Mozilla Foundation Security Advisory 2016-89

Security vulnerabilities fixed in Firefox 50

Announced November 15, 2016 Impact critical Products Firefox Fixed in Firefox 50

# CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1 Reporter Abhishek Arya Impact critical Description A heap-buffer-overflow in Cairo when processing SVG content caused by compiler optimization, resulting in a potentially exploitable crash. References Bug 1292443

# CVE-2016-5292: URL parsing causes crash Reporter Daniel Browning Impact high Description During URL parsing, a maliciously crafted URL can cause a potentially exploitable crash. References Bug 1288482

# CVE-2016-5293: Write to arbitrary file with Mozilla Updater and Maintenance Service using updater.log hardlink Reporter Holger Fuhrmannek Impact high Description When the Mozilla Updater is run, if the Updater's log file in the working directory points to a hardlink, data can be appended to an arbitrary local file. This vulnerability requires local system access.

Note: this issue only affects Windows operating systems. References Bug 1246945

# CVE-2016-5294: Arbitrary target directory for result files of update process Reporter Holger Fuhrmannek Impact high Description The Mozilla Updater can be made to choose an arbitrary target working directory for output files resulting from the update process. This vulnerability requires local system access.

Note: this issue only affects Windows operating systems. References Bug 1246972

# CVE-2016-5297: Incorrect argument length checking in JavaScript Reporter André Bargull Impact high Description An error in argument length checking in JavaScript, leading to potential integer overflows or other bounds checking issues. References Bug 1303678

# CVE-2016-9064: Add-ons update must verify IDs match between current and new versions Reporter Multiple people Impact high Description Add-on updates failed to verify that the add-on ID inside the signed package matched the ID of the add-on being updated. An attacker who could perform a man-in-the-middle attack on the user's connection to the update server and defeat the certificate pinning protection could provide a malicious signed add-on instead of a valid update. References Bug 1303418

# CVE-2016-9065: Firefox for Android location bar spoofing using fullscreen Reporter Raphael Impact high Description The location bar in Firefox for Android can be spoofed by forcing a user into fullscreen mode, blocking its exiting, and creating of a fake location bar without any user notification.

Note: This issue only affects Firefox for Android. Other versions and operating systems are unaffected. References Bug 1306696

# CVE-2016-9066: Integer overflow leading to a buffer overflow in nsScriptLoadHandler Reporter Samuel Groß Impact high Description A buffer overflow resulting in a potentially exploitable crash due to memory allocation issues when handling large amounts of incoming data. References Bug 1299686

# CVE-2016-9068: heap-use-after-free in nsRefreshDriver Reporter Nils Impact high Description A use-after-free during web animations when working with timelines resulting in a potentially exploitable crash. References Bug 1302973

# CVE-2016-9072: 64-bit NPAPI sandbox isn't enabled on fresh profile Reporter Bob Owen Impact high Description When a new Firefox profile is created on 64-bit Windows installations, the sandbox for 64-bit NPAPI plugins is not enabled by default.

Note: This issue only affects 64-bit Windows. 32-bit Windows and other operating systems are unaffected. References Bug 1300083

# CVE-2016-9075: WebExtensions can access the mozAddonManager API and use it to gain elevated privileges Reporter Kris Maglione Impact high Description An issue where WebExtensions can use the mozAddonManager API to elevate privilege due to privileged pages being allowed in the permissions list. This allows a malicious extension to then install additional extensions without explicit user permission. References Bug 1295324

# CVE-2016-9077: Canvas filters allow feDisplacementMaps to be applied to cross-origin images, allowing timing attacks on them Reporter Markus Stange Impact high Description Canvas allows the use of the feDisplacementMap filter on images loaded cross-origin. The rendering by the filter is variable depending on the input pixel, allowing for timing attacks when the images are loaded from third party locations. References Bug 1298552

# CVE-2016-5291: Same-origin policy violation using local HTML file and saved shortcut file Reporter Yuyang Zhou Impact moderate Description A same-origin policy bypass with local shortcut files to load arbitrary local content from disk. References Bug 1292159

# CVE-2016-5295: Mozilla Maintenance Service: Ability to read arbitrary files as SYSTEM Reporter Holger Fuhrmannek Impact moderate Description This vulnerability allows an attacker to use the Mozilla Maintenance Service to escalate privilege by having the Maintenance Service invoke the Mozilla Updater to run malicious local files. This vulnerability requires local system access and is a variant of MFSA2013-44.

