Multiple Vulnerabilities in Mozilla Firefox Could Allow for Arbitrary Code Execution

ITS Advisory Number: 
2016-030
Date(s) Issued: 
Friday, February 12, 2016
Subject: 
Multiple Vulnerabilities in Mozilla Firefox Could Allow for Arbitrary Code Execution
Overview: 

Multiple vulnerabilities have been identified in Mozilla Firefox and Firefox ESR, which could allow for arbitrary code execution. Mozilla Firefox is a web browser used to access the Internet. Mozilla Firefox ESR is a version of the web browser intended to be deployed in large organizations. Exploitation of these issues could allow an attacker to bypass same-origin policy restrictions to access data, and execute arbitrary code in the context of the affected application. 

Systems Affected: 
  • Mozilla Firefox versions prior to 44.0.2
  • Mozilla Firefox ESR versions prior to 38.6.1
RISK
GOVERNMENT
Large and medium government entities: 
High
Small government entities: 
High
BUSINESS
Large and medium business entities: 
High
Small business entities: 
High
Home Users: 
High
Description: 

Mozilla has confirmed multiple vulnerabilities in Firefox and Firefox ESR. Exploitation of these vulnerabilities could allow for arbitrary code execution, bypass the same-origin policy and other security restrictions, and perform unauthorized actions. These vulnerabilities could be exploited if a user visits or is redirected to a specially-crafted webpage or opens a specially-crafted file. Details of these vulnerabilities are as follows:

  • A Same-Origin-Bypass vulnerability occurs because service workers intercept responses to plugin network requests made through the browser. (CVE-2016-1949)
  • Multiple vulnerabilities in the Graphite 2 "smart font" library could allow for arbitrary code execution in Firefox ESR by using a special CNTXT_ITEM instruction.(CVE-2016-1523)
Actions: 
  • Apply appropriate updates provided by Mozilla to vulnerable systems, immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources.