Vulnerabilities > CVE-2017-7760 - Channel and Path Errors vulnerability in Mozilla Firefox

047910
CVSS 7.8 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
local
low complexity
mozilla
CWE-417
nessus
NVD
Published: 2018-06-11
Updated: 2018-08-14

Summary

The Mozilla Windows updater modifies some files to be updated by reading the original file and applying changes to it. The location of the original file can be altered by a malicious user by passing a special path to the callback parameter through the Mozilla Maintenance Service, allowing the manipulation of files in the installation directory and privilege escalation by manipulating the Mozilla Maintenance Service, which has privileged access. Note: This attack requires local system access and only affects Windows. Other operating systems are not affected. This vulnerability affects Firefox ESR < 52.2 and Firefox < 54.

Vulnerable Configurations

Part Description Count
Application
Mozilla
614
OS
Microsoft
1

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_FIREFOX_52_2_ESR.NASL
    descriptionThe version of Mozilla Firefox ESR installed on the remote macOS or Mac OS X host is prior to 52.2. It is, therefore, affected by multiple vulnerabilities : - Multiple memory corruption issues exist that allow an unauthenticated, remote attacker to execute arbitrary code by convincing a user to visit a specially crafted website. (CVE-2017-5470) - A use-after-free error exists in the EndUpdate() function in nsCSSFrameConstructor.cpp that is triggered when reconstructing trees during regeneration of CSS layouts. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-5472) - A use-after-free error exists in the Reload() function in nsDocShell.cpp that is triggered when using an incorrect URL during the reload of a docshell. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7749) - A use-after-free error exists in the Hide() function in nsDocumentViewer.cpp that is triggered when handling track elements. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7750) - A use-after-free error exists in the nsDocumentViewer class in nsDocumentViewer.cpp that is triggered when handling content viewer listeners. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7751) - A use-after-free error exists that is triggered when handling events while specific user interaction occurs with the input method editor (IME). An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7752) - An out-of-bounds read error exists in the IsComplete() function in WebGLTexture.cpp that is triggered when handling textures. An unauthenticated, remote attacker can exploit this to disclose memory contents. (CVE-2017-7754) - A privilege escalation vulnerability exists due to improper loading of dynamic-link library (DLL) files. A local attacker can exploit this, via a specially crafted DLL file in the installation path, to inject and execute arbitrary code. (CVE-2017-7755) - A use-after-free error exists in the SetRequestHead() function in XMLHttpRequestMainThread.cpp that is triggered when logging XML HTTP Requests (XHR). An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7756) - A use-after-free error exists in ActorsParent.cpp due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7757) - An out-of-bounds read error exists in the AppendAudioSegment() function in TrackEncoder.cpp that is triggered when the number of channels in an audio stream changes while the Opus encoder is in use. An unauthenticated, remote attacker can exploit this to disclose sensitive information. (CVE-2017-7758) - A flaw exists in the NS_main() function in updater.cpp due to improper validation of input when handling callback file path parameters. A local attacker can exploit this to manipulate files in the installation directory. (CVE-2017-7760) - A flaw exists in the Maintenance Service helper.exe application that is triggered as permissions for a temporary directory are set to writable by non-privileged users. A local attacker can exploit this to delete arbitrary files on the system. (CVE-2017-7761) - A flaw exists in the ReadCMAP() function in gfxMacPlatformFontList.mm that is triggered when handling tibetan characters in combination with macOS fonts. An unauthenticated, remote attacker can exploit this, via a specially crafted IDN domain, to spoof a valid URL. (CVE-2017-7763) - A flaw exists in the isLabelSafe() function in nsIDNService.cpp that is triggered when handling characters from different unicode blocks. An unauthenticated, remote attacker can exploit this, via a specially crafted IDN domain, to spoof a valid URL and conduct phishing attacks. (CVE-2017-7764) - Multiple integer overflow conditions exist in the Graphite component in the decompress() function in Decompressor.cpp due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7772, CVE-2017-7773, CVE-2017-7778) - An out-of-bounds read error exists in the Graphite component in the readGraphite() function in Silf.cpp. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or disclose memory contents. (CVE-2017-7774) - An assertion flaw exists in the Graphite component when handling zero value sizes. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2017-7775) - An out-of-bounds read error exists in the Graphite component in getClassGlyph() function in Silf.cpp due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2017-7776) - A flaw exists in the Graphite component in the read_glyph() function in GlyphCache.cpp related to use of uninitialized memory. An unauthenticated, remote attacker can exploit this to have an unspecified impact. (CVE-2017-7777)
    last seen2020-06-01
    modified2020-06-02
    plugin id100807
    published2017-06-15
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/100807
    titleMozilla Firefox ESR < 52.2 Multiple Vulnerabilities (macOS)
    code
    #
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(100807);
  script_version("1.5");
  script_cvs_date("Date: 2019/11/13");

  script_cve_id(
    "CVE-2017-5470",
    "CVE-2017-5472",
    "CVE-2017-7749",
    "CVE-2017-7750",
    "CVE-2017-7751",
    "CVE-2017-7752",
    "CVE-2017-7754",
    "CVE-2017-7755",
    "CVE-2017-7756",
    "CVE-2017-7757",
    "CVE-2017-7758",
    "CVE-2017-7760",
    "CVE-2017-7761",
    "CVE-2017-7763",
    "CVE-2017-7764",
    "CVE-2017-7772",
    "CVE-2017-7773",
    "CVE-2017-7774",
    "CVE-2017-7775",
    "CVE-2017-7776",
    "CVE-2017-7777",
    "CVE-2017-7778"
  );
  script_bugtraq_id(99040, 99041, 99057);
  script_xref(name:"MFSA", value:"2017-16");

  script_name(english:"Mozilla Firefox ESR < 52.2 Multiple Vulnerabilities (macOS)");
  script_summary(english:"Checks the version of Firefox.");

  script_set_attribute(attribute:"synopsis", value:
"A web browser installed on the remote macOS or Mac OS X host is
affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Mozilla Firefox ESR installed on the remote macOS or
Mac OS X host is prior to 52.2. It is, therefore, affected by multiple
vulnerabilities :

  - Multiple memory corruption issues exist that allow an
    unauthenticated, remote attacker to execute arbitrary
    code by convincing a user to visit a specially crafted
    website. (CVE-2017-5470)

  - A use-after-free error exists in the EndUpdate()
    function in nsCSSFrameConstructor.cpp that is triggered
    when reconstructing trees during regeneration of CSS
    layouts. An unauthenticated, remote attacker can exploit
    this, by convincing a user to visit a specially crafted
    website, to cause a denial of service condition or the
    execution of arbitrary code. (CVE-2017-5472)

  - A use-after-free error exists in the Reload() function
    in nsDocShell.cpp that is triggered when using an
    incorrect URL during the reload of a docshell. An
    unauthenticated, remote attacker can exploit this to
    cause a denial of service condition or the execution of
    arbitrary code. (CVE-2017-7749)

  - A use-after-free error exists in the Hide() function in
    nsDocumentViewer.cpp that is triggered when handling
    track elements. An unauthenticated, remote attacker can
    exploit this to cause a denial of service condition or
    the execution of arbitrary code. (CVE-2017-7750)

  - A use-after-free error exists in the nsDocumentViewer
    class in nsDocumentViewer.cpp that is triggered when
    handling content viewer listeners. An unauthenticated,
    remote attacker can exploit this to cause a denial of
    service condition or the execution of arbitrary code.
    (CVE-2017-7751)

  - A use-after-free error exists that is triggered when
    handling events while specific user interaction occurs
    with the input method editor (IME). An unauthenticated,
    remote attacker can exploit this to cause a denial of
    service condition or the execution of arbitrary code.
    (CVE-2017-7752)

  - An out-of-bounds read error exists in the IsComplete()
    function in WebGLTexture.cpp that is triggered when
    handling textures. An unauthenticated, remote attacker
    can exploit this to disclose memory contents.
    (CVE-2017-7754)

  - A privilege escalation vulnerability exists due to
    improper loading of dynamic-link library (DLL) files. A
    local attacker can exploit this, via a specially crafted
    DLL file in the installation path, to inject and execute
    arbitrary code. (CVE-2017-7755)

  - A use-after-free error exists in the SetRequestHead()
    function in XMLHttpRequestMainThread.cpp that is
    triggered when logging XML HTTP Requests (XHR). An
    unauthenticated, remote attacker can exploit this to
    cause a denial of service condition or the execution of
    arbitrary code. (CVE-2017-7756)

