SecurityTracker.com
SecurityTracker Archives
Category:   Application (Web Browser)  >   Mozilla Firefox
Vendors:   Mozilla.org
Mozilla Firefox Multiple Flaws Let Remote Users Execute Arbitrary Code, Obtain Potentially Sensitive Information, Bypass Security Restrictions, and Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1033247
SecurityTracker URL:  http://securitytracker.com/id/1033247
CVE Reference:   CVE-2015-4473, CVE-2015-4474, CVE-2015-4475, CVE-2015-4477, CVE-2015-4478, CVE-2015-4479, CVE-2015-4480, CVE-2015-4481, CVE-2015-4482, CVE-2015-4483, CVE-2015-4484, CVE-2015-4485, CVE-2015-4486, CVE-2015-4487, CVE-2015-4488, CVE-2015-4489, CVE-2015-4490, CVE-2015-4491, CVE-2015-4492, CVE-2015-4493
Date:  Aug 11 2015
Impact:   Denial of service via network, Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to 40.0
Description:   Multiple vulnerabilities were reported in Mozilla Firefox. A remote user can cause arbitrary code to be executed on the target user's system. A remote user can cause the target application to crash. A remote user can modify files on the target system. A remote user can bypass security controls on the target system. A remote user can obtain potentially sensitive information on the target system. A remote user can conduct cross-site scripting attacks.

A remote user can create specially crafted content that, when loaded by the target user, will execute arbitrary code on the target system.

Some memory corruption errors may occur [CVE-2015-4473, CVE-2015-4474].

A use-after-free may occur in the processing of audio via the Web Audio API during MediaStream playback [CVE-2015-4477].

Some integer and buffer overflows may occur when processing MPEG4 video [CVE-2015-4479, CVE-2015-4480, CVE-2015-4493].

Some buffer overflows may occur in the Libvpx library in the processing of WebM video [CVE-2015-4485, CVE-2015-4486].

Some memory errors may occur [CVE-2015-4487, CVE-2015-4488, CVE-2015-4489].

A use-after-free memory error may occur in XMLHttpRequest::Open() in a SharedWorker [CVE-2015-4492].

A remote user can create a specially crafted MP3 audio file that, when loaded by the target user, will read portions of system memory [CVE-2015-4475].

A remote user can redefine some non-configurable properties on JavaScript objects when parsing JSON to bypass same-origin policy [CVE-2015-4478].

On Windows-based systems, a local user can trigger a hardlink race condition to cause the Mozilla Maintenance Service to write its log file to a restricted location with an arbitrary file name. This can be exploited to gain elevated privileges on the target system [CVE-2015-4481].

A remote user can create a MAR file with a specially crafted name that, when opened, will trigger an out-of-bounds write and potentially execute arbitrary code [CVE-2015-4482].

A remote user that can conduct a man-in-the-middle attack can modify a 'feed:' protocol URL to cause the mixed content blocker to be disabled for that page [CVE-2015-4483].

A remote user can create specially crafted JavaScript that, when loaded by the target user, will trigger a flaw in the use of shared memory and crash [CVE-2015-4484].

On Linux systems running Gnome, a remote user can supply a specially crafted bitmap image that, when scaled, will trigger a heap overflow in gdk-pixbuf and potentially execute arbitrary code [CVE-2015-4491].

A remote user can exploit a flaw in the processing of wildcard characters in the Content Security Policy in 'blob:', 'data:', and 'filesystem:' URLs to potentially allow cross-site scripting attacks [CVE-2015-4490].

Gary Kwong, Christian Holler, Byron Campen, Tyson Smith, Bobby Holley, Chris Coulson, Eric Rahm, Aki Helin, SkyLined, Andre Bargull, Anonymous, laf.intel, Massimiliano Tomassoli, Tyson Smith, James Forshaw, Holger Fuhrmannek,
Masato Kinugawa, Jukka Jylanki, Gustavo Grieco, Abhishek Arya, Ronald Crane, Christoph Kerschbaumer, and Looben Yang reported these vulnerabilities.

Impact:   A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.

A remote user can cause the target application to crash.

A remote authenticated user can modify files on the target system.

A remote user can bypass security controls on the target system.

A remote user can obtain potentially sensitive information on the target system.

A remote user can conduct cross-site scripting attacks.

Solution:   The vendor has issued a fix (40.0, ESR 38.2).
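An added inventory check, not part of this advisory, that applies the fixed-version thresholds stated above (40.0 on the release channel, 38.2 on ESR) to version strings in the format printed by `firefox --version`; the sample inventory lines are constructed for illustration.

```python
import re

# Fixed versions from the advisory: 40.0 for the release channel, 38.2 for ESR.
RELEASE_FIX = (40, 0)
ESR_FIX = (38, 2)

# Matches a trailing dotted version with an optional "esr" suffix, e.g. "39.0.3" or "38.1.1esr".
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(esr)?$", re.IGNORECASE)


def parse_version(text):
    """Parse 'Mozilla Firefox 39.0.3' or '38.1.1esr' into (numbers, is_esr).

    Accepts the output of `firefox --version` as well as a bare version string.
    Raises ValueError for anything that does not end in a dotted version.
    """
    m = _VERSION_RE.search(text.strip())
    if not m:
        raise ValueError("no Firefox version found in %r" % text)
    numbers = tuple(int(part) for part in m.group(1).split("."))
    return numbers, m.group(2) is not None


def is_affected(text):
    """True if the given Firefox build predates the fixed release for its channel."""
    numbers, is_esr = parse_version(text)
    fixed = ESR_FIX if is_esr else RELEASE_FIX
    # Tuple comparison handles differing lengths: (38, 2) > (38, 1, 1).
    return numbers < fixed


# Constructed sample inventory, as if collected from `firefox --version` across hosts.
SAMPLE_INVENTORY = [
    "Mozilla Firefox 39.0.3",
    "Mozilla Firefox 40.0",
    "Mozilla Firefox 38.1.1esr",
    "Mozilla Firefox 38.2.0esr",
    "Mozilla Firefox 31.8.0esr",
]


def affected_hosts(inventory):
    """Return the inventory lines whose version is still affected."""
    return [line for line in inventory if is_affected(line)]


if __name__ == "__main__":
    for line in SAMPLE_INVENTORY:
        print("%-30s %s" % (line, "AFFECTED" if is_affected(line) else "fixed"))
```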

The vendor's advisories are available at:

https://www.mozilla.org/en-US/security/advisories/mfsa2015-79/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-80/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-81/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-82/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-83/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-84/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-85/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-86/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-87/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-88/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-89/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-90/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-91/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-92/

Vendor URL:  www.mozilla.org/en-US/security/advisories/mfsa2015-79/
Cause:   Access control error, Boundary error, Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Aug 11 2015 (Red Hat Issues Fix) Mozilla Firefox Multiple Flaws Let Remote Users Execute Arbitrary Code, Obtain Potentially Sensitive Information, Bypass Security Restrictions, and Conduct Cross-Site Scripting Attacks
Red Hat has issued a fix for Red Hat Enterprise Linux 5, 6, and 7.
Aug 11 2015 (Ubuntu Issues Fix) Mozilla Firefox Multiple Flaws Let Remote Users Execute Arbitrary Code, Obtain Potentially Sensitive Information, Bypass Security Restrictions, and Conduct Cross-Site Scripting Attacks
Ubuntu has issued a fix for Ubuntu 12.04 LTS, 14.04 LTS, and 15.04.
Aug 12 2015 (CentOS Issues Fix) Mozilla Firefox Multiple Flaws Let Remote Users Execute Arbitrary Code, Obtain Potentially Sensitive Information, Bypass Security Restrictions, and Conduct Cross-Site Scripting Attacks
CentOS has issued a fix for CentOS Linux 5, 6, and 7.
Aug 12 2015 (Oracle Issues Fix for Oracle Linux) Mozilla Firefox Multiple Flaws Let Remote Users Execute Arbitrary Code, Obtain Potentially Sensitive Information, Bypass Security Restrictions, and Conduct Cross-Site Scripting Attacks
Oracle has issued a fix for Oracle Linux 5, 6, and 7.
Aug 31 2015 (Red Hat Issues Fix for gdk-pixbuf) Mozilla Firefox Multiple Flaws Let Remote Users Execute Arbitrary Code, Obtain Potentially Sensitive Information, Bypass Security Restrictions, and Conduct Cross-Site Scripting Attacks
Red Hat has issued an advisory for gdk-pixbuf for Red Hat Enterprise Linux 6 and 7.
Sep 1 2015 (Oracle Issues Fix for gdk-pixbuf for Oracle Linux) Mozilla Firefox Multiple Flaws Let Remote Users Execute Arbitrary Code, Obtain Potentially Sensitive Information, Bypass Security Restrictions, and Conduct Cross-Site Scripting Attacks
Oracle has issued a fix for gdk-pixbuf for Oracle Linux 6 and 7.

Copyright 2019, SecurityGlobal.net LLC