SecurityTracker.com
SecurityTracker Archives

Category:   Application (Web Browser)  >   Mozilla Firefox Vendors:   Mozilla.org
Mozilla Firefox Multiple Flaws Let Remote Users Execute Arbitrary Code, Gain Elevated Privileges, Bypass Security Restrictions, and Obtain Potentially Sensitive Information
SecurityTracker Alert ID:  1035692
SecurityTracker URL:  http://securitytracker.com/id/1035692
CVE Reference:   CVE-2016-2804, CVE-2016-2805, CVE-2016-2806, CVE-2016-2807, CVE-2016-2808, CVE-2016-2809, CVE-2016-2810, CVE-2016-2811, CVE-2016-2812, CVE-2016-2813, CVE-2016-2814, CVE-2016-2816, CVE-2016-2817, CVE-2016-2820
Date:  Apr 27 2016
Impact:   Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 46.0
Description:   Multiple vulnerabilities were reported in Mozilla Firefox. A remote user can cause arbitrary code to be executed on the target user's system. A remote or local user can gain elevated privileges. A remote user can bypass security controls on the target system. A remote user can obtain potentially sensitive information on the target system.

A remote user can create a specially crafted HTML that, when loaded by the target user, will trigger a memory corruption error and execute arbitrary code on the target system [CVE-2016-2804, CVE-2016-2805, CVE-2016-2806, CVE-2016-2807]. The code will run with the privileges of the target user.

A local user can execute a specially crafted file to exploit a flaw in the Mozilla Maintenance Service updater on Windows-based systems and delete arbitrary files and potentially gain elevated privileges [CVE-2016-2809].

A malicious application can abuse Firefox's content provider permissions to read data, including browser history and saved passwords [CVE-2016-2810]. Android-based systems are affected; only Android versions prior to 5.0 are affected.

A remote user can trigger a use-after-free memory error in BeginReading() to potentially execute arbitrary code [CVE-2016-2811].

A remote user can trigger a race condition and buffer overflow in get() in the ServiceWorkerManager to potentially execute arbitrary code [CVE-2016-2812].

A remote user can exploit a flaw to access orientation data and motion sensor information and infer touch actions on the target Android-based device, potentially including PIN code data [CVE-2016-2813].

A remote user can trigger a buffer overflow in libstagefright [CVE-2016-2814].

A remote user can send specially crafted content with the multipart/x-mixed-replace MIME type to bypass Content Security Policy (CSP) [CVE-2016-2816].

A remote user can cause the chrome.tabs.update API for web extensions to navigate to a javascript: URL and potentially conduct cross-site scripting attacks to gain elevated privileges [CVE-2016-2817].
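The CVE-2016-2817 entry above concerns an extension API being handed a javascript: URL as a navigation target. The following is an added example, not code from SecurityTracker or Mozilla, showing the allow-list check an extension author can apply on their own side before a URL ever reaches tabs.update: the URL is parsed with the WHATWG URL parser (available in browsers and Node), and only the normalised http: and https: schemes are accepted, so case differences and leading whitespace or embedded tab/newline characters cannot disguise the scheme. The `tabsApi` parameter and the `safeTabUpdate` wrapper are assumptions made for this example so it can run outside a browser.

```javascript
// Added example (not Mozilla's or SecurityTracker's code): scheme allow-list
// applied before a navigation target is passed to chrome.tabs.update /
// browser.tabs.update. Assumes the WHATWG URL parser (global `URL`).

const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Returns { ok: true, url } with the normalised absolute URL, or
// { ok: false, reason }. The parser lower-cases the scheme and strips leading
// whitespace/control characters and embedded tabs or newlines before the
// comparison, so "  JAVASCRIPT:..." and "java\nscript:..." are both caught.
function checkNavigationTarget(target, { base = undefined } = {}) {
  if (typeof target !== 'string') {
    return { ok: false, reason: 'target is not a string' };
  }
  let parsed;
  try {
    parsed = base === undefined ? new URL(target) : new URL(target, base);
  } catch (e) {
    return { ok: false, reason: 'unparseable URL' };
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return { ok: false, reason: `scheme ${parsed.protocol} not allowed` };
  }
  return { ok: true, url: parsed.href };
}

// Hypothetical wrapper around the extension API: `tabsApi` is injected
// (browser.tabs in a real extension) so the function can be exercised offline.
function safeTabUpdate(tabsApi, tabId, target) {
  const verdict = checkNavigationTarget(target);
  if (!verdict.ok) {
    throw new Error(`refusing navigation: ${verdict.reason}`);
  }
  return tabsApi.update(tabId, { url: verdict.url });
}

// Constructed sample inputs, as an untrusted page might supply them.
const sampleTargets = [
  'https://example.com/path',
  'javascript:alert(1)',
  '  JAVASCRIPT:alert(1)',
  'java\nscript:alert(1)',
  'data:text/html,hi',
];
for (const t of sampleTargets) {
  console.log(JSON.stringify(t), '->', JSON.stringify(checkNavigationTarget(t)));
}
```

The check deliberately rejects every scheme it does not recognise rather than blocking a list of known-bad ones, so data:, file: and vendor-specific schemes are refused along with javascript:.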

A remote user can trigger an out-of-bounds memory write error to execute arbitrary code [CVE-2016-2808].

The Firefox Health Report (about:healthreport) accepts certain events from untrusted domains [CVE-2016-2820]. A remote user may be able to exploit a separate vulnerability and issue events to change the sharing preferences of the target user.

Christian Holler, Tyson Smith, Phil Ringalda, Gary Kwong, Jesse Ruderman, Mats Palmgren, Carsten Book, Boris Zbarsky, David Bolter, Randell Jesup, Andrew McCreight, Steve Fink, Holger Fuhrmannek, Ken Okuyama, Looben Yang, Muneaki Nishimura (nishimunea) of Recruit Technologies Co., Ltd., Maryam Mehrnezhad, Ehsan Toreini, Siamak F. Shahandashti, and Feng Hao of Newcastle University, UK, Sascha Just, Mark Goodwin, and CESG (the Information Security Arm of GCHQ) reported these vulnerabilities.

Impact:   A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.

A remote or local user can gain elevated privileges on the target system.

A remote user can bypass security controls on the target system.

A remote user can obtain potentially sensitive information on the target system.

Solution:   The vendor has issued a fix (46.0; ESR 38.8, ESR 45.1).
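Because the fix lands at different version numbers on the release branch (46.0) and on the two ESR branches (38.8 and 45.1), a plain "is it below 46?" test misclassifies patched ESR installs. The following is an added example, not code from SecurityTracker or Mozilla, that applies the advisory's three thresholds to a version string taken from an inventory. It assumes version strings of the form "45.0.2" or "45.1.0esr", with a trailing "esr" suffix (or an explicit flag) marking an ESR build; an ESR major not listed by this advisory is compared against the 46.0 release threshold, which yields "fixed" for later ESR lines and "not fixed" for older, end-of-life ones.

```javascript
// Added example (not SecurityTracker's or Mozilla's code): classify a Firefox
// build against the fixed releases named in this advisory.
// Assumption: version strings look like "45.0.2" or "45.1.0esr".

const FIXED_RELEASE = [46, 0, 0];
// ESR branches covered by the advisory, keyed by major version.
const FIXED_ESR = { 38: [38, 8, 0], 45: [45, 1, 0] };

// "45.1.0esr" -> { parts: [45, 1, 0], esr: true }. Throws on unrecognised input.
function parseFirefoxVersion(versionString) {
  const m = /^(\d+(?:\.\d+){0,2})(esr)?$/i.exec(String(versionString).trim());
  if (!m) throw new Error(`unrecognised Firefox version: ${versionString}`);
  const parts = m[1].split('.').map(Number);
  while (parts.length < 3) parts.push(0); // "46.0" -> [46, 0, 0]
  return { parts, esr: Boolean(m[2]) };
}

// Lexicographic comparison of [major, minor, patch]; -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns { version, esr, fixed, reason } for one installed build.
function assessFirefox(versionString, { esr = false } = {}) {
  const v = parseFirefoxVersion(versionString);
  const isEsr = esr || v.esr;
  // An ESR major the advisory does not list falls back to the release
  // threshold: ESR 52+ is later than every fix here, ESR 31 and older never
  // received one.
  const fixedAt = (isEsr && FIXED_ESR[v.parts[0]]) || FIXED_RELEASE;
  const fixed = compareVersions(v.parts, fixedAt) >= 0;
  return {
    version: versionString,
    esr: isEsr,
    fixed,
    reason: fixed
      ? `at or above fixed release ${fixedAt.join('.')}`
      : `below fixed release ${fixedAt.join('.')}`,
  };
}

// Constructed sample inventory; not real hosts.
const sampleInventory = ['45.0.2', '45.1.0esr', '38.7.1esr', '46.0'];
for (const v of sampleInventory) {
  console.log(JSON.stringify(assessFirefox(v)));
}
```

Note that "45.1.0" without the ESR marker is reported as unfixed: on the release branch that number predates 46.0, so the caller must supply the branch (via the suffix or the flag) for the verdict to be meaningful.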

The vendor's advisories are available at:

https://www.mozilla.org/en-US/security/advisories/mfsa2016-39/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-40/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-41/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-42/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-43/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-44/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-45/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-46/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-47/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-48/

Vendor URL:  www.mozilla.org/en-US/security/advisories/mfsa2016-39/
Cause:   Access control error, Boundary error, State error
Underlying OS:  Android, Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Apr 27 2016 (Red Hat Issues Fix) Mozilla Firefox Multiple Flaws Let Remote Users Execute Arbitrary Code, Gain Elevated Privileges, Bypass Security Restrictions, and Obtain Potentially Sensitive Information
Red Hat has issued a fix for Red Hat Enterprise Linux 5, 6, and 7.
Apr 27 2016 (CentOS Issues Fix) Mozilla Firefox Multiple Flaws Let Remote Users Execute Arbitrary Code, Gain Elevated Privileges, Bypass Security Restrictions, and Obtain Potentially Sensitive Information
CentOS has issued a fix for CentOS 7.
Apr 27 2016 (Ubuntu Issues Fix) Mozilla Firefox Multiple Flaws Let Remote Users Execute Arbitrary Code, Gain Elevated Privileges, Bypass Security Restrictions, and Obtain Potentially Sensitive Information
Ubuntu has issued a fix for Ubuntu Linux 12.04 LTS, 14.04 LTS, 15.10, and 16.04 LTS.
Apr 27 2016 (Oracle Issues Fix for Oracle Linux) Mozilla Firefox Multiple Flaws Let Remote Users Execute Arbitrary Code, Gain Elevated Privileges, Bypass Security Restrictions, and Obtain Potentially Sensitive Information
Oracle has issued a fix for Oracle Linux 5, 6, and 7.
May 12 2016 (Red Hat Issues Fix for Mozilla Thunderbird) Mozilla Firefox Multiple Flaws Let Remote Users Execute Arbitrary Code, Gain Elevated Privileges, Bypass Security Restrictions, and Obtain Potentially Sensitive Information
Red Hat has issued a fix for Mozilla Thunderbird for Red Hat Enterprise Linux 5, 6, and 7.
May 12 2016 (Oracle Issues Fix for Oracle Linux) Mozilla Firefox Multiple Flaws Let Remote Users Execute Arbitrary Code, Gain Elevated Privileges, Bypass Security Restrictions, and Obtain Potentially Sensitive Information
Oracle has issued a fix for Oracle Linux 7.
May 16 2016 (CentOS Issues Fix for Mozilla Thunderbird) Mozilla Firefox Multiple Flaws Let Remote Users Execute Arbitrary Code, Gain Elevated Privileges, Bypass Security Restrictions, and Obtain Potentially Sensitive Information
CentOS has issued a fix for Mozilla Thunderbird for CentOS 5.
May 19 2016 (Ubuntu Issues Fix for Mozilla Thunderbird) Mozilla Firefox Multiple Flaws Let Remote Users Execute Arbitrary Code, Gain Elevated Privileges, Bypass Security Restrictions, and Obtain Potentially Sensitive Information
Ubuntu has issued a fix for Mozilla Thunderbird for Ubuntu Linux 12.04 LTS, 14.04 LTS, 15.10, and 16.04 LTS.



 Source Message Contents



[Original Message Not Available for Viewing]

Copyright 2019, SecurityGlobal.net LLC