  - A use-after-free error exists in ActorsParent.cpp due to
    improper handling of objects in memory. An
    unauthenticated, remote attacker can exploit this to
    cause a denial of service condition or the execution of
    arbitrary code. (CVE-2017-7757)

  - An out-of-bounds read error exists in the
    AppendAudioSegment() function in TrackEncoder.cpp that
    is triggered when the number of channels in an audio
    stream changes while the Opus encoder is in use. An
    unauthenticated, remote attacker can exploit this to
    disclose sensitive information. (CVE-2017-7758)

  - A flaw exists in the NS_main() function in updater.cpp
    due to improper validation of input when handling
    callback file path parameters. A local attacker can
    exploit this to manipulate files in the installation
    directory. (CVE-2017-7760)

  - A flaw exists in the Maintenance Service helper.exe
    application that is triggered as permissions for a
    temporary directory are set to writable by
    non-privileged users. A local attacker can exploit this
    to delete arbitrary files on the system. (CVE-2017-7761)

  - A flaw exists in the ReadCMAP() function in
    gfxMacPlatformFontList.mm that is triggered when
    handling tibetan characters in combination with macOS
    fonts. An unauthenticated, remote attacker can exploit
    this, via a specially crafted IDN domain, to spoof a
    valid URL. (CVE-2017-7763)

  - A flaw exists in the isLabelSafe() function in
    nsIDNService.cpp that is triggered when handling
    characters from different unicode blocks. An
    unauthenticated, remote attacker can exploit this, via a
    specially crafted IDN domain, to spoof a valid URL and
    conduct phishing attacks. (CVE-2017-7764)

  - Multiple integer overflow conditions exist in the
    Graphite component in the decompress() function in
    Decompressor.cpp due to improper validation of
    user-supplied input. An unauthenticated, remote attacker
    can exploit this to cause a denial of service condition
    or the execution of arbitrary code. (CVE-2017-7772,
    CVE-2017-7773, CVE-2017-7778)

  - An out-of-bounds read error exists in the Graphite
    component in the readGraphite() function in Silf.cpp. An
    unauthenticated, remote attacker can exploit this to
    cause a denial of service condition or disclose memory
    contents. (CVE-2017-7774)

  - An assertion flaw exists in the Graphite component when
    handling zero value sizes. An unauthenticated, remote
    attacker can exploit this to cause a denial of service
    condition. (CVE-2017-7775)

  - An out-of-bounds read error exists in the Graphite
    component in getClassGlyph() function in Silf.cpp due to
    improper validation of user-supplied input. An
    unauthenticated, remote attacker can exploit this to
    cause a denial of service condition. (CVE-2017-7776)

  - A flaw exists in the Graphite component in the
    read_glyph() function in GlyphCache.cpp related to use
    of uninitialized memory. An unauthenticated, remote
    attacker can exploit this to have an unspecified impact.
    (CVE-2017-7777)");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2017-16/");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Mozilla Firefox ESR version 52.2 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-7778");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/06/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/06/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/06/15");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:mozilla:firefox_esr");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("macosx_firefox_installed.nasl");
  script_require_keys("MacOSX/Firefox/Version");

  exit(0);
}

include("mozilla_version.inc");

kb_base = "MacOSX/Firefox";
get_kb_item_or_exit(kb_base+"/Installed");

version = get_kb_item_or_exit(kb_base+"/Version", exit_code:1);
path = get_kb_item_or_exit(kb_base+"/Path", exit_code:1);

is_esr = get_kb_item(kb_base+"/is_esr");
if (isnull(is_esr)) audit(AUDIT_NOT_INST, "Mozilla Firefox ESR");

