Executive Summary



This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Summary
Title Firefox regression
Informations
Name USN-2102-2 First vendor Publication 2014-02-19
Vendor Ubuntu Last vendor Modification 2014-02-19
Severity (Vendor) N/A Revision N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score 10 Attack Range Network
Cvss Impact Score 10 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 13.10 - Ubuntu 12.10 - Ubuntu 12.04 LTS

Summary:

USN-2102-1 introduced a regression in Firefox.

Software Description: - firefox: Mozilla Open Source web browser

Details:

USN-2102-1 fixed vulnerabilities in Firefox. The update introduced a regression which could make Firefox crash under some circumstances. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

Christian Holler, Terrence Cole, Jesse Ruderman, Gary Kwong, Eric
Rescorla, Jonathan Kew, Dan Gohman, Ryan VanderMeulen, Carsten Book,
Andrew Sutherland, Byron Campen, Nicholas Nethercote, Paul Adenot, David
Baron, Julian Seward and Sotaro Ikeda discovered multiple memory safety
issues in Firefox. If a user were tricked in to opening a specially
crafted website, an attacker could potentially exploit these to cause a
denial of service via application crash, or execute arbitrary code with
the privileges of the user invoking Firefox. (CVE-2014-1477,
CVE-2014-1478)

Cody Crews discovered a method to bypass System Only Wrappers. An attacker
could potentially exploit this to steal confidential data or execute code
with the privileges of the user invoking Firefox. (CVE-2014-1479)

Jordi Chancel discovered that the downloads dialog did not implement a
security timeout before button presses are processed. An attacker could
potentially exploit this to conduct clickjacking attacks. (CVE-2014-1480)

Fredrik Lönnqvist discovered a use-after-free in Firefox. An attacker
could potentially exploit this to cause a denial of service via
application crash, or execute arbitrary code with the priviliges of the
user invoking Firefox. (CVE-2014-1482)

Jordan Milne discovered a timing flaw when using document.elementFromPoint
and document.caretPositionFromPoint on cross-origin iframes. An attacker
could potentially exploit this to steal confidential imformation.
(CVE-2014-1483)

Frederik Braun discovered that the CSP implementation in Firefox did not
handle XSLT stylesheets in accordance with the specification, potentially
resulting in unexpected script execution in some circumstances
(CVE-2014-1485)

Arthur Gerkis discovered a use-after-free in Firefox. An attacker could
potentially exploit this to cause a denial of service via application
crash, or execute arbitrary code with the priviliges of the user invoking
Firefox. (CVE-2014-1486)

Masato Kinugawa discovered a cross-origin information leak in web worker
error messages. An attacker could potentially exploit this to steal
confidential information. (CVE-2014-1487)

Yazan Tommalieh discovered that web pages could activate buttons on the
default Firefox startpage (about:home) in some circumstances. An attacker
could potentially exploit this to cause data loss by triggering a session
restore. (CVE-2014-1489)

Soeren Balko discovered a crash in Firefox when terminating web workers
running asm.js code in some circumstances. An attacker could potentially
exploit this to execute arbitrary code with the priviliges of the user
invoking Firefox. (CVE-2014-1488)

Several issues were discovered with ticket handling in NSS. An attacker
could potentially exploit these to cause a denial of service or bypass
cryptographic protection mechanisms. (CVE-2014-1490, CVE-2014-1491)

Boris Zbarsky discovered that security restrictions on window objects
could be bypassed under certain circumstances. (CVE-2014-1481)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 13.10:
firefox 27.0.1+build1-0ubuntu0.13.10.1

Ubuntu 12.10:
firefox 27.0.1+build1-0ubuntu0.12.10.1

Ubuntu 12.04 LTS:
firefox 27.0.1+build1-0ubuntu0.12.04.1

After a standard system update you need to restart Firefox to make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2102-2
http://www.ubuntu.com/usn/usn-2102-1
https://launchpad.net/bugs/1274468

Package Information:
https://launchpad.net/ubuntu/+source/firefox/27.0.1+build1-0ubuntu0.13.10.1
https://launchpad.net/ubuntu/+source/firefox/27.0.1+build1-0ubuntu0.12.10.1
https://launchpad.net/ubuntu/+source/firefox/27.0.1+build1-0ubuntu0.12.04.1

