SecurityTracker.com
Category:   Application (Web Browser)  >   Mozilla Firefox
Vendors:   Mozilla.org
Mozilla Firefox Multiple Flaws Let Remote Users Execute Arbitrary Code and Obtain Potentially Sensitive Information and Let Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1032301
SecurityTracker URL:  http://securitytracker.com/id/1032301
CVE Reference:   CVE-2011-3079, CVE-2015-0797, CVE-2015-2708, CVE-2015-2709, CVE-2015-2710, CVE-2015-2711, CVE-2015-2712, CVE-2015-2713, CVE-2015-2714, CVE-2015-2715, CVE-2015-2716, CVE-2015-2717, CVE-2015-2718, CVE-2015-2720
Date:  May 13 2015
Impact:   Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, User access via local system, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to 38.0
Description:   Multiple vulnerabilities were reported in Mozilla Firefox. A remote user can cause arbitrary code to be executed on the target user's system. A local user can obtain elevated privileges on the target system. A remote user can obtain potentially sensitive information on the target system. A remote user can bypass security controls on the target system.

A remote user can create specially crafted content that, when loaded by the target user, will execute arbitrary code on the target system.

A memory corruption error may occur [CVE-2015-2708, CVE-2015-2709].

A buffer overflow may occur in the processing of H.264 video by the Linux GStreamer plugin [CVE-2015-0797].

A buffer overflow may occur in the processing of SVG content and CSS [CVE-2015-2710].

A use-after-free memory error may occur during text processing when vertical text is enabled [CVE-2015-2713].

A race condition when media decoder threads are created during the shutdown process may result in use-after-free [CVE-2015-2715].

A buffer overflow may occur in the parsing of compressed XML content [CVE-2015-2716].

A buffer overflow and out-of-bounds memory read error may occur in the libstagefright library when parsing specially crafted metadata in MP4 video files [CVE-2015-2717].

The system may not enforce the referrer policy set in meta tags when a link is opened via middle-click and the context menu [CVE-2015-2711].

A remote user can trigger an out-of-bounds read and write in 'asm.js' during JavaScript validation [CVE-2015-2712].

Firefox for Android writes potentially sensitive data to the Android logcat via logged URL strings [CVE-2015-2714]. A local user on Android 4.0 or prior with READ_LOGS permission can access this data.

'WebChannel.jsm' does not properly handle message traffic. A remote user can bypass origin restrictions [CVE-2015-2718].

The 'updater.exe' process can be run from directories other than the application directory [CVE-2015-2720].

On Windows-based systems, an Inter-process Communication (IPC) flaw may allow a local process to obtain elevated privileges [CVE-2011-3079].

Jesse Ruderman, Mats Palmgren, Byron Campen, Steve Fink, Gary Kwong, Andrew McCreight, Christian Holler, Jon Coppeard, Milan Sreckovic, Aki Helin, Atte Kettunen, Alex Verstak, Dougall Johnson, Scott Bell, Muneaki Nishimura, Tyson Smith, Jesse Schwartzentruber, Ucha Gobejishvili, laf.intel, Mark Hammond, Jed Davis, Christoph Diehl, and Holger Fuhrmannek reported these vulnerabilities.

Impact:   A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.

A local user can obtain elevated privileges on the target system.

A remote user can obtain potentially sensitive information on the target system.

A remote user can bypass same-origin restrictions on the target system.

Solution:   The vendor has issued a fix (38.0, 31.7 ESR).

The vendor's advisories are available at:

https://www.mozilla.org/en-US/security/advisories/mfsa2015-46/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-47/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-48/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-49/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-50/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-51/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-52/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-53/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-54/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-55/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-56/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-57/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-58/

Vendor URL:  www.mozilla.org/en-US/security/advisories/mfsa2015-46/
Cause:   Access control error, Boundary error
Underlying OS:  Android, Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
May 13 2015 (Red Hat Issues Fix) Mozilla Firefox Multiple Flaws Let Remote Users Execute Arbitrary Code and Obtain Potentially Sensitive Information and Let Local Users Gain Elevated Privileges
Red Hat has issued a fix for Red Hat Enterprise Linux 5, 6, and 7.
May 13 2015 Mozilla Firefox Multiple Flaws Let Remote Users Execute Arbitrary Code and Obtain Potentially Sensitive Information and Let Local Users Gain Elevated Privileges
Ubuntu has issued a fix for Ubuntu 12.04 LTS, 14.04 LTS, 14.10, and 15.04.