mozilla_check_version(version:version, path:path, product:'firefox', esr:TRUE, fix:'52.2', min:'52', severity:SECURITY_HOLE);
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_FIREFOX_54_0.NASL
    descriptionThe version of Mozilla Firefox installed on the remote macOS or Mac OS X host is prior to 54. It is, therefore, affected by multiple vulnerabilities : - Multiple memory corruption issues exist that allow an unauthenticated, remote attacker to execute arbitrary code by convincing a user to visit a specially crafted website. (CVE-2017-5470, CVE-2017-5471) - A use-after-free error exists in the EndUpdate() function in nsCSSFrameConstructor.cpp that is triggered when reconstructing trees during regeneration of CSS layouts. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-5472) - A use-after-free error exists in the Reload() function in nsDocShell.cpp that is triggered when using an incorrect URL during the reload of a docshell. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7749) - A use-after-free error exists in the Hide() function in nsDocumentViewer.cpp that is triggered when handling track elements. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7750) - A use-after-free error exists in the nsDocumentViewer class in nsDocumentViewer.cpp that is triggered when handling content viewer listeners. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7751) - A use-after-free error exists that is triggered when handling events while specific user interaction occurs with the input method editor (IME). An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7752) - An out-of-bounds read error exists in the IsComplete() function in WebGLTexture.cpp that is triggered when handling textures. An unauthenticated, remote attacker can exploit this to disclose memory contents. (CVE-2017-7754) - A privilege escalation vulnerability exists due to improper loading of dynamic-link library (DLL) files. A local attacker can exploit this, via a specially crafted DLL file in the installation path, to inject and execute arbitrary code. (CVE-2017-7755) - A use-after-free error exists in the SetRequestHead() function in XMLHttpRequestMainThread.cpp that is triggered when logging XML HTTP Requests (XHR). An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7756) - A use-after-free error exists in ActorsParent.cpp due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7757) - An out-of-bounds read error exists in the AppendAudioSegment() function in TrackEncoder.cpp that is triggered when the number of channels in an audio stream changes while the Opus encoder is in use. An unauthenticated, remote attacker can exploit this to disclose sensitive information. (CVE-2017-7758) - A flaw exists in the NS_main() function in updater.cpp due to improper validation of input when handling callback file path parameters. A local attacker can exploit this to manipulate files in the installation directory. (CVE-2017-7760) - A flaw exists in the Maintenance Service helper.exe application that is triggered as permissions for a temporary directory are set to writable by non-privileged users. A local attacker can exploit this to delete arbitrary files on the system. (CVE-2017-7761) - A flaw exists that is triggered when displaying URLs including authentication sections in reader mode. An unauthenticated, remote attacker can exploit this, via a specially crafted URL, to spoof domains in the address bar. (CVE-2017-7762) - A flaw exists in the ReadCMAP() function in gfxMacPlatformFontList.mm that is triggered when handling tibetan characters in combination with macOS fonts. An unauthenticated, remote attacker can exploit this, via a specially crafted IDN domain, to spoof a valid URL. (CVE-2017-7763) - A flaw exists in the isLabelSafe() function in nsIDNService.cpp that is triggered when handling characters from different unicode blocks. An unauthenticated, remote attacker can exploit this, via a specially crafted IDN domain, to spoof a valid URL and conduct phishing attacks. (CVE-2017-7764) - Multiple integer overflow conditions exist in the Graphite component in the decompress() function in Decompressor.cpp due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7772, CVE-2017-7778) - An out-of-bounds read error exists in the Graphite component in the readGraphite() function in Silf.cpp. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or disclose memory contents. (CVE-2017-7774) - An assertion flaw exists in the Graphite component when handling zero value sizes. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2017-7775) - An out-of-bounds read error exists in the Graphite component in getClassGlyph() function in Silf.cpp due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2017-7776) - A flaw exists in the Graphite component in the read_glyph() function in GlyphCache.cpp related to use of uninitialized memory. An unauthenticated, remote attacker can exploit this to have an unspecified impact. (CVE-2017-7777)
    last seen2020-06-01
    modified2020-06-02
    plugin id100808
    published2017-06-15
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/100808
    titleMozilla Firefox < 54 Multiple Vulnerabilities (macOS)
    code
    #
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(100808);
  script_version("1.5");
  script_cvs_date("Date: 2019/11/13");

  script_cve_id(
    "CVE-2017-5470",
    "CVE-2017-5471",
    "CVE-2017-5472",
    "CVE-2017-7749",
    "CVE-2017-7750",
    "CVE-2017-7751",
    "CVE-2017-7752",
    "CVE-2017-7754",
    "CVE-2017-7755",
    "CVE-2017-7756",
    "CVE-2017-7757",
    "CVE-2017-7758",
    "CVE-2017-7760",
    "CVE-2017-7761",
    "CVE-2017-7762",
    "CVE-2017-7763",
    "CVE-2017-7764",
    "CVE-2017-7772",
    "CVE-2017-7774",
    "CVE-2017-7775",
    "CVE-2017-7776",
    "CVE-2017-7777",
    "CVE-2017-7778"
  );
  script_bugtraq_id(
    99040,
    99041,
    99042,
    99047,
    99057
  );
  script_xref(name:"MFSA", value:"2017-15");