Original Source

Url : http://www.ubuntu.com/usn/USN-2102-2

CWE : Common Weakness Enumeration

% Id Name
29 % CWE-787 Out-of-bounds Write (CWE/SANS Top 25)
14 % CWE-416 Use After Free
14 % CWE-362 Race Condition
14 % CWE-346 Origin Validation Error
14 % CWE-326 Inadequate Encryption Strength
14 % CWE-264 Permissions, Privileges, and Access Controls

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:21707
 
Oval ID: oval:org.mitre.oval:def:21707
Title: RHSA-2014:0133: thunderbird security update (Important)
Description: The Web workers implementation in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allows remote attackers to bypass the Same Origin Policy and obtain sensitive authentication information via vectors involving error messages.
Family: unix Class: patch
Reference(s): RHSA-2014:0133-00
CESA-2014:0133
CVE-2014-1477
CVE-2014-1479
CVE-2014-1481
CVE-2014-1482
CVE-2014-1486
CVE-2014-1487
Version: 55
Platform(s): Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
CentOS Linux 5
CentOS Linux 6
Product(s): thunderbird
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:22218
 
Oval ID: oval:org.mitre.oval:def:22218
Title: USN-2102-1 -- firefox vulnerabilities
Description: Firefox could be made to crash or run programs as your login if it opened a malicious website.
Family: unix Class: patch
Reference(s): USN-2102-1
CVE-2014-1477
CVE-2014-1478
CVE-2014-1479
CVE-2014-1480
CVE-2014-1482
CVE-2014-1483
CVE-2014-1485
CVE-2014-1486
CVE-2014-1487
CVE-2014-1489
CVE-2014-1488
CVE-2014-1490
CVE-2014-1491
CVE-2014-1481
Version: 5
Platform(s): Ubuntu 13.10
Ubuntu 12.10
Ubuntu 12.04
Product(s): firefox
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:22486
 
Oval ID: oval:org.mitre.oval:def:22486
Title: DSA-2858-1 iceweasel - several
Description: Multiple security issues have been found in Iceweasel, Debian's version of the Mozilla Firefox web browser: Multiple memory safety errors, use-after-frees, too-verbose error messages and missing permission checks may lead to the execution of arbitrary code, the bypass of security checks or information disclosure. This update also addresses security issues in the bundled version of the NSS crypto library.
Family: unix Class: patch
Reference(s): DSA-2858-1
CVE-2014-1477
CVE-2014-1479
CVE-2014-1481
CVE-2014-1482
CVE-2014-1486
CVE-2014-1487
CVE-2014-1490
CVE-2014-1491
Version: 5
Platform(s): Debian GNU/Linux 7
Debian GNU/kFreeBSD 7
Product(s): iceweasel
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:22534
 
Oval ID: oval:org.mitre.oval:def:22534
Title: RHSA-2014:0132: firefox security update (Critical)
Description: The Web workers implementation in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allows remote attackers to bypass the Same Origin Policy and obtain sensitive authentication information via vectors involving error messages.
Family: unix Class: patch
Reference(s): RHSA-2014:0132-00
CESA-2014:0132
CVE-2014-1477
CVE-2014-1479
CVE-2014-1481
CVE-2014-1482
CVE-2014-1486
CVE-2014-1487
Version: 55
Platform(s): Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 5
CentOS Linux 5
CentOS Linux 6
Product(s): firefox
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:23381
 
Oval ID: oval:org.mitre.oval:def:23381
Title: DEPRECATED: ELSA-2014:0133: thunderbird security update (Important)
Description: The Web workers implementation in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allows remote attackers to bypass the Same Origin Policy and obtain sensitive authentication information via vectors involving error messages.
Family: unix Class: patch
Reference(s): ELSA-2014:0133-00
CVE-2014-1477
CVE-2014-1479
CVE-2014-1481
CVE-2014-1482
CVE-2014-1486
CVE-2014-1487
Version: 30
Platform(s): Oracle Linux 5
Oracle Linux 6
Product(s): thunderbird
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:23452
 
