MS-ISAC CYBERSECURITY ADVISORIES

MS-ISAC ADVISORY NUMBER:
2017-009

DATE(S) ISSUED:
01/27/2017 - Updated

SUBJECT:
January 27 – UPDATED SUBJECT: Multiple Vulnerabilities in Mozilla Products Could Allow for Arbitrary Code Execution

ORIGINAL OVERVIEW:

Multiple vulnerabilities have been identified in Mozilla Firefox and Firefox Extended Support Release (ESR), which could allow for arbitrary code execution. Mozilla Firefox is a web browser used to access the Internet. Mozilla Firefox ESR is a version of the web browser intended to be deployed in large organizations. Successful exploitation of these vulnerabilities could allow an attacker to bypass same-origin policy restrictions to access data, and execute arbitrary code in the context of the user running the affected application. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

January 27 – UPDATED OVERVIEW:
Multiple vulnerabilities have been identified in Mozilla Thunderbird, Firefox and Firefox Extended Support Release (ESR), which could allow for arbitrary code execution. Mozilla Firefox is a web browser used to access the Internet. Mozilla Firefox ESR is a version of the web browser intended to be deployed in large organizations. Mozilla Thunderbird is an email client. Successful exploitation of these vulnerabilities could allow an attacker to bypass same-origin policy restrictions to access data, and execute arbitrary code in the context of the user running the affected application. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • Mozilla Firefox versions prior to 51
  • Mozilla Firefox ESR versions prior to 45.7

January 27 – UPDATED SYSTEMS AFFECTED:
Mozilla Thunderbird versions prior to 45.7
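As an added example (not part of the MS-ISAC advisory), the following script checks a software inventory against the fixed versions listed above (Firefox 51, Firefox ESR 45.7, Thunderbird 45.7); the hostnames and version strings in the sample inventory are constructed, and the ESR channel is recognised by the "esr" suffix Mozilla uses in its version strings.

```python
"""Triage inventory entries against MS-ISAC advisory 2017-009 thresholds.
Added example; the sample inventory below is constructed, not real data."""
from typing import List, Tuple

# Fixed versions taken from the advisory's SYSTEMS AFFECTED section:
# any version that sorts below these is in the affected range.
FIXED_VERSIONS = {
    "firefox": (51,),
    "firefox-esr": (45, 7),
    "thunderbird": (45, 7),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn strings such as '45.6.0esr' or '50.1.0' into comparable int tuples."""
    text = text.strip().lower().replace("esr", "")
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(product: str, version: str) -> bool:
    """True when product/version falls inside the advisory's affected range."""
    key = product.strip().lower()
    if key == "firefox" and version.strip().lower().endswith("esr"):
        key = "firefox-esr"  # ESR channel has its own fixed version
    if key not in FIXED_VERSIONS:
        raise ValueError(f"product not covered by this advisory: {product}")
    # Tuple comparison: (45, 6, 0) < (45, 7) but (45, 7, 0) >= (45, 7)
    return parse_version(version) < FIXED_VERSIONS[key]


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (host, product, version) entries that still need the update."""
    return [(h, p, v) for h, p, v in inventory if is_affected(p, v)]


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("ws-01", "Firefox", "50.1.0"),
    ("ws-02", "Firefox", "51.0"),
    ("ws-03", "Firefox", "45.6.0esr"),
    ("ws-04", "Firefox", "45.7.0esr"),
    ("ws-05", "Thunderbird", "45.6.0"),
    ("ws-06", "Thunderbird", "45.7.1"),
]

if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is below the fixed version; update required")
```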

RISK:

Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Firefox and Firefox Extended Support Release (ESR). The most severe of these vulnerabilities could allow for arbitrary code execution. These vulnerabilities could be exploited if a user visits or is redirected to a specially-crafted webpage or opens a specially-crafted file. Details of these vulnerabilities are as follows:

  • Memory safety bugs fixed in Firefox 51 and Firefox ESR 45.7. (CVE-2017-5373)
  • JIT code allocation can allow for a bypass of ASLR and DEP protections leading to potential memory corruption attacks. (CVE-2017-5375)
  • A use-after-free vulnerability exists while manipulating XSL in XSLT documents. (CVE-2017-5376)
  • A memory corruption vulnerability in Skia that can occur when using transforms to make gradients, resulting in a potentially exploitable crash. (CVE-2017-5377)
  • Pointer and frame data leakage of JavaScript objects. (CVE-2017-5378)
  • A use-after-free vulnerability exists in Web Animations when interacting with cycle collection, found through fuzzing. (CVE-2017-5379)
  • A potential use-after-free vulnerability found through fuzzing during DOM manipulation of SVG content. (CVE-2017-5380)
  • URLs containing certain unicode glyphs for alternative hyphens and quotes do not properly trigger punycode display, allowing for domain name spoofing attacks in the location bar. (CVE-2017-5383)
  • WebExtension scripts can use the data: protocol to affect pages loaded by other web extensions using this protocol, leading to potential data disclosure or privilege escalation in affected extensions. (CVE-2017-5386)
  • WebExtensions can install additional add-ons via modified host requests. (CVE-2017-5389)
  • The JSON viewer in the Developer Tools uses insecure methods to create a communication channel for copying and viewing JSON or HTTP headers data, allowing for potential privilege escalation. (CVE-2017-5390)
  • A use-after-free vulnerability exists in the Media Decoder when working with media files when some events are fired after the media elements are freed from memory. (CVE-2017-5396)
  • The "export" function in the Certificate Viewer can force local filesystem navigation when the "common name" in a certificate contains slashes, allowing certificate content to be saved in unsafe locations with an arbitrary filename. (CVE-2017-5381)
  • Feed preview for RSS feeds can be used to capture errors and exceptions generated by privileged content, allowing for the exposure of internal information not meant to be seen by web content. (CVE-2017-5382)
  • Proxy Auto-Config (PAC) files can specify a JavaScript function called for all URL requests with the full URL path which exposes more information than would be sent to the proxy itself in the case of HTTPS. Normally the Proxy Auto-Config file is specified by the user or machine owner and presumed to be non-malicious, but if a user has enabled Web Proxy Auto Detect (WPAD) this file can be served remotely. (CVE-2017-5384)
  • Data sent within multipart channels, such as the multipart/x-mixed-replace MIME type, will ignore the referrer-policy response header, leading to potential information disclosure for sites using this header. (CVE-2017-5385)
  • Special “about:” pages used by web content, such as RSS feeds, can load privileged about: pages in an iframe. If a content-injection bug were found in one of those pages this could allow for potential privilege escalation. (CVE-2017-5391)
  • The “mozAddonManager” allows for the installation of extensions from the CDN for addons.mozilla.org, a publicly accessible site. This could allow malicious extensions to install additional extensions from the CDN in combination with an XSS attack on Mozilla AMO sites. (CVE-2017-5393)
  • The existence of a specifically requested local file can be found due to the double firing of the onerror when the source attribute on a <track> tag refers to a file that does not exist if the source page is loaded locally. (CVE-2017-5387)
  • A STUN server in conjunction with a large number of webkitRTCPeerConnection objects can be used to send large STUN packets in a short period of time due to a lack of rate limiting being applied on e10s systems, allowing for a denial of service attack. (CVE-2017-5388)
  • A memory corruption that could be exploited to run arbitrary code. (CVE-2017-5374)
  • Weak proxy objects have weak references on multiple threads when they should only have them on one, resulting in incorrect memory usage and corruption, which leads to potentially exploitable crashes. (CVE-2017-5392)
  • A location bar spoofing attack exists where the location bar of loaded page will be shown over the content of another tab due to a series of JavaScript events combined with fullscreen mode. (CVE-2017-5394)
  • Malicious sites can display a spoofed location bar on a subsequently loaded page when the existing location bar on the new page is scrolled out of view if navigations between pages can be timed correctly. (CVE-2017-5395)

Successful exploitation of these vulnerabilities could allow an attacker to bypass same-origin policy restrictions to access data and execute arbitrary code in the context of the user running the affected application. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate updates provided by Mozilla to vulnerable systems, immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources.
  • Apply the Principle of Least Privilege to all systems and services.

REFERENCES:

Mozilla:

https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/

https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/

CVE:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5373

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5374

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5375

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5376

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5377

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5378

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5379

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5380

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5381

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5382

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5383

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5384

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5385

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5386

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5387

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5388

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5389

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5390

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5391

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5392

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5393

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5394

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5395

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5396


January 27 – UPDATED REFERENCES:
Mozilla:

https://www.mozilla.org/en-US/security/advisories/mfsa2017-03/