  script_name(english:"Mozilla Firefox < 54 Multiple Vulnerabilities (macOS)");
  script_summary(english:"Checks the version of Firefox.");

  script_set_attribute(attribute:"synopsis", value:
"A web browser installed on the remote macOS or Mac OS X host is
affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Mozilla Firefox installed on the remote macOS or Mac
OS X host is prior to 54. It is, therefore, affected by multiple
vulnerabilities :

  - Multiple memory corruption issues exist that allow an
    unauthenticated, remote attacker to execute arbitrary
    code by convincing a user to visit a specially crafted
    website. (CVE-2017-5470, CVE-2017-5471)

  - A use-after-free error exists in the EndUpdate()
    function in nsCSSFrameConstructor.cpp that is triggered
    when reconstructing trees during regeneration of CSS
    layouts. An unauthenticated, remote attacker can exploit
    this, by convincing a user to visit a specially crafted
    website, to cause a denial of service condition or the
    execution of arbitrary code. (CVE-2017-5472)

  - A use-after-free error exists in the Reload() function
    in nsDocShell.cpp that is triggered when using an
    incorrect URL during the reload of a docshell. An
    unauthenticated, remote attacker can exploit this to
    cause a denial of service condition or the execution of
    arbitrary code. (CVE-2017-7749)

  - A use-after-free error exists in the Hide() function in
    nsDocumentViewer.cpp that is triggered when handling
    track elements. An unauthenticated, remote attacker can
    exploit this to cause a denial of service condition or
    the execution of arbitrary code. (CVE-2017-7750)

  - A use-after-free error exists in the nsDocumentViewer
    class in nsDocumentViewer.cpp that is triggered when
    handling content viewer listeners. An unauthenticated,
    remote attacker can exploit this to cause a denial of
    service condition or the execution of arbitrary code.
    (CVE-2017-7751)

  - A use-after-free error exists that is triggered when
    handling events while specific user interaction occurs
    with the input method editor (IME). An unauthenticated,
    remote attacker can exploit this to cause a denial of
    service condition or the execution of arbitrary code.
    (CVE-2017-7752)

  - An out-of-bounds read error exists in the IsComplete()
    function in WebGLTexture.cpp that is triggered when
    handling textures. An unauthenticated, remote attacker
    can exploit this to disclose memory contents.
    (CVE-2017-7754)

  - A privilege escalation vulnerability exists due to
    improper loading of dynamic-link library (DLL) files. A
    local attacker can exploit this, via a specially crafted
    DLL file in the installation path, to inject and execute
    arbitrary code. (CVE-2017-7755)

  - A use-after-free error exists in the SetRequestHead()
    function in XMLHttpRequestMainThread.cpp that is
    triggered when logging XML HTTP Requests (XHR). An
    unauthenticated, remote attacker can exploit this to
    cause a denial of service condition or the execution of
    arbitrary code. (CVE-2017-7756)

  - A use-after-free error exists in ActorsParent.cpp due to
    improper handling of objects in memory. An
    unauthenticated, remote attacker can exploit this to
    cause a denial of service condition or the execution of
    arbitrary code. (CVE-2017-7757)

  - An out-of-bounds read error exists in the
    AppendAudioSegment() function in TrackEncoder.cpp that
    is triggered when the number of channels in an audio
    stream changes while the Opus encoder is in use. An
    unauthenticated, remote attacker can exploit this to
    disclose sensitive information. (CVE-2017-7758)

  - A flaw exists in the NS_main() function in updater.cpp
    due to improper validation of input when handling
    callback file path parameters. A local attacker can
    exploit this to manipulate files in the installation
    directory. (CVE-2017-7760)

  - A flaw exists in the Maintenance Service helper.exe
    application that is triggered as permissions for a
    temporary directory are set to writable by
    non-privileged users. A local attacker can exploit this
    to delete arbitrary files on the system. (CVE-2017-7761)

  - A flaw exists that is triggered when displaying URLs
    including authentication sections in reader mode. An
    unauthenticated, remote attacker can exploit this, via a
    specially crafted URL, to spoof domains in the address
    bar. (CVE-2017-7762)

