:"mozilla-nss-certs-3.16.4-1.51.1") ) flag++; if ( rpm_check(release:"SUSE12.3", reference:"mozilla-nss-certs-debuginfo-3.16.4-1.51.1") ) flag++; if ( rpm_check(release:"SUSE12.3", reference:"mozilla-nss-debuginfo-3.16.4-1.51.1") ) flag++; if ( rpm_check(release:"SUSE12.3", reference:"mozilla-nss-debugsource-3.16.4-1.51.1") ) flag++; if ( rpm_check(release:"SUSE12.3", reference:"mozilla-nss-devel-3.16.4-1.51.1") ) flag++; if ( rpm_check(release:"SUSE12.3", reference:"mozilla-nss-sysinit-3.16.4-1.51.1") ) flag++; if ( rpm_check(release:"SUSE12.3", reference:"mozilla-nss-sysinit-debuginfo-3.16.4-1.51.1") ) flag++; if ( rpm_check(release:"SUSE12.3", reference:"mozilla-nss-tools-3.16.4-1.51.1") ) flag++; if ( rpm_check(release:"SUSE12.3", reference:"mozilla-nss-tools-debuginfo-3.16.4-1.51.1") ) flag++; if ( rpm_check(release:"SUSE12.3", cpu:"x86_64", reference:"libfreebl3-32bit-3.16.4-1.51.1") ) flag++; if ( rpm_check(release:"SUSE12.3", cpu:"x86_64", reference:"libfreebl3-debuginfo-32bit-3.16.4-1.51.1") ) flag++; if ( rpm_check(release:"SUSE12.3", cpu:"x86_64", reference:"libsoftokn3-32bit-3.16.4-1.51.1") ) flag++; if ( rpm_check(release:"SUSE12.3", cpu:"x86_64", reference:"libsoftokn3-debuginfo-32bit-3.16.4-1.51.1") ) flag++; if ( rpm_check(release:"SUSE12.3", cpu:"x86_64", reference:"mozilla-nss-32bit-3.16.4-1.51.1") ) flag++; if ( rpm_check(release:"SUSE12.3", cpu:"x86_64", reference:"mozilla-nss-certs-32bit-3.16.4-1.51.1") ) flag++; if ( rpm_check(release:"SUSE12.3", cpu:"x86_64", reference:"mozilla-nss-certs-debuginfo-32bit-3.16.4-1.51.1") ) flag++; if ( rpm_check(release:"SUSE12.3", cpu:"x86_64", reference:"mozilla-nss-debuginfo-32bit-3.16.4-1.51.1") ) flag++; if ( rpm_check(release:"SUSE12.3", cpu:"x86_64", reference:"mozilla-nss-sysinit-32bit-3.16.4-1.51.1") ) flag++; if ( rpm_check(release:"SUSE12.3", cpu:"x86_64", reference:"mozilla-nss-sysinit-debuginfo-32bit-3.16.4-1.51.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"MozillaFirefox-31.1.0-42.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"MozillaFirefox-branding-upstream-31.1.0-42.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"MozillaFirefox-buildsymbols-31.1.0-42.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"MozillaFirefox-debuginfo-31.1.0-42.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"MozillaFirefox-debugsource-31.1.0-42.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"MozillaFirefox-devel-31.1.0-42.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"MozillaFirefox-translations-common-31.1.0-42.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"MozillaFirefox-translations-other-31.1.0-42.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"libfreebl3-3.16.4-35.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"libfreebl3-debuginfo-3.16.4-35.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"libsoftokn3-3.16.4-35.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"libsoftokn3-debuginfo-3.16.4-35.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"mozilla-nss-3.16.4-35.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"mozilla-nss-certs-3.16.4-35.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"mozilla-nss-certs-debuginfo-3.16.4-35.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"mozilla-nss-debuginfo-3.16.4-35.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"mozilla-nss-debugsource-3.16.4-35.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"mozilla-nss-devel-3.16.4-35.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"mozilla-nss-sysinit-3.16.4-35.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"mozilla-nss-sysinit-debuginfo-3.16.4-35.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"mozilla-nss-tools-3.16.4-35.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"mozilla-nss-tools-debuginfo-3.16.4-35.1") ) flag++; if ( rpm_check(release:"SUSE13.1", cpu:"x86_64", reference:"libfreebl3-32bit-3.16.4-35.1") ) flag++; if ( rpm_check(release:"SUSE13.1", cpu:"x86_64", reference:"libfreebl3-debuginfo-32bit-3.16.4-35.1") ) flag++; if ( rpm_check(release:"SUSE13.1", cpu:"x86_64", reference:"libsoftokn3-32bit-3.16.4-35.1") ) flag++; if ( rpm_check(release:"SUSE13.1", cpu:"x86_64", reference:"libsoftokn3-debuginfo-32bit-3.16.4-35.1") ) flag++; if ( rpm_check(release:"SUSE13.1", cpu:"x86_64", reference:"mozilla-nss-32bit-3.16.4-35.1") ) flag++; if ( rpm_check(release:"SUSE13.1", cpu:"x86_64", reference:"mozilla-nss-certs-32bit-3.16.4-35.1") ) flag++; if ( rpm_check(release:"SUSE13.1", cpu:"x86_64", reference:"mozilla-nss-certs-debuginfo-32bit-3.16.4-35.1") ) flag++; if ( rpm_check(release:"SUSE13.1", cpu:"x86_64", reference:"mozilla-nss-debuginfo-32bit-3.16.4-35.1") ) flag++; if ( rpm_check(release:"SUSE13.1", cpu:"x86_64", reference:"mozilla-nss-sysinit-32bit-3.16.4-35.1") ) flag++; if ( rpm_check(release:"SUSE13.1", cpu:"x86_64", reference:"mozilla-nss-sysinit-debuginfo-32bit-3.16.4-35.1") ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "MozillaFirefox"); }NASL family Windows NASL id MOZILLA_FIREFOX_31_1_ESR.NASL description The version of Firefox ESR 31.x installed on the remote host is prior to 31.1. It is, therefore, affected by the following vulnerabilities : - Multiple memory safety flaws exist within the browser engine. Exploiting these, an attacker can cause a denial of service or execute arbitrary code. (CVE-2014-1553, CVE-2014-1562) - A use-after-free vulnerability exists due to improper cycle collection when processing animated SVG content. A remote attacker can exploit this to cause a denial of service or execute arbitrary code. (CVE-2014-1563) - Memory is not properly initialized during GIF rendering. Using a specially crafted web script, a remote attacker can exploit this to acquire sensitive information from the process memory. (CVE-2014-1564) - The Web Audio API contains a flaw where audio timelines are properly created. Using specially crafted API calls, a remote attacker can exploit this to acquire sensitive information from the process memory or cause a denial of service. (CVE-2014-1565) - A use-after-free vulnerability exists due to improper handling of text layout in directionality resolution. A remote attacker can exploit this to execute arbitrary code. (CVE-2014-1567) last seen 2020-06-01 modified 2020-06-02 plugin id 77499 published 2014-09-03 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/77499 title Firefox ESR 31.x < 31.1 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(77499); script_version("1.9"); script_cvs_date("Date: 2019/11/25"); script_cve_id( "CVE-2014-1553", "CVE-2014-1562", "CVE-2014-1563", "CVE-2014-1564", "CVE-2014-1565", "CVE-2014-1567" ); script_bugtraq_id( 69519, 69520, 69521, 69523, 69524, 69525 ); script_name(english:"Firefox ESR 31.x < 31.1 Multiple Vulnerabilities"); script_summary(english:"Checks the version of Firefox."); script_set_attribute(attribute:"synopsis", value: "The remote Windows host contains a web browser that is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The version of Firefox ESR 31.x installed on the remote host is prior to 31.1. It is, therefore, affected by the following vulnerabilities : - Multiple memory safety flaws exist within the browser engine. Exploiting these, an attacker can cause a denial of service or execute arbitrary code. (CVE-2014-1553, CVE-2014-1562) - A use-after-free vulnerability exists due to improper cycle collection when processing animated SVG content. A remote attacker can exploit this to cause a denial of service or execute arbitrary code. (CVE-2014-1563) - Memory is not properly initialized during GIF rendering. Using a specially crafted web script, a remote attacker can exploit this to acquire sensitive information from the process memory. (CVE-2014-1564) - The Web Audio API contains a flaw where audio timelines are properly created. Using specially crafted API calls, a remote attacker can exploit this to acquire sensitive information from the process memory or cause a denial of service. (CVE-2014-1565) - A use-after-free vulnerability exists due to improper handling of text layout in directionality resolution. A remote attacker can exploit this to execute arbitrary code. (CVE-2014-1567)"); script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/archive/1/533357/30/0/threaded"); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/security/announce/2014/mfsa2014-67.html"); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/security/announce/2014/mfsa2014-68.html"); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/security/announce/2014/mfsa2014-69.html"); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/security/announce/2014/mfsa2014-70.html"); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/security/announce/2014/mfsa2014-72.html"); script_set_attribute(attribute:"solution", value: "Upgrade to Firefox ESR 31.1 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-1563"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2014/09/02"); script_set_attribute(attribute:"patch_publication_date", value:"2014/09/02"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/09/03"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:mozilla:firefox_esr"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("mozilla_org_installed.nasl"); script_require_keys("Mozilla/Firefox/Version"); exit(0); } include("mozilla_version.inc"); port = get_kb_item("SMB/transport"); if (!port) port = 445; installs = get_kb_list("SMB/Mozilla/Firefox/*"); if (isnull(installs)) audit(AUDIT_NOT_INST, "Firefox"); mozilla_check_version(installs:installs, product:'firefox', esr:TRUE, fix:'31.1', min:'31.0', severity:SECURITY_HOLE, xss:FALSE);NASL family Windows NASL id MOZILLA_FIREFOX_32.NASL description The version of Firefox installed on the remote host is a version prior to 32.0. It is, therefore, affected by the following vulnerabilities : - Multiple memory safety flaws exist within the browser engine. Exploiting these, an attacker can cause a denial of service or execute arbitrary code. (CVE-2014-1553, CVE-2014-1554, CVE-2014-1562) - A use-after-free vulnerability exists due to improper cycle collection when processing animated SVG content. A remote attacker can exploit this to cause a denial of service or execute arbitrary code. (CVE-2014-1563) - Memory is not properly initialized during GIF rendering. Using a specially crafted web script, a remote attacker can exploit this to acquire sensitive information from the process memory. (CVE-2014-1564) - The Web Audio API contains a flaw where audio timelines are properly created. Using specially crafted API calls, a remote attacker can exploit this to acquire sensitive information from the process memory or cause a denial of service. (CVE-2014-1565) - A use-after-free vulnerability exists due to improper handling of text layout in directionality resolution. A remote attacker can exploit this to execute arbitrary code. (CVE-2014-1567) last seen 2020-06-01 modified 2020-06-02 plugin id 77500 published 2014-09-03 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/77500 title Firefox < 32.0 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(77500); script_version("1.8"); script_cvs_date("Date: 2019/11/25"); script_cve_id( "CVE-2014-1553", "CVE-2014-1554", "CVE-2014-1562", "CVE-2014-1563", "CVE-2014-1564", "CVE-2014-1565", "CVE-2014-1567" ); script_bugtraq_id( 69519, 69520, 69521, 69523, 69524, 69525, 69526 ); script_name(english:"Firefox < 32.0 Multiple Vulnerabilities"); script_summary(english:"Checks the version of Firefox."); script_set_attribute(attribute:"synopsis", value: "The remote Windows host contains a web browser that is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The version of Firefox installed on the remote host is a version prior to 32.0. It is, therefore, affected by the following vulnerabilities : - Multiple memory safety flaws exist within the browser engine. Exploiting these, an attacker can cause a denial of service or execute arbitrary code. (CVE-2014-1553, CVE-2014-1554, CVE-2014-1562) - A use-after-free vulnerability exists due to improper cycle collection when processing animated SVG content. A remote attacker can exploit this to cause a denial of service or execute arbitrary code. (CVE-2014-1563) - Memory is not properly initialized during GIF rendering. Using a specially crafted web script, a remote attacker can exploit this to acquire sensitive information from the process memory. (CVE-2014-1564) - The Web Audio API contains a flaw where audio timelines are properly created. Using specially crafted API calls, a remote attacker can exploit this to acquire sensitive information from the process memory or cause a denial of service. (CVE-2014-1565) - A use-after-free vulnerability exists due to improper handling of text layout in directionality resolution. A remote attacker can exploit this to execute arbitrary code. (CVE-2014-1567)"); script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/archive/1/533357/30/0/threaded"); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/security/announce/2014/mfsa2014-67.html"); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/security/announce/2014/mfsa2014-68.html"); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/security/announce/2014/mfsa2014-69.html"); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/security/announce/2014/mfsa2014-70.html"); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2014-71/"); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/security/announce/2014/mfsa2014-72.html"); script_set_attribute(attribute:"solution", value: "Upgrade to Firefox 32.0 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-1563"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2014/09/02"); script_set_attribute(attribute:"patch_publication_date", value:"2014/09/02"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/09/03"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:mozilla:firefox"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("mozilla_org_installed.nasl"); script_require_keys("Mozilla/Firefox/Version"); exit(0); } include("mozilla_version.inc"); port = get_kb_item("SMB/transport"); if (!port) port = 445; installs = get_kb_list("SMB/Mozilla/Firefox/*"); if (isnull(installs)) audit(AUDIT_NOT_INST, "Firefox"); mozilla_check_version(installs:installs, product:'firefox', esr:FALSE, fix:'32.0', severity:SECURITY_HOLE, xss:FALSE);NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-2330-1.NASL description Jan de Mooij, Christian Holler, Karl Tomlinson, Randell Jesup, Gary Kwong, Jesse Ruderman and JW Wang discovered multiple memory safety issues in Thunderbird. If a user were tricked in to opening a specially crafted message with scripting enabled, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Thunderbird. (CVE-2014-1553, CVE-2014-1562) Abhishek Arya discovered a use-after-free during DOM interactions with SVG. If a user were tricked in to opening a specially crafted message with scripting enabled, an attacker could potentially exploit this to cause a denial of service via application crash or execute arbitrary code with the privileges of the user invoking Thunderbird. (CVE-2014-1563) Michal Zalewski discovered that memory is not initialized properly during GIF rendering in some circumstances. If a user were tricked in to opening a specially crafted message, an attacker could potentially exploit this to steal confidential information. (CVE-2014-1564) Holger Fuhrmannek discovered an out-of-bounds read in Web Audio. If a user were tricked in to opening a specially crafted message with scripting enabled, an attacker could potentially exploit this to cause a denial of service via application crash or steal confidential information. (CVE-2014-1565) A use-after-free was discovered during text layout in some circumstances. If a user were tricked in to opening a specially crafted message with scripting enabled, an attacker could potentially exploit this to cause a denial of service via application crash or execute arbitrary code with the privileges of the user invoking Thunderbird. (CVE-2014-1567). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 77664 published 2014-09-12 reporter Ubuntu Security Notice (C) 2014-2019 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/77664 title Ubuntu 12.04 LTS / 14.04 LTS : thunderbird vulnerabilities (USN-2330-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-2330-1. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(77664); script_version("1.13"); script_cvs_date("Date: 2019/09/19 12:54:30"); script_cve_id("CVE-2014-1553", "CVE-2014-1562", "CVE-2014-1563", "CVE-2014-1564", "CVE-2014-1565", "CVE-2014-1567"); script_bugtraq_id(69519, 69520, 69521, 69523, 69524, 69525); script_xref(name:"USN", value:"2330-1"); script_name(english:"Ubuntu 12.04 LTS / 14.04 LTS : thunderbird vulnerabilities (USN-2330-1)"); script_summary(english:"Checks dpkg output for updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Ubuntu host is missing a security-related patch." ); script_set_attribute( attribute:"description", value: "Jan de Mooij, Christian Holler, Karl Tomlinson, Randell Jesup, Gary Kwong, Jesse Ruderman and JW Wang discovered multiple memory safety issues in Thunderbird. If a user were tricked in to opening a specially crafted message with scripting enabled, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Thunderbird. (CVE-2014-1553, CVE-2014-1562) Abhishek Arya discovered a use-after-free during DOM interactions with SVG. If a user were tricked in to opening a specially crafted message with scripting enabled, an attacker could potentially exploit this to cause a denial of service via application crash or execute arbitrary code with the privileges of the user invoking Thunderbird. (CVE-2014-1563) Michal Zalewski discovered that memory is not initialized properly during GIF rendering in some circumstances. If a user were tricked in to opening a specially crafted message, an attacker could potentially exploit this to steal confidential information. (CVE-2014-1564) Holger Fuhrmannek discovered an out-of-bounds read in Web Audio. If a user were tricked in to opening a specially crafted message with scripting enabled, an attacker could potentially exploit this to cause a denial of service via application crash or steal confidential information. (CVE-2014-1565) A use-after-free was discovered during text layout in some circumstances. If a user were tricked in to opening a specially crafted message with scripting enabled, an attacker could potentially exploit this to cause a denial of service via application crash or execute arbitrary code with the privileges of the user invoking Thunderbird. (CVE-2014-1567). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://usn.ubuntu.com/2330-1/" ); script_set_attribute( attribute:"solution", value:"Update the affected thunderbird package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:thunderbird"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:12.04:-:lts"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04"); script_set_attribute(attribute:"vuln_publication_date", value:"2014/09/03"); script_set_attribute(attribute:"patch_publication_date", value:"2014/09/11"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/09/12"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2014-2019 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("misc_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! preg(pattern:"^(12\.04|14\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 12.04 / 14.04", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); flag = 0; if (ubuntu_check(osver:"12.04", pkgname:"thunderbird", pkgver:"1:31.1.1+build1-0ubuntu0.12.04.1")) flag++; if (ubuntu_check(osver:"14.04", pkgname:"thunderbird", pkgver:"1:31.1.1+build1-0ubuntu0.14.04.1")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "thunderbird"); }NASL family MacOS X Local Security Checks NASL id MACOSX_THUNDERBIRD_31_1.NASL description The version of Thunderbird installed on the remote Mac OS X host is a version prior to 31.1. It is, therefore, affected by the following vulnerabilities : - Multiple memory safety flaws exist within the browser engine. Exploiting these, an attacker can cause a denial of service or execute arbitrary code. (CVE-2014-1553, CVE-2014-1562) - A use-after-free vulnerability exists due to improper cycle collection when processing animated SVG content. A remote attacker can exploit this to cause a denial of service or execute arbitrary code. (CVE-2014-1563) - Memory is not properly initialized during GIF rendering. Using a specially crafted web script, a remote attacker can exploit this to acquire sensitive information from the process memory. (CVE-2014-1564) - The Web Audio API contains a flaw where audio timelines are properly created. Using specially crafted API calls, a remote attacker can exploit this to acquire sensitive information from the process memory or cause a denial of service. (CVE-2014-1565) - A use-after-free vulnerability exists due to improper handling of text layout in directionality resolution. A remote attacker can exploit this to execute arbitrary code. (CVE-2014-1567) last seen 2020-06-01 modified 2020-06-02 plugin id 77497 published 2014-09-03 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/77497 title Mozilla Thunderbird < 31.1 Multiple Vulnerabilities (Mac OS X) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(77497); script_version("1.8"); script_cvs_date("Date: 2019/11/25"); script_cve_id( "CVE-2014-1553", "CVE-2014-1562", "CVE-2014-1563", "CVE-2014-1564", "CVE-2014-1565", "CVE-2014-1567" ); script_bugtraq_id( 69519, 69520, 69521, 69523, 69524, 69525 ); script_name(english:"Mozilla Thunderbird < 31.1 Multiple Vulnerabilities (Mac OS X)"); script_summary(english:"Checks the version of Thunderbird."); script_set_attribute(attribute:"synopsis", value: "The remote Mac OS X host contains a mail client that is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The version of Thunderbird installed on the remote Mac OS X host is a version prior to 31.1. It is, therefore, affected by the following vulnerabilities : - Multiple memory safety flaws exist within the browser engine. Exploiting these, an attacker can cause a denial of service or execute arbitrary code. (CVE-2014-1553, CVE-2014-1562) - A use-after-free vulnerability exists due to improper cycle collection when processing animated SVG content. A remote attacker can exploit this to cause a denial of service or execute arbitrary code. (CVE-2014-1563) - Memory is not properly initialized during GIF rendering. Using a specially crafted web script, a remote attacker can exploit this to acquire sensitive information from the process memory. (CVE-2014-1564) - The Web Audio API contains a flaw where audio timelines are properly created. Using specially crafted API calls, a remote attacker can exploit this to acquire sensitive information from the process memory or cause a denial of service. (CVE-2014-1565) - A use-after-free vulnerability exists due to improper handling of text layout in directionality resolution. A remote attacker can exploit this to execute arbitrary code. (CVE-2014-1567)"); script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/archive/1/533357/30/0/threaded"); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/security/announce/2014/mfsa2014-67.html"); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/security/announce/2014/mfsa2014-68.html"); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/security/announce/2014/mfsa2014-69.html"); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/security/announce/2014/mfsa2014-70.html"); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/security/announce/2014/mfsa2014-72.html"); script_set_attribute(attribute:"solution", value: "Upgrade to Thunderbird 31.1 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-1563"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2014/09/02"); script_set_attribute(attribute:"patch_publication_date", value:"2014/09/02"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/09/03"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:mozilla:thunderbird"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"MacOS X Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("macosx_thunderbird_installed.nasl"); script_require_keys("MacOSX/Thunderbird/Installed"); exit(0); } include("mozilla_version.inc"); kb_base = "MacOSX/Thunderbird"; get_kb_item_or_exit(kb_base+"/Installed"); version = get_kb_item_or_exit(kb_base+"/Version", exit_code:1); path = get_kb_item_or_exit(kb_base+"/Path", exit_code:1); if (get_kb_item(kb_base + '/is_esr')) exit(0, 'The Mozilla Thunderbird install is in the ESR branch.'); mozilla_check_version(product:'thunderbird', version:version, path:path, esr:FALSE, fix:'31.1', min:'31.0', severity:SECURITY_HOLE, xss:FALSE);NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-2329-1.NASL description Jan de Mooij, Christian Holler, Karl Tomlinson, Randell Jesup, Gary Kwong, Jesse Ruderman, JW Wang and David Weir discovered multiple memory safety issues in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2014-1553, CVE-2014-1554, CVE-2014-1562) Abhishek Arya discovered a use-after-free during DOM interactions with SVG. If a user were tricked in to opening a specially crafted page, an attacker could potentially exploit this to cause a denial of service via application crash or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2014-1563) Michal Zalewski discovered that memory is not initialized properly during GIF rendering in some circumstances. If a user were tricked in to opening a specially crafted page, an attacker could potentially exploit this to steal confidential information. (CVE-2014-1564) Holger Fuhrmannek discovered an out-of-bounds read in Web Audio. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash or steal confidential information. (CVE-2014-1565) A use-after-free was discovered during text layout in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2014-1567). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 77486 published 2014-09-03 reporter Ubuntu Security Notice (C) 2014-2019 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/77486 title Ubuntu 12.04 LTS / 14.04 LTS : firefox vulnerabilities (USN-2329-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-2329-1. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(77486); script_version("1.12"); script_cvs_date("Date: 2019/09/19 12:54:30"); script_cve_id("CVE-2014-1553", "CVE-2014-1554", "CVE-2014-1562", "CVE-2014-1563", "CVE-2014-1564", "CVE-2014-1565", "CVE-2014-1567"); script_bugtraq_id(69519, 69520, 69521, 69523, 69524, 69525, 69526); script_xref(name:"USN", value:"2329-1"); script_name(english:"Ubuntu 12.04 LTS / 14.04 LTS : firefox vulnerabilities (USN-2329-1)"); script_summary(english:"Checks dpkg output for updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Ubuntu host is missing a security-related patch." ); script_set_attribute( attribute:"description", value: "Jan de Mooij, Christian Holler, Karl Tomlinson, Randell Jesup, Gary Kwong, Jesse Ruderman, JW Wang and David Weir discovered multiple memory safety issues in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2014-1553, CVE-2014-1554, CVE-2014-1562) Abhishek Arya discovered a use-after-free during DOM interactions with SVG. If a user were tricked in to opening a specially crafted page, an attacker could potentially exploit this to cause a denial of service via application crash or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2014-1563) Michal Zalewski discovered that memory is not initialized properly during GIF rendering in some circumstances. If a user were tricked in to opening a specially crafted page, an attacker could potentially exploit this to steal confidential information. (CVE-2014-1564) Holger Fuhrmannek discovered an out-of-bounds read in Web Audio. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash or steal confidential information. (CVE-2014-1565) A use-after-free was discovered during text layout in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2014-1567). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://usn.ubuntu.com/2329-1/" ); script_set_attribute( attribute:"solution", value:"Update the affected firefox package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:firefox"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:12.04:-:lts"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04"); script_set_attribute(attribute:"vuln_publication_date", value:"2014/09/03"); script_set_attribute(attribute:"patch_publication_date", value:"2014/09/02"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/09/03"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2014-2019 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("misc_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! preg(pattern:"^(12\.04|14\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 12.04 / 14.04", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); flag = 0; if (ubuntu_check(osver:"12.04", pkgname:"firefox", pkgver:"32.0+build1-0ubuntu0.12.04.1")) flag++; if (ubuntu_check(osver:"14.04", pkgname:"firefox", pkgver:"32.0+build1-0ubuntu0.14.04.1")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "firefox"); }NASL family MacOS X Local Security Checks NASL id MACOSX_FIREFOX_31_1_ESR.NASL description The version of Firefox ESR 31.x installed on the remote Mac OS X host is prior to 31.1. It is, therefore, affected by the following vulnerabilities : - Multiple memory safety flaws exist within the browser engine. Exploiting these, an attacker can cause a denial of service or execute arbitrary code. (CVE-2014-1553, CVE-2014-1562) - A use-after-free vulnerability exists due to improper cycle collection when processing animated SVG content. A remote attacker can exploit this to cause a denial of service or execute arbitrary code. (CVE-2014-1563) - Memory is not properly initialized during GIF rendering. Using a specially crafted web script, a remote attacker can exploit this to acquire sensitive information from the process memory. (CVE-2014-1564) - The Web Audio API contains a flaw where audio timelines are properly created. Using specially crafted API calls, a remote attacker can exploit this to acquire sensitive information from the process memory or cause a denial of service. (CVE-2014-1565) - A use-after-free vulnerability exists due to improper handling of text layout in directionality resolution. A remote attacker can exploit this to execute arbitrary code. (CVE-2014-1567) last seen 2020-06-01 modified 2020-06-02 plugin id 77494 published 2014-09-03 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/77494 title Firefox ESR 31.x < 31.1 Multiple Vulnerabilities (Mac OS X) NASL family MacOS X Local Security Checks NASL id MACOSX_FIREFOX_32.NASL description The version of Firefox installed on the remote Mac OS X host is a version prior to 32.0. It is, therefore, affected by the following vulnerabilities : - Multiple memory safety flaws exist within the browser engine. Exploiting these, an attacker can cause a denial of service or execute arbitrary code. (CVE-2014-1553, CVE-2014-1554, CVE-2014-1562) - A use-after-free vulnerability exists due to improper cycle collection when processing animated SVG content. A remote attacker can exploit this to cause a denial of service or execute arbitrary code. (CVE-2014-1563) - Memory is not properly initialized during GIF rendering. Using a specially crafted web script, a remote attacker can exploit this to acquire sensitive information from the process memory. (CVE-2014-1564) - The Web Audio API contains a flaw where audio timelines are properly created. Using specially crafted API calls, a remote attacker can exploit this to acquire sensitive information from the process memory or cause a denial of service. (CVE-2014-1565) - A use-after-free vulnerability exists due to improper handling of text layout in directionality resolution. A remote attacker can exploit this to execute arbitrary code. (CVE-2014-1567) last seen 2020-06-01 modified 2020-06-02 plugin id 77495 published 2014-09-03 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/77495 title Firefox < 32.0 Multiple Vulnerabilities (Mac OS X)
References
- http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00003.html
- http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00024.html
- http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00031.html
- http://lists.opensuse.org/opensuse-updates/2014-09/msg00011.html
- http://secunia.com/advisories/60148
- http://secunia.com/advisories/61114
- http://www.mozilla.org/security/announce/2014/mfsa2014-70.html
- http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
- http://www.securityfocus.com/bid/69521
- http://www.securitytracker.com/id/1030793
- http://www.securitytracker.com/id/1030794
- https://bugzilla.mozilla.org/show_bug.cgi?id=1047831
- https://security.gentoo.org/glsa/201504-01