VCID-2w58-mdmk-guh8

Mozilla has updated the version of the Network Security Services (NSS) library used in Firefox to NSS 3.23. This addresses four moderate-rated networking security issues reported by Mozilla engineers Tyson Smith and Jed Davis.

CVE-2016-2834

VCID-4gwx-75uj-tyep

Mozilla community member jomo reported a use-after-free crash when processing WebGL content. This issue was caused by the use of a texture after its recycle pool has been destroyed during WebGL operations, which frees the memory associated with the texture. This results in a potentially exploitable crash when the texture is later called.

CVE-2016-2828

VCID-bd3j-r1wt-dyf4

Security researcher sushi Anton Larsson reported that when paired fullscreen and pointerlock requests are done in combination with closing windows, a pointerlock can be created within a fullscreen window without user permission. This pointerlock cannot then be cancelled without terminating the browser, resulting in a persistent denial of service attack. This can also be used for spoofing and clickjacking attacks against the browser UI.

CVE-2016-2831

VCID-bp6q-cu6s-2ke7

Mozilla developers and community members reported several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code.

CVE-2016-2818

VCID-c6jc-3917-x7dx

Security researcher Tim McCormack reported that when a page requests a series of permissions in a short timespan, the resulting permission notifications can show the icon for the wrong permission request. This can lead to user confusion and inadvertent consent given when a user is prompted by web content to give permissions, such as for geolocation or microphone access.

CVE-2016-2829

VCID-ev18-anej-zbap

Security researcher Jordi Chancel reported a method to spoof the contents of the address bar. This uses a persistent menu within a <select> element, which acts as a container for HTML content and can be placed in an arbitrary location. When placed over the address bar, this can mask the true site URL, allowing for spoofing by a malicious site.

CVE-2016-2822

VCID-k813-qahc-ubf4

Security researcher Aral reported an out-of-bounds write when using the ANGLE graphics library, which is used for WebGL content on Windows systems. This crash occurs due to improper size checking while writing to an array during some WebGL shader operations.

The ANGLE graphics library is only used on Windows. Linux, OS X, and Android operating systems are not affected by this vulnerability.

CVE-2016-2824

VCID-kvkh-dxw4-rfde

Security researcher firehack reported a buffer overflow when parsing HTML5 fragments in a foreign context such as under an <svg> node. This results in a potentially exploitable crash when inserting an HTML fragment into an existing document.

CVE-2016-2819

VCID-qa9c-xyvd-kygu

Mozilla developer John Schoenick reported that CSS pseudo-classes can be used by web content to leak information on plugins that are installed but disabled. This can be used for information disclosure through a fingerprinting attack that lists all of the plugins installed by a user on a system, even when they are disabled.

CVE-2016-2832

VCID-qu9b-rst3-v7fa

Security researcher Frédéric Hoguin reported a mechanism where the Mozilla Windows updater could be used to overwrite arbitrary files. He found that files extracted by the updater from a MAR archive are not locked for writing and can be overwritten by other processes while the updater is running. A malicious local program could invoke the updater and then interfere with the extracted files, replacing them with its own. This vulnerability could be used for privilege escalation if these overwritten files were later invoked by other Windows components that had higher privileges.

This issue does not affect non-Windows operating systems.

CVE-2016-2826

VCID-qzrz-4abn-q7f2

Security researcher Armin Ebert reported that the location.host property can be set to an arbitrary string after creating an invalid data: URI. This allows for a bypass of some same-origin policy protections. This issue is mitigated because the data: URI remains in use, and same-origin checks for http: or https: are still enforced correctly. As a result, cookie stealing and other common same-origin bypass attacks are not possible.

CVE-2016-2825

VCID-sr99-hhmv-xkhq

Security researcher firehack used the Address Sanitizer tool to discover a use-after-free in contenteditable mode. This occurs when deleting document object model (DOM) table elements created within the editor and results in a potentially exploitable crash.

CVE-2016-2821

VCID-vzwe-r2ms-m7bv

Mozilla engineer Matt Wobensmith reported that Content Security Policy (CSP) does not block the loading of cross-domain Java applets when specified by policy. This is because the Java applet is loaded by the Java plugin, which then mediates all network requests without checking against CSP. This could allow a malicious site to manipulate content through a Java applet to bypass CSP protections, allowing for possible cross-site scripting (XSS) attacks.

CVE-2016-2833