Web Attack: Mozilla Firefox CVE-2016-9899

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

Attackers can exploit these issues to steal cookie-based authentication credentials, bypass certain security restrictions, obtain sensitive information and execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions.

Additional Information

Firefox is a web browser available for multiple platforms.

Mozilla Firefox is prone to the following security vulnerabilities:

1. A Use-after-free vulnerability that occurs due to an error in the handling of node adoption. Specifically, this issue occurs when manipulating DOM events and removing audio elements. [CVE-2016-9899]

2. A security bypass vulnerability that occurs because event handlers on marquee elements were executed despite a strict Content Security Policy (CSP) that disallowed inline JavaScript. [CVE-2016-9895]

3. A memory-corruption vulnerability that occurs within the 'libGLES' development package. Specifically, this issue results in a potentially exploitable crash during 'WebGL' functions using a vector constructor with a varying array. [CVE-2016-9897]

4. A Use-after-free vulnerability that occurs when manipulating DOM subtrees in the Editor. An attacker can leverage this issue to crash the affected application. [CVE-2016-9898]

5. A security bypass vulnerability that occurs because restricted external resources can be loaded by 'SVG' images through data URLs. An attacker can leverage this issue to cause cross-domain data leakage. [CVE-2016-9900]

6. An information disclosure vulnerability that occurs because it is possible to determine whether an atom is used by another compartment/zone in specific contexts. An attacker can leverage this issue to obtain usernames embedded in JavaScript code, across websites. [CVE-2016-9904]

7. An HTML-injection vulnerability that occurs because the application fails to properly sanitize the HTML tags received from the Pocket server. An attacker can leverage this issue to gain access to Pocket's messaging API. [CVE-2016-9901]

8. A same-origin policy security bypass vulnerability that occurs because the Pocket toolbar button fails to properly verify the origin of incoming events. An attacker can exploit this issue to fire events from other origins and inject content and commands into the Pocket context. [CVE-2016-9902]

9. An unspecified memory-corruption vulnerability. Successful exploits may allow attackers to run arbitrary code. [CVE-2016-9080]

Note #1: This issue exists only in Firefox 50.0.2 and Firefox ESR 45.5.1.
Note #2: This issue does not affect users with e10s enabled.

Affected

  • Firefox 50.0.2 and Firefox ESR 45.5.1