Note: this issue only affects Windows operating systems. References Bug 1247239

MFSA2013-44 - Local privilege escalation through Mozilla Maintenance Service

# CVE-2016-5298: SSL indicator can mislead the user about the real URL visited Reporter Jordi Chancel Impact moderate Description A mechanism where disruption of the loading of a new web page can cause the previous page's favicon and SSL indicator to not be reset when the new page is loaded.

Note: this issue only affects Firefox for Android. Desktop Firefox is unaffected. References Bug 1227538

# CVE-2016-5299: Firefox AuthToken in broadcast protected with signature-level permission can be accessed by an application installed beforehand that defines the same permissions Reporter Ken Okuyama Impact moderate Description A previously installed malicious Android application with same signature-level permissions as Firefox can intercept AuthTokens meant for Firefox only.

Note: This issue only affects Firefox for Android. Other versions and operating systems are unaffected. References Bug 1245791

# CVE-2016-9061: API key (glocation) in broadcast protected with signature-level permission can be accessed by an application installed beforehand that defines the same permissions Reporter Ken Okuyama Impact moderate Description A previously installed malicious Android application which defines a specific signature-level permissions used by Firefox can access API keys meant for Firefox only.

Note: This issue only affects Firefox for Android. Other versions and operating systems are unaffected. References Bug 1245795

# CVE-2016-9062: Private browsing browser traces (Android) in browser.db and wal file Reporter Daniel D. Impact moderate Description Private browsing mode leaves metadata information, such as URLs, for sites visited in browser.db and browser.db-wal files within the Firefox profile after the mode is exited.

Note: This issue only affects Firefox for Android. Other versions and operating systems are unaffected. References Bug 1294438

# CVE-2016-9070: Sidebar bookmark can have reference to chrome window Reporter Abdulrahman Alqabandi Impact moderate Description A maliciously crafted page loaded to the sidebar through a bookmark can reference a privileged chrome window and engage in limited JavaScript operations violating cross-origin protections. References Bug 1281071

# CVE-2016-9073: windows.create schema doesn't specify "format": "relativeUrl" Reporter Will Bamberg Impact moderate Description WebExtensions can bypass security checks to load privileged URLs and potentially escape the WebExtension sandbox. References Bug 1289273

# CVE-2016-9074: Insufficient timing side-channel resistance in divSpoiler Reporter Franziskus Kiefer Impact moderate Description An existing mitigation of timing side-channel attacks is insufficient in some circumstances. This issue is addressed in Network Security Services (NSS) 3.26.1. References Bug 1293334

# CVE-2016-9076: select dropdown menu can be used for URL bar spoofing on e10s Reporter Mats Palmgren Impact moderate Description An issue where a <select> dropdown menu can be used to cover location bar content, resulting in potential spoofing attacks. This attack requires e10s to be enabled in order to function. References Bug 1276976

# CVE-2016-9063: Possible integer overflow to fix inside XML_Parse in Expat Reporter Gustavo Grieco Impact low Description An integer overflow during the parsing of XML using the Expat library. References Bug 1274777

# CVE-2016-9071: Probe browser history via HSTS/301 redirect + CSP Reporter Xiaoyin Liu Impact low Description Content Security Policy combined with HTTP to HTTPS redirection can be used by malicious server to verify whether a known site is within a user's browser history. References Bug 1285003

# CVE-2016-5289: Memory safety bugs fixed in Firefox 50 Reporter Mozilla developers Impact critical Description Mozilla developers and community members Christian Holler, Andrew McCreight, Dan Minor, Tyson Smith, Jon Coppeard, Jan-Ivar Bruaroey, Jesse Ruderman, and Markus Stange reported memory safety bugs present in Firefox 49. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. References Memory safety bugs fixed in Firefox 50