Mozilla Foundation Security Advisory 2016-89

Security vulnerabilities fixed in Firefox 50

Announced
November 15, 2016
Impact
critical
Products
Firefox
Fixed in
  • Firefox 50

#CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1

Reporter
Abhishek Arya
Impact
critical
Description

A heap-buffer-overflow in Cairo when processing SVG content caused by compiler optimization, resulting in a potentially exploitable crash.

References

#CVE-2016-5292: URL parsing causes crash

Reporter
Daniel Browning
Impact
high
Description

During URL parsing, a maliciously crafted URL can cause a potentially exploitable crash.

References

#CVE-2016-5293: Write to arbitrary file with Mozilla Updater and Maintenance Service using updater.log hardlink

Reporter
Holger Fuhrmannek
Impact
high
Description

When the Mozilla Updater is run, if the Updater's log file in the working directory points to a hardlink, data can be appended to an arbitrary local file. This vulnerability requires local system access.
Note: this issue only affects Windows operating systems.

References

#CVE-2016-5294: Arbitrary target directory for result files of update process

Reporter
Holger Fuhrmannek
Impact
high
Description

The Mozilla Updater can be made to choose an arbitrary target working directory for output files resulting from the update process. This vulnerability requires local system access.
Note: this issue only affects Windows operating systems.

References

#CVE-2016-5297: Incorrect argument length checking in JavaScript

Reporter
André Bargull
Impact
high
Description

An error in argument length checking in JavaScript, leading to potential integer overflows or other bounds checking issues.

References

#CVE-2016-9064: Add-ons update must verify IDs match between current and new versions

Reporter
Multiple people
Impact
high
Description

Add-on updates failed to verify that the add-on ID inside the signed package matched the ID of the add-on being updated. An attacker who could perform a man-in-the-middle attack on the user's connection to the update server and defeat the certificate pinning protection could provide a malicious signed add-on instead of a valid update.

References

#CVE-2016-9065: Firefox for Android location bar spoofing using fullscreen

Reporter
Raphael
Impact
high
Description

The location bar in Firefox for Android can be spoofed by forcing a user into fullscreen mode, blocking its exiting, and creating of a fake location bar without any user notification.
Note: This issue only affects Firefox for Android. Other versions and operating systems are unaffected.

References

#CVE-2016-9066: Integer overflow leading to a buffer overflow in nsScriptLoadHandler

Reporter
Samuel Groß
Impact
high
Description

A buffer overflow resulting in a potentially exploitable crash due to memory allocation issues when handling large amounts of incoming data.

References

#CVE-2016-9067: heap-use-after-free in nsINode::ReplaceOrInsertBefore

Reporter
Nils
Impact
high
Description

Two use-after-free errors during DOM operations resulting in potentially exploitable crashes.

References

#CVE-2016-9068: heap-use-after-free in nsRefreshDriver

Reporter
Nils
Impact
high
Description

A use-after-free during web animations when working with timelines resulting in a potentially exploitable crash.

References

#CVE-2016-9072: 64-bit NPAPI sandbox isn't enabled on fresh profile

Reporter
Bob Owen
Impact
high
Description

When a new Firefox profile is created on 64-bit Windows installations, the sandbox for 64-bit NPAPI plugins is not enabled by default.
Note: This issue only affects 64-bit Windows. 32-bit Windows and other operating systems are unaffected.

References

#CVE-2016-9075: WebExtensions can access the mozAddonManager API and use it to gain elevated privileges

Reporter
Kris Maglione
Impact
high
Description

An issue where WebExtensions can use the mozAddonManager API to elevate privilege due to privileged pages being allowed in the permissions list. This allows a malicious extension to then install additional extensions without explicit user permission.

References

#CVE-2016-9077: Canvas filters allow feDisplacementMaps to be applied to cross-origin images, allowing timing attacks on them

Reporter
Markus Stange
Impact
high
Description

Canvas allows the use of the feDisplacementMap filter on images loaded cross-origin. The rendering by the filter is variable depending on the input pixel, allowing for timing attacks when the images are loaded from third party locations.

References

#CVE-2016-5291: Same-origin policy violation using local HTML file and saved shortcut file

Reporter
Yuyang Zhou
Impact
moderate
Description

A same-origin policy bypass with local shortcut files to load arbitrary local content from disk.