Oval ID: oval:org.mitre.oval:def:23452
Title: DEPRECATED: ELSA-2014:0132: firefox security update (Critical)
Description: The Web workers implementation in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allows remote attackers to bypass the Same Origin Policy and obtain sensitive authentication information via vectors involving error messages.
Family: unix Class: patch
Reference(s): ELSA-2014:0132-00
CVE-2014-1477
CVE-2014-1479
CVE-2014-1481
CVE-2014-1482
CVE-2014-1486
CVE-2014-1487
Version: 30
Platform(s): Oracle Linux 6
Oracle Linux 5
Product(s): firefox
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:23545
 
Oval ID: oval:org.mitre.oval:def:23545
Title: Mozilla Firefox before 27.0 does not properly restrict access to about:home buttons by script on other pages, which allows user-assisted remote attackers to cause a denial of service (session restore) via a crafted web site
Description: Mozilla Firefox before 27.0 does not properly restrict access to about:home buttons by script on other pages, which allows user-assisted remote attackers to cause a denial of service (session restore) via a crafted web site.
Family: windows Class: vulnerability
Reference(s): CVE-2014-1489
Version: 8
Platform(s): Microsoft Windows 8
Microsoft Windows 7
Microsoft Windows Vista
Microsoft Windows Server 2003
Microsoft Windows XP
Microsoft Windows 2000
Product(s): Mozilla Firefox
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:23732
 
Oval ID: oval:org.mitre.oval:def:23732
Title: USN-2102-2 -- firefox regression
Description: USN-2102-1 introduced a regression in Firefox.
Family: unix Class: patch
Reference(s): USN-2102-2
CVE-2014-1477
CVE-2014-1478
CVE-2014-1479
CVE-2014-1480
CVE-2014-1482
CVE-2014-1483
CVE-2014-1485
CVE-2014-1486
CVE-2014-1487
CVE-2014-1489
CVE-2014-1488
CVE-2014-1490
CVE-2014-1491
CVE-2014-1481
Version: 5
Platform(s): Ubuntu 13.10
Ubuntu 12.10
Ubuntu 12.04
Product(s): firefox
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:23759
 
Oval ID: oval:org.mitre.oval:def:23759
Title: The Web workers implementation in Mozilla Firefox before 27.0 and SeaMonkey before 2.24 allows remote attackers to execute arbitrary code via vectors involving termination of a worker process that has performed a cross-thread object-passing operation in conjunction with use of asm.js
Description: The Web workers implementation in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allows remote attackers to bypass the Same Origin Policy and obtain sensitive authentication information via vectors involving error messages.
Family: windows Class: vulnerability
Reference(s): CVE-2014-1487
Version: 9
Platform(s): Microsoft Windows 8
Microsoft Windows 7
Microsoft Windows Vista
Microsoft Windows Server 2003
Microsoft Windows XP
Microsoft Windows 2000
Product(s): Mozilla Firefox
Mozilla Firefox ESR
Mozilla SeaMonkey
Mozilla Thunderbird
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:23766
 
Oval ID: oval:org.mitre.oval:def:23766
Title: ELSA-2014:0132: firefox security update (Critical)
Description: The Web workers implementation in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allows remote attackers to bypass the Same Origin Policy and obtain sensitive authentication information via vectors involving error messages.
Family: unix Class: patch
Reference(s): ELSA-2014:0132-00
CVE-2014-1477
CVE-2014-1479
CVE-2014-1481
CVE-2014-1482
CVE-2014-1486
CVE-2014-1487
Version: 29
Platform(s): Oracle Linux 6
Oracle Linux 5
Product(s): firefox
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:23821
 
Oval ID: oval:org.mitre.oval:def:23821
Title: RasterImage.cpp in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 does not prevent access to discarded data, which allows remote attackers to execute arbitrary code or cause a denial of service (incorrect write operations) via crafted image data, as demonstrated by Goo Create
Description: RasterImage.cpp in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 does not prevent access to discarded data, which allows remote attackers to execute arbitrary code or cause a denial of service (incorrect write operations) via crafted image data, as demonstrated by Goo Create.
Family: windows Class: vulnerability
Reference(s): CVE-2014-1482
Version: 8
Platform(s): Microsoft Windows 8
Microsoft Windows 7
Microsoft Windows Vista
Microsoft Windows Server 2003
Microsoft Windows XP
Microsoft Windows 2000
Product(s): Mozilla Firefox
Mozilla Firefox ESR
Mozilla SeaMonkey
Mozilla Thunderbird
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:23934
 
