Summary
The host is installed with Mozilla Firefox and is prone to multiple vulnerabilities.
Impact
Successful exploitation will let attackers conduct cross-site scripting attacks, cause a denial of service (memory corruption and application crash), or possibly execute arbitrary code via unspecified vectors.
Impact Level: System/Application
Solution
Upgrade to Mozilla Firefox version 16.0 or later.
For updates refer to http://www.mozilla.com/en-US/firefox/all.html
Insight
The flaws are due to:
- Memory corruption issues.
- An error within Chrome Object Wrapper (COW) when handling the 'InstallTrigger' object, which can be exploited to access certain privileged functions and properties.
- A use-after-free in the IME State Manager code.
- A combination of invoking full-screen mode and navigating backwards in history, which could, in some circumstances, cause a hang or crash due to a timing-dependent use-after-free pointer reference.
- Several methods of a feature used for testing (DOMWindowUtils) not being protected by existing security checks, allowing these methods to be called through script by web pages.
- An error when the GetProperty function is invoked through JSAPI, allowing security checks to be bypassed when getting cross-origin properties.
- An issue with spoofing of the location property.
- Use-after-free, buffer overflow, and out-of-bounds read issues.
- The location property being accessible by binary plugins through top.location, while top can be shadowed by Object.defineProperty as well. This can allow for possible XSS attacks through plugins.
- Several memory safety bugs in the browser engine used in Mozilla products.
Affected
Mozilla Firefox versions before 16.0 on Windows
References
- http://secunia.com/advisories/50856
- http://secunia.com/advisories/50935
- http://www.mozilla.org/security/announce/2012/mfsa2012-74.html
- http://www.mozilla.org/security/announce/2012/mfsa2012-77.html
- http://www.mozilla.org/security/announce/2012/mfsa2012-79.html
- http://www.mozilla.org/security/announce/2012/mfsa2012-81.html
- http://www.mozilla.org/security/announce/2012/mfsa2012-82.html
- http://www.mozilla.org/security/announce/2012/mfsa2012-83.html
- http://www.mozilla.org/security/announce/2012/mfsa2012-84.html
- http://www.mozilla.org/security/announce/2012/mfsa2012-85.html
- http://www.mozilla.org/security/announce/2012/mfsa2012-86.html
- http://www.mozilla.org/security/announce/2012/mfsa2012-87.html
Updated on 2015-03-25
Severity
Classification
CVSS Base Score: 10.0
AV:N/AC:L/Au:N/C:C/I:C/A:C