MS-ISAC CYBERSECURITY ADVISORIES

MS-ISAC ADVISORY NUMBER:
2016-032

DATE(S) ISSUED:
02/12/2016

SUBJECT:
Multiple Vulnerabilities in Mozilla Firefox Could Allow for Arbitrary Code Execution

OVERVIEW:

Multiple vulnerabilities have been identified in Mozilla Firefox and Firefox ESR, which could allow for arbitrary code execution. Mozilla Firefox is a web browser used to access the Internet. Mozilla Firefox ESR is a version of the web browser intended to be deployed in large organizations. Exploitation of these issues could allow an attacker to bypass same-origin policy restrictions to access data, and execute arbitrary code in the context of the affected application.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • Mozilla Firefox versions prior to 44.0.2

  • Mozilla Firefox ESR versions prior to 38.6.1

RISK:

Government:

  • Large and medium government entities: High

  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High

  • Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:

Mozilla has confirmed multiple vulnerabilities in Firefox and Firefox ESR. Exploitation of these vulnerabilities could allow an attacker to execute arbitrary code, bypass the same-origin policy and other security restrictions, and perform unauthorized actions. These vulnerabilities could be exploited if a user visits or is redirected to a specially crafted webpage or opens a specially crafted file. Details of these vulnerabilities are as follows:

  • A same-origin policy bypass vulnerability exists because service workers can intercept responses to plugin network requests made through the browser. (CVE-2016-1949)

  • Multiple vulnerabilities in the Graphite 2 “smart font” library could allow for arbitrary code execution in Firefox ESR via a special CNTXT_ITEM instruction. (CVE-2016-1523)

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate updates provided by Mozilla to vulnerable systems, immediately after appropriate testing.

  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.

  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially those from untrusted sources.
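As an added example (not part of the MS-ISAC advisory or Mozilla's own tooling), the following Python script checks an inventory of Firefox installs against the fixed versions named in this advisory, keeping the ESR branch separate from the release branch and comparing versions numerically rather than as strings. The inventory records and the "channel" label an inventory tool might attach are constructed assumptions.

```python
"""Classify Firefox installs against the fixed versions in MS-ISAC 2016-032.

Added illustration, not MS-ISAC or Mozilla code. The inventory below is
constructed sample data; the optional 'channel' field is an assumption about
how an asset inventory might label ESR builds.
"""
import re

# Fixed versions named in the advisory, keyed by release channel.
FIXED = {
    "release": (44, 0, 2),  # Firefox versions prior to 44.0.2 are affected
    "esr": (38, 6, 1),      # Firefox ESR versions prior to 38.6.1 are affected
}

def parse_version(text):
    """Turn '44.0.2', '38.6.0esr' or '44.0.2 (x64)' into a tuple of ints.

    Numeric comparison matters: as strings, '44.0.10' sorts before '44.0.2'.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError("unrecognised Firefox version: %r" % text)
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Pad so a two-part '43.0' compares like '43.0.0' against the thresholds.
    return parts + (0,) * (3 - len(parts))

def channel_of(text, channel=None):
    """Prefer an explicit inventory channel; otherwise infer ESR from the string."""
    if channel:
        return channel.lower()
    return "esr" if "esr" in text.lower() else "release"

def is_vulnerable(version_text, channel=None):
    """True when the install predates the fixed version for its channel."""
    return parse_version(version_text) < FIXED[channel_of(version_text, channel)]

def triage(inventory):
    """Return the hostnames that still need the Mozilla update applied."""
    return sorted(host for host, ver, chan in inventory if is_vulnerable(ver, chan))

# Constructed sample inventory: (hostname, reported version, channel or None).
SAMPLE_INVENTORY = [
    ("ws-01", "44.0.1", None),     # release build one short of the fix
    ("ws-02", "44.0.2", None),     # patched release build
    ("ws-03", "44.0.10", None),    # string comparison would wrongly flag this
    ("ws-04", "38.6.0esr", None),  # ESR build below 38.6.1
    ("ws-05", "38.6.1", "esr"),    # ESR identified only by the inventory field
    ("ws-06", "43.0", None),       # two-part version on the release channel
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print("needs update:", host)
```

A bare ESR version such as "38.6.1" with no channel label is classified as an old release build and flagged, so inventory sources should record the channel where they can.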

REFERENCES:

Mozilla:

https://www.mozilla.org/en-US/security/advisories/mfsa2016-13

https://www.mozilla.org/en-US/security/advisories/mfsa2016-14

CVE:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1949

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1523