Oval ID: oval:org.mitre.oval:def:23934
Title: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors
Description: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
Family: windows Class: vulnerability
Reference(s): CVE-2014-1477
Version: 8
Platform(s): Microsoft Windows 8
Microsoft Windows 7
Microsoft Windows Vista
Microsoft Windows Server 2003
Microsoft Windows XP
Microsoft Windows 2000
Product(s): Mozilla Firefox
Mozilla Firefox ESR
Mozilla SeaMonkey
Mozilla Thunderbird
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:23990
 
Oval ID: oval:org.mitre.oval:def:23990
Title: The file-download implementation in Mozilla Firefox before 27.0 and SeaMonkey before 2.24 does not properly restrict the timing of button selections, which allows remote attackers to conduct clickjacking attacks, and trigger unintended launching of a downloaded file, via a crafted web site
Description: The file-download implementation in Mozilla Firefox before 27.0 and SeaMonkey before 2.24 does not properly restrict the timing of button selections, which allows remote attackers to conduct clickjacking attacks, and trigger unintended launching of a downloaded file, via a crafted web site.
Family: windows Class: vulnerability
Reference(s): CVE-2014-1480
Version: 8
Platform(s): Microsoft Windows 8
Microsoft Windows 7
Microsoft Windows Vista
Microsoft Windows Server 2003
Microsoft Windows XP
Microsoft Windows 2000
Product(s): Mozilla Firefox
Mozilla SeaMonkey
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:23996
 
Oval ID: oval:org.mitre.oval:def:23996
Title: Mozilla Network Security Services (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey before 2.24 does not properly restrict public values in Diffie-Hellman key exchanges
Description: Mozilla Network Security Services (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey before 2.24, and other products, does not properly restrict public values in Diffie-Hellman key exchanges, which makes it easier for remote attackers to bypass cryptographic protection mechanisms in ticket handling by leveraging use of a certain value.
Family: windows Class: vulnerability
Reference(s): CVE-2014-1491
Version: 12
Platform(s): Microsoft Windows 8
Microsoft Windows 7
Microsoft Windows Vista
Microsoft Windows Server 2003
Microsoft Windows XP
Microsoft Windows 2000
Product(s): Mozilla Firefox
Mozilla Firefox ESR
Mozilla SeaMonkey
Mozilla Thunderbird
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24030
 
Oval ID: oval:org.mitre.oval:def:24030
Title: Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allow remote attackers to bypass intended restrictions on window objects by leveraging inconsistency in native getter methods across different JavaScript engines
Description: Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allow remote attackers to bypass intended restrictions on window objects by leveraging inconsistency in native getter methods across different JavaScript engines.
Family: windows Class: vulnerability
Reference(s): CVE-2014-1481
Version: 8
Platform(s): Microsoft Windows 8
Microsoft Windows 7
Microsoft Windows Vista
Microsoft Windows Server 2003
Microsoft Windows XP
Microsoft Windows 2000
Product(s): Mozilla Firefox
Mozilla Firefox ESR
Mozilla SeaMonkey
Mozilla Thunderbird
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24056
 
Oval ID: oval:org.mitre.oval:def:24056
Title: The System Only Wrapper (SOW) implementation in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 does not prevent certain cloning operations, which allows remote attackers to bypass intended restrictions on XUL content via vectors involving XBL content scopes
Description: The System Only Wrapper (SOW) implementation in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 does not prevent certain cloning operations, which allows remote attackers to bypass intended restrictions on XUL content via vectors involving XBL content scopes.
Family: windows Class: vulnerability
Reference(s): CVE-2014-1479
Version: 8
Platform(s): Microsoft Windows 8
Microsoft Windows 7
Microsoft Windows Vista
Microsoft Windows Server 2003
Microsoft Windows XP
Microsoft Windows 2000
Product(s): Mozilla Firefox
Mozilla Firefox ESR
Mozilla SeaMonkey
Mozilla Thunderbird
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24084
 
