[PCWorks] Mozilla Firefox Multiple Vulnerabilities

  • From: "Clint Hamilton-PCWorks Admin" <PCWorks@xxxxxxxxxxxxxxxxxxxxxxxx>
  • To: "PCWorks@xxxxxxxxxxxxx" <pcworks@xxxxxxxxxxxxx>
  • Date: Thu, 27 Sep 2012 03:03:09 -0500

TITLE:
Mozilla Firefox Multiple Vulnerabilities

Criticality level:  Highly critical
Impact:  Cross Site Scripting, System access, Spoofing,
Exposure of sensitive information, Security Bypass
Where:  From remote

SECUNIA ADVISORY ID:
SA50088

DESCRIPTION:
Multiple vulnerabilities have been reported in Mozilla Firefox, which
can be exploited by malicious people to disclose potentially sensitive
information, conduct cross-site scripting and phishing attacks, and
compromise a user's system.

1) Several unspecified errors in the browser engine can be exploited
to corrupt memory.

2) A use-after-free error in nsHTMLEditor::CollapseAdjacentTextNodes
can be exploited to dereference already freed memory.

3) A use-after-free error in nsObjectLoadingContent::LoadObject can
be exploited to dereference already freed memory.

4) A use-after-free error in gfxTextRun::CanBreakLineBefore can be
exploited to dereference already freed memory.

5) A use-after-free error in PresShell::CompleteMove can be exploited
to dereference already freed memory.

6) A use-after-free error in nsHTMLSelectElement::SubmitNamesValues
can be exploited to dereference already freed memory.

7) A use-after-free error in MediaStreamGraphThreadRunnable::Run()
can be exploited to dereference already freed memory.

8) An unspecified error in nsBlockFrame::MarkLineDirty can be
exploited to cause a heap-based buffer overflow.

9) A use-after-free error in nsHTMLEditRules::DeleteNonTableElements
can be exploited to dereference already freed memory.

10) A use-after-free error in nsRangeUpdater::SelAdjDeleteNode can be
exploited to dereference already freed memory.

11) A use-after-free error in mozSpellChecker::SetCurrentDictionary
can be exploited to dereference already freed memory.

12) A use-after-free error in RangeData::~RangeData can be exploited
to dereference already freed memory.

13) A bad iterator in text runs can be exploited to corrupt memory.

14) A use-after-free error in js::gc::MapAllocToTraceKind can be
exploited to dereference already freed memory.

15) A use-after-free error in gfxTextRun::GetUserData can be
exploited to dereference already freed memory.

16) An error allows shadowing the location object using
Object.defineProperty, which can be exploited to confuse the current
location to plugins and possibly conduct cross-site scripting
attacks.

17) An error when a page opens a new tab allows opening a subsequent
window that can be navigated to the chrome-privileged page
"about:newtab".

18) An error when decoding a bitmap image with a negative "height"
header value embedded in an icon file can be exploited to corrupt
memory.

19) A use-after-free error when calling WebGL shaders after being
destroyed can be exploited to dereference already freed memory.

20) An error in the Mesa drivers on Linux can be exploited to corrupt
stack memory when using more than 16 sampler uniforms.

21) A signedness error in nsSVGFEMorphologyElement::Filter can be
exploited to cause a heap-based buffer overflow.

22) A use-after-free error in nsTArray_base::Length can be exploited
to dereference already freed memory when an element with a
"requiredFeatures" attribute is moved between documents.

23) Two errors in graphite2::Silf::readClassMap and
graphite2::Pass::readPass within the Graphite 2 library can be
exploited to corrupt memory.

24) An error in the DOMParser when used to parse text/html data in a
Firefox extension causes linked resources to be loaded, which may
leak information.

25) An error may cause SSL certificate information for a previous
site to be displayed on the addressbar after another site has been
loaded by firing two "onLocationChange" events in unexpected order.

26) An error can be exploited to bypass checks for
nsLocation::CheckURL and load restricted content.

27) In certain places, __android_log_print is called insecurely when
a web page uses a "dump()" statement with a specially crafted string.

28) An error in the web console can be exploited to inject arbitrary
code that will be executed with chrome privileges.

SOLUTION:
Upgrade to version 15.

ORIGINAL ADVISORY:
Mozilla:
http://www.mozilla.org/security/announce/2012/mfsa2012-57.html
http://www.mozilla.org/security/announce/2012/mfsa2012-58.html
http://www.mozilla.org/security/announce/2012/mfsa2012-59.html
http://www.mozilla.org/security/announce/2012/mfsa2012-60.html
http://www.mozilla.org/security/announce/2012/mfsa2012-61.html
http://www.mozilla.org/security/announce/2012/mfsa2012-62.html
http://www.mozilla.org/security/announce/2012/mfsa2012-63.html
http://www.mozilla.org/security/announce/2012/mfsa2012-64.html
http://www.mozilla.org/security/announce/2012/mfsa2012-65.html
http://www.mozilla.org/security/announce/2012/mfsa2012-66.html
http://www.mozilla.org/security/announce/2012/mfsa2012-67.html
http://www.mozilla.org/security/announce/2012/mfsa2012-68.html
http://www.mozilla.org/security/announce/2012/mfsa2012-69.html
http://www.mozilla.org/security/announce/2012/mfsa2012-70.html
http://www.mozilla.org/security/announce/2012/mfsa2012-71.html
http://www.mozilla.org/security/announce/2012/mfsa2012-72.html
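
Added example, not part of the Secunia advisory and not Mozilla's code: a
strict header check of the kind that guards a decoder against the input class
in item 18 (a negative "height" in a bitmap embedded in an icon file). The
function and sample names are hypothetical; it assumes a 40-byte
BITMAPINFOHEADER with biClrUsed of 0, and requiring the header to match the
icon directory entry is a policy chosen for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum dib_status { DIB_OK, DIB_TRUNCATED, DIB_BAD_HEADER, DIB_BAD_DIMENSIONS };

static uint32_t rd32(const uint8_t *p) {   /* little-endian 32-bit read */
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Validate the BITMAPINFOHEADER that starts a BMP-format ICO image payload.
 * dir_w/dir_h are the directory entry's width/height bytes (0 means 256).
 * On success *pixel_bytes receives the size of the colour (XOR) bitmap. */
enum dib_status ico_dib_check(const uint8_t *img, size_t len, uint8_t dir_w,
                              uint8_t dir_h, size_t *pixel_bytes) {
    if (len < 40) return DIB_TRUNCATED;
    if (rd32(img) != 40) return DIB_BAD_HEADER;          /* biSize */
    /* biWidth/biHeight are signed in the format. Keep them signed so a
     * negative value is rejected here, not reinterpreted as a huge size. */
    int32_t w = (int32_t)rd32(img + 4);
    int32_t h = (int32_t)rd32(img + 8);
    uint32_t bpp = img[14] | (uint32_t)img[15] << 8;     /* biBitCount */
    int32_t want_w = dir_w ? dir_w : 256;
    int32_t want_h = dir_h ? dir_h : 256;
    /* In an ICO, biHeight covers colour bitmap plus AND mask: exactly twice
     * the directory height, and never negative (no top-down DIBs). */
    if (w != want_w || h != 2 * want_h) return DIB_BAD_DIMENSIONS;
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 24 && bpp != 32)
        return DIB_BAD_HEADER;
    /* Dimensions are now bounded (<= 256), so this arithmetic cannot wrap. */
    size_t palette = bpp <= 8 ? ((size_t)4 << bpp) : 0;  /* assumes biClrUsed 0 */
    size_t xor_stride = (((size_t)w * bpp + 31) / 32) * 4;
    size_t and_stride = (((size_t)w + 31) / 32) * 4;
    size_t need = 40 + palette + (xor_stride + and_stride) * (size_t)want_h;
    if (len < need) return DIB_TRUNCATED;
    *pixel_bytes = xor_stride * (size_t)want_h;
    return DIB_OK;
}

/* Constructed sample (not a real file): 16x16, 32 bpp payload whose biHeight
 * is chosen by the caller. buf must hold SAMPLE_LEN bytes. */
enum { SAMPLE_LEN = 40 + (64 + 4) * 16 };
void sample_image(uint8_t *buf, int32_t bi_height) {
    uint32_t h = (uint32_t)bi_height;
    memset(buf, 0, SAMPLE_LEN);
    buf[0] = 40; buf[4] = 16; buf[12] = 1; buf[14] = 32;
    for (int i = 0; i < 4; i++) buf[8 + i] = (uint8_t)(h >> (8 * i));
}
```

A decoder would allocate and copy only after this returns DIB_OK, sizing its
buffers from the validated values rather than from the raw header fields.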