References

#CVE-2016-5295: Mozilla Maintenance Service: Ability to read arbitrary files as SYSTEM

Reporter
Holger Fuhrmannek
Impact
moderate
Description

This vulnerability allows an attacker to use the Mozilla Maintenance Service to escalate privilege by having the Maintenance Service invoke the Mozilla Updater to run malicious local files. This vulnerability requires local system access and is a variant of MFSA2013-44.
Note: this issue only affects Windows operating systems.

References

#CVE-2016-5298: SSL indicator can mislead the user about the real URL visited

Reporter
Jordi Chancel
Impact
moderate
Description

A mechanism where disruption of the loading of a new web page can cause the previous page's favicon and SSL indicator to not be reset when the new page is loaded.
Note: this issue only affects Firefox for Android. Desktop Firefox is unaffected.

References

#CVE-2016-5299: Firefox AuthToken in broadcast protected with signature-level permission can be accessed by an application installed beforehand that defines the same permissions

Reporter
Ken Okuyama
Impact
moderate
Description

A previously installed malicious Android application with same signature-level permissions as Firefox can intercept AuthTokens meant for Firefox only.
Note: This issue only affects Firefox for Android. Other versions and operating systems are unaffected.

References

#CVE-2016-9061: API key (glocation) in broadcast protected with signature-level permission can be accessed by an application installed beforehand that defines the same permissions

Reporter
Ken Okuyama
Impact
moderate
Description

A previously installed malicious Android application which defines a specific signature-level permissions used by Firefox can access API keys meant for Firefox only.
Note: This issue only affects Firefox for Android. Other versions and operating systems are unaffected.

References

#CVE-2016-9062: Private browsing browser traces (Android) in browser.db and wal file

Reporter
Daniel D.
Impact
moderate
Description

Private browsing mode leaves metadata information, such as URLs, for sites visited in browser.db and browser.db-wal files within the Firefox profile after the mode is exited.
Note: This issue only affects Firefox for Android. Other versions and operating systems are unaffected.

References

#CVE-2016-9070: Sidebar bookmark can have reference to chrome window

Reporter
Abdulrahman Alqabandi
Impact
moderate
Description

A maliciously crafted page loaded to the sidebar through a bookmark can reference a privileged chrome window and engage in limited JavaScript operations violating cross-origin protections.

References

#CVE-2016-9073: windows.create schema doesn't specify "format": "relativeUrl"

Reporter
Will Bamberg
Impact
moderate
Description

WebExtensions can bypass security checks to load privileged URLs and potentially escape the WebExtension sandbox.

References

#CVE-2016-9074: Insufficient timing side-channel resistance in divSpoiler

Reporter
Franziskus Kiefer
Impact
moderate
Description

An existing mitigation of timing side-channel attacks is insufficient in some circumstances. This issue is addressed in Network Security Services (NSS) 3.26.1.

References

#CVE-2016-9076: select dropdown menu can be used for URL bar spoofing on e10s

Reporter
Mats Palmgren
Impact
moderate
Description

An issue where a <select> dropdown menu can be used to cover location bar content, resulting in potential spoofing attacks. This attack requires e10s to be enabled in order to function.

References

#CVE-2016-9063: Possible integer overflow to fix inside XML_Parse in Expat

Reporter
Gustavo Grieco
Impact
low
Description

An integer overflow during the parsing of XML using the Expat library.

References

#CVE-2016-9071: Probe browser history via HSTS/301 redirect + CSP

Reporter
Xiaoyin Liu
Impact
low
Description

Content Security Policy combined with HTTP to HTTPS redirection can be used by malicious server to verify whether a known site is within a user's browser history.

References

#CVE-2016-5289: Memory safety bugs fixed in Firefox 50

Reporter
Mozilla developers
Impact
critical
Description

Mozilla developers and community members Christian Holler, Andrew McCreight, Dan Minor, Tyson Smith, Jon Coppeard, Jan-Ivar Bruaroey, Jesse Ruderman, and Markus Stange reported memory safety bugs present in Firefox 49. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code.

References

#CVE-2016-5290: Memory safety bugs fixed in Firefox 50 and Firefox ESR 45.5

Reporter
Mozilla developers
Impact
critical
Description

Mozilla developers and community members Olli Pettay, Christian Holler, Ehsan Akhgari, Jon Coppeard, Gary Kwong, Tooru Fujisawa, Philipp, and Randell Jesup reported memory safety bugs present in Firefox 49 and Firefox ESR 45.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code.

References