  - A flaw exists in the ReadCMAP() function in
    gfxMacPlatformFontList.mm that is triggered when
    handling tibetan characters in combination with macOS
    fonts. An unauthenticated, remote attacker can exploit
    this, via a specially crafted IDN domain, to spoof a
    valid URL. (CVE-2017-7763)

  - A flaw exists in the isLabelSafe() function in
    nsIDNService.cpp that is triggered when handling
    characters from different unicode blocks. An
    unauthenticated, remote attacker can exploit this, via a
    specially crafted IDN domain, to spoof a valid URL and
    conduct phishing attacks. (CVE-2017-7764)

  - Multiple integer overflow conditions exist in the
    Graphite component in the decompress() function in
    Decompressor.cpp due to improper validation of
    user-supplied input. An unauthenticated, remote attacker
    can exploit this to cause a denial of service condition
    or the execution of arbitrary code. (CVE-2017-7772,
    CVE-2017-7778)

  - An out-of-bounds read error exists in the Graphite
    component in the readGraphite() function in Silf.cpp. An
    unauthenticated, remote attacker can exploit this to
    cause a denial of service condition or disclose memory
    contents. (CVE-2017-7774)

  - An assertion flaw exists in the Graphite component when
    handling zero value sizes. An unauthenticated, remote
    attacker can exploit this to cause a denial of service
    condition. (CVE-2017-7775)

  - An out-of-bounds read error exists in the Graphite
    component in getClassGlyph() function in Silf.cpp due to
    improper validation of user-supplied input. An
    unauthenticated, remote attacker can exploit this to
    cause a denial of service condition. (CVE-2017-7776)

  - A flaw exists in the Graphite component in the
    read_glyph() function in GlyphCache.cpp related to use
    of uninitialized memory. An unauthenticated, remote
    attacker can exploit this to have an unspecified impact.
    (CVE-2017-7777)");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Mozilla Firefox version 54 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-7778");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/06/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/06/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/06/15");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:mozilla:firefox");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("macosx_firefox_installed.nasl");
  script_require_keys("MacOSX/Firefox/Installed");

  exit(0);
}

include("mozilla_version.inc");

kb_base = "MacOSX/Firefox";
get_kb_item_or_exit(kb_base+"/Installed");

version = get_kb_item_or_exit(kb_base+"/Version", exit_code:1);
path = get_kb_item_or_exit(kb_base+"/Path", exit_code:1);

if (get_kb_item(kb_base + '/is_esr')) exit(0, 'The Mozilla Firefox installation is in the ESR branch.');

