Multiple vulnerabilities have been identified in Mozilla Firefox and Firefox ESR, which could allow for arbitrary code execution. Mozilla Firefox is a web browser used to access the Internet. Mozilla Firefox ESR is a version of the web browser intended to be deployed in large organizations. Exploitation of these issues could allow an attacker to bypass same-origin policy restrictions to access data, and execute arbitrary code in the context of the affected application.
- Mozilla Firefox versions prior to 44.0.2
- Mozilla Firefox ESR versions prior to 38.6.1
Mozilla has confirmed multiple vulnerabilities in Firefox and Firefox ESR. Exploitation of these vulnerabilities could allow an attacker to execute arbitrary code, bypass the same-origin policy and other security restrictions, and perform unauthorized actions. These vulnerabilities could be exploited if a user visits or is redirected to a specially crafted webpage or opens a specially crafted file. Details of these vulnerabilities are as follows:
- A same-origin bypass vulnerability exists because service workers can intercept responses to plugin network requests made through the browser. (CVE-2016-1949)
- Multiple vulnerabilities in the Graphite 2 "smart font" library could allow for arbitrary code execution in Firefox ESR through a specially crafted CNTXT_ITEM instruction. (CVE-2016-1523)
- Apply appropriate updates provided by Mozilla to vulnerable systems, immediately after appropriate testing.
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
- Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
- Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially those from untrusted sources.
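To support the update recommendation above, the following added example (not part of the advisory or of any Mozilla tooling) triages a software inventory against the fixed versions stated in this advisory, 44.0.2 for the release channel and 38.6.1 for ESR. The inventory lines, hostnames and the line format are constructed for illustration; version components are compared numerically so that a build such as 44.0.10 is not misclassified by a plain string comparison.

```python
import re

# Fixed versions stated in the advisory; anything older on the same channel is affected.
FIXED_RELEASE = (44, 0, 2)
FIXED_ESR = (38, 6, 1)

# Constructed inventory (hypothetical hosts), one "host channel version" per line.
SAMPLE_INVENTORY = """\
ws-01 Firefox 44.0.1
ws-02 Firefox 44.0.2
ws-03 Firefox 45.0
srv-01 Firefox ESR 38.6.0
srv-02 Firefox ESR 38.6.1esr
srv-03 Firefox ESR 38.5.2
"""

LINE_RE = re.compile(r"^(?P<host>\S+)\s+Firefox(?P<esr>\s+ESR)?\s+(?P<ver>\S+)$")


def parse_version(text):
    """'44.0.10' -> (44, 0, 10); trailing tags such as 'esr' or 'b1' are dropped.

    Tuples of ints compare numerically, so 44.0.10 sorts after 44.0.2
    (a string comparison would wrongly rank '44.0.10' below '44.0.2')."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version, esr=False):
    """True when the installed build predates the fixed version for its channel."""
    fixed = FIXED_ESR if esr else FIXED_RELEASE
    return parse_version(version) < fixed


def triage(inventory):
    """Return {host: vulnerable} for every parsable line of the inventory text."""
    result = {}
    for line in inventory.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than silently misclassify them
        result[m["host"]] = is_vulnerable(m["ver"], esr=bool(m["esr"]))
    return result


if __name__ == "__main__":
    for host, vuln in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {'UPDATE REQUIRED' if vuln else 'ok'}")
```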