mozilla_check_version(product:'firefox', version:version, path:path, esr:FALSE, fix:'54', severity:SECURITY_HOLE);
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2017-712.NASL
    descriptionThis update for Mozilla Firefox, Thunderbird, and NSS fixes the following issues : Mozilla Firefox was updated to 52.2esr (boo#1043960) MFSA 2017-16 : - CVE-2017-5472 (bmo#1365602) Use-after-free using destroyed node when regenerating trees - CVE-2017-7749 (bmo#1355039) Use-after-free during docshell reloading - CVE-2017-7750 (bmo#1356558) Use-after-free with track elements - CVE-2017-7751 (bmo#1363396) Use-after-free with content viewer listeners - CVE-2017-7752 (bmo#1359547) Use-after-free with IME input - CVE-2017-7754 (bmo#1357090) Out-of-bounds read in WebGL with ImageInfo object - CVE-2017-7755 (bmo#1361326) Privilege escalation through Firefox Installer with same directory DLL files (Windows only) - CVE-2017-7756 (bmo#1366595) Use-after-free and use-after-scope logging XHR header errors - CVE-2017-7757 (bmo#1356824) Use-after-free in IndexedDB - CVE-2017-7778, CVE-2017-7778, CVE-2017-7771, CVE-2017-7772, CVE-2017-7773, CVE-2017-7774, CVE-2017-7775, CVE-2017-7776, CVE-2017-7777 Vulnerabilities in the Graphite 2 library - CVE-2017-7758 (bmo#1368490) Out-of-bounds read in Opus encoder - CVE-2017-7760 (bmo#1348645) File manipulation and privilege escalation via callback parameter in Mozilla Windows Updater and Maintenance Service (Windows only) - CVE-2017-7761 (bmo#1215648) File deletion and privilege escalation through Mozilla Maintenance Service helper.exe application (Windows only) - CVE-2017-7764 (bmo#1364283) Domain spoofing with combination of Canadian Syllabics and other unicode blocks - CVE-2017-7765 (bmo#1273265) Mark of the Web bypass when saving executable files (Windows only) - CVE-2017-7766 (bmo#1342742) File execution and privilege escalation through updater.ini, Mozilla Windows Updater, and Mozilla Maintenance Service (Windows only) - CVE-2017-7767 (bmo#1336964) Privilege escalation and arbitrary file overwrites through Mozilla Windows Updater and Mozilla Maintenance Service (Windows only) - CVE-2017-7768 (bmo#1336979) 32 byte arbitrary file read through Mozilla Maintenance Service (Windows only) - CVE-2017-5470 Memory safety bugs fixed in Firefox 54 and Firefox ESR 52.2 - remove -fno-inline-small-functions and explicitely optimize with -O2 for openSUSE > 13.2/Leap 42 to work with gcc7 (boo#1040105) Mozilla NSS was updated to NSS 3.28.5 - Implemented domain name constraints for CA: TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1. (bmo#1350859) - March 2017 batch of root CA changes (bmo#1350859) (version 2.14) CA certificates removed: O = Japanese Government, OU = ApplicationCA CN = WellsSecure Public Root Certificate Authority CN = TURKTRUST Elektronik Sertifika Hizmet H6 CN = Microsec e-Szigno Root CA certificates added: CN = D-TRUST Root CA 3 2013 CN = TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1 java-1_8_0-openjdk was rebuild against NSS 3.28.5 to satisfy a runtime dependency.
    last seen2020-06-05
    modified2017-06-20
    plugin id100885
    published2017-06-20
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/100885
    titleopenSUSE Security Update : Mozilla based packages (openSUSE-2017-712)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_6CEC1B0ADA15467D86911DEA392D4C8D.NASL
    descriptionMozilla Foundation reports : Please reference CVE/URL list for details
    last seen2020-06-01
    modified2020-06-02
    plugin id100775
    published2017-06-14
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/100775
    titleFreeBSD : mozilla -- multiple vulnerabilities (6cec1b0a-da15-467d-8691-1dea392d4c8d)
  • NASL familyWindows
    NASL idMOZILLA_FIREFOX_52_2ESR.NASL
    descriptionThe version of Mozilla Firefox ESR installed on the remote Windows host is prior to 52.2. It is, therefore, affected by multiple vulnerabilities : - Multiple memory corruption issues exist that allow an unauthenticated, remote attacker to execute arbitrary code by convincing a user to visit a specially crafted website. (CVE-2017-5470) - A use-after-free error exists in the EndUpdate() function in nsCSSFrameConstructor.cpp that is triggered when reconstructing trees during regeneration of CSS layouts. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-5472) - A use-after-free error exists in the Reload() function in nsDocShell.cpp that is triggered when using an incorrect URL during the reload of a docshell. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7749) - A use-after-free error exists in the Hide() function in nsDocumentViewer.cpp that is triggered when handling track elements. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7750) - A use-after-free error exists in the nsDocumentViewer class in nsDocumentViewer.cpp that is triggered when handling content viewer listeners. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7751) - A use-after-free error exists that is triggered when handling events while specific user interaction occurs with the input method editor (IME). An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7752) - An out-of-bounds read error exists in the IsComplete() function in WebGLTexture.cpp that is triggered when handling textures. An unauthenticated, remote attacker can exploit this to disclose memory contents. (CVE-2017-7754) - A privilege escalation vulnerability exists due to improper loading of dynamic-link library (DLL) files. A local attacker can exploit this, via a specially crafted DLL file in the installation path, to inject and execute arbitrary code. (CVE-2017-7755) - A use-after-free error exists in the SetRequestHead() function in XMLHttpRequestMainThread.cpp that is triggered when logging XML HTTP Requests (XHR). An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7756) - A use-after-free error exists in ActorsParent.cpp due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7757) - An out-of-bounds read error exists in the AppendAudioSegment() function in TrackEncoder.cpp that is triggered when the number of channels in an audio stream changes while the Opus encoder is in use. An unauthenticated, remote attacker can exploit this to disclose sensitive information. (CVE-2017-7758) - A flaw exists in the NS_main() function in updater.cpp due to improper validation of input when handling callback file path parameters. A local attacker can exploit this to manipulate files in the installation directory. (CVE-2017-7760) - A flaw exists in the Maintenance Service helper.exe application that is triggered as permissions for a temporary directory are set to writable by non-privileged users. A local attacker can exploit this to delete arbitrary files on the system. (CVE-2017-7761) - A flaw exists in the isLabelSafe() function in nsIDNService.cpp that is triggered when handling characters from different unicode blocks. An unauthenticated, remote attacker can exploit this, via a specially crafted IDN domain, to spoof a valid URL and conduct phishing attacks. (CVE-2017-7764) - A flaw exists that is triggered due to improper parsing of long filenames when handling downloaded files. An unauthenticated, remote attacker can exploit this to cause a file to be downloaded without the
    last seen2020-06-01
    modified2020-06-02
    plugin id100809
    published2017-06-15
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/100809
    titleMozilla Firefox ESR < 52.2 Multiple Vulnerabilities
  • NASL familyWindows
    NASL idMOZILLA_FIREFOX_54_0.NASL
    descriptionThe version of Mozilla Firefox installed on the remote Windows host is prior to 54. It is, therefore, affected by multiple vulnerabilities : - Multiple memory corruption issues exist that allow an unauthenticated, remote attacker to execute arbitrary code by convincing a user to visit a specially crafted website. (CVE-2017-5470, CVE-2017-5471) - A use-after-free error exists in the EndUpdate() function in nsCSSFrameConstructor.cpp that is triggered when reconstructing trees during regeneration of CSS layouts. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-5472) - A use-after-free error exists in the Reload() function in nsDocShell.cpp that is triggered when using an incorrect URL during the reload of a docshell. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7749) - A use-after-free error exists in the Hide() function in nsDocumentViewer.cpp that is triggered when handling track elements. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7750) - A use-after-free error exists in the nsDocumentViewer class in nsDocumentViewer.cpp that is triggered when handling content viewer listeners. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7751) - A use-after-free error exists that is triggered when handling events while specific user interaction occurs with the input method editor (IME). An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7752) - An out-of-bounds read error exists in the IsComplete() function in WebGLTexture.cpp that is triggered when handling textures. An unauthenticated, remote attacker can exploit this to disclose memory contents. (CVE-2017-7754) - A privilege escalation vulnerability exists due to improper loading of dynamic-link library (DLL) files. A local attacker can exploit this, via a specially crafted DLL file in the installation path, to inject and execute arbitrary code. (CVE-2017-7755) - A use-after-free error exists in the SetRequestHead() function in XMLHttpRequestMainThread.cpp that is triggered when logging XML HTTP Requests (XHR). An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7756) - A use-after-free error exists in ActorsParent.cpp due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7757) - An out-of-bounds read error exists in the AppendAudioSegment() function in TrackEncoder.cpp that is triggered when the number of channels in an audio stream changes while the Opus encoder is in use. An unauthenticated, remote attacker can exploit this to disclose sensitive information. (CVE-2017-7758) - A flaw exists in the NS_main() function in updater.cpp due to improper validation of input when handling callback file path parameters. A local attacker can exploit this to manipulate files in the installation directory. (CVE-2017-7760) - A flaw exists in the Maintenance Service helper.exe application that is triggered as permissions for a temporary directory are set to writable by non-privileged users. A local attacker can exploit this to delete arbitrary files on the system. (CVE-2017-7761) - A flaw exists that is triggered when displaying URLs including authentication sections in reader mode. An unauthenticated, remote attacker can exploit this, via a specially crafted URL, to spoof domains in the address bar. (CVE-2017-7762) - A flaw exists in the isLabelSafe() function in nsIDNService.cpp that is triggered when handling characters from different unicode blocks. An unauthenticated, remote attacker can exploit this, via a specially crafted IDN domain, to spoof a valid URL and conduct phishing attacks. (CVE-2017-7764) - A flaw exists that is triggered due to improper parsing of long filenames when handling downloaded files. An unauthenticated, remote attacker can exploit this to cause a file to be downloaded without the
    last seen2020-06-01
    modified2020-06-02
    plugin id100810
    published2017-06-15
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/100810
    titleMozilla Firefox < 54 Multiple Vulnerabilities

References