Oval ID: oval:org.mitre.oval:def:24084
Title: Mozilla Firefox before 27.0 and SeaMonkey before 2.24 allow remote attackers to bypass the Same Origin Policy and obtain sensitive information by using an IFRAME element in conjunction with certain timing measurements involving the document.caretPositionFromPoint and document.elementFromPoint functions
Description: Mozilla Firefox before 27.0 and SeaMonkey before 2.24 allow remote attackers to bypass the Same Origin Policy and obtain sensitive information by using an IFRAME element in conjunction with certain timing measurements involving the document.caretPositionFromPoint and document.elementFromPoint functions.
Family: windows Class: vulnerability
Reference(s): CVE-2014-1483
Version: 8
Platform(s): Microsoft Windows 8
Microsoft Windows 7
Microsoft Windows Vista
Microsoft Windows Server 2003
Microsoft Windows XP
Microsoft Windows 2000
Product(s): Mozilla Firefox
Mozilla SeaMonkey
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24103
 
Oval ID: oval:org.mitre.oval:def:24103
Title: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 27.0 and SeaMonkey before 2.24 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to the MPostWriteBarrier class in js/src/jit/MIR.h and stack alignment in js/src/jit/AsmJS.cpp in OdinMonkey, and unknown other vectors
Description: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 27.0 and SeaMonkey before 2.24 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to the MPostWriteBarrier class in js/src/jit/MIR.h and stack alignment in js/src/jit/AsmJS.cpp in OdinMonkey, and unknown other vectors.
Family: windows Class: vulnerability
Reference(s): CVE-2014-1478
Version: 8
Platform(s): Microsoft Windows 8
Microsoft Windows 7
Microsoft Windows Vista
Microsoft Windows Server 2003
Microsoft Windows XP
Microsoft Windows 2000
Product(s): Mozilla Firefox
Mozilla SeaMonkey
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24156
 
Oval ID: oval:org.mitre.oval:def:24156
Title: ELSA-2014:0133: thunderbird security update (Important)
Description: The Web workers implementation in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allows remote attackers to bypass the Same Origin Policy and obtain sensitive authentication information via vectors involving error messages.
Family: unix Class: patch
Reference(s): ELSA-2014:0133-00
CVE-2014-1477
CVE-2014-1479
CVE-2014-1481
CVE-2014-1482
CVE-2014-1486
CVE-2014-1487
Version: 29
Platform(s): Oracle Linux 5
Oracle Linux 6
Product(s): thunderbird
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24164
 
Oval ID: oval:org.mitre.oval:def:24164
Title: The Content Security Policy (CSP) implementation in Mozilla Firefox before 27.0 and SeaMonkey before 2.24 operates on XSLT stylesheets according to style-src directives instead of script-src directives, which might allow remote attackers to execute arbitrary XSLT code by leveraging insufficient style-src restrictions
Description: The Content Security Policy (CSP) implementation in Mozilla Firefox before 27.0 and SeaMonkey before 2.24 operates on XSLT stylesheets according to style-src directives instead of script-src directives, which might allow remote attackers to execute arbitrary XSLT code by leveraging insufficient style-src restrictions.
Family: windows Class: vulnerability
Reference(s): CVE-2014-1485
Version: 8
Platform(s): Microsoft Windows 8
Microsoft Windows 7
Microsoft Windows Vista
Microsoft Windows Server 2003
Microsoft Windows XP
Microsoft Windows 2000
Product(s): Mozilla Firefox
Mozilla SeaMonkey
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24194
 
Oval ID: oval:org.mitre.oval:def:24194
Title: Race condition in libssl in Mozilla Network Security Services (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey before 2.24, and other products, allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via vectors involving a resumption handshake that triggers incorrect replacement of a session ticket
Description: Race condition in libssl in Mozilla Network Security Services (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey before 2.24, and other products, allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via vectors involving a resumption handshake that triggers incorrect replacement of a session ticket.
Family: windows Class: vulnerability
Reference(s): CVE-2014-1490
Version: 12
Platform(s): Microsoft Windows 8
Microsoft Windows 7
Microsoft Windows Vista
Microsoft Windows Server 2003
Microsoft Windows XP
Microsoft Windows 2000
Product(s): Mozilla Firefox
Mozilla Firefox ESR
Mozilla SeaMonkey
Mozilla Thunderbird
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24205
 
Oval ID: oval:org.mitre.oval:def:24205
Title: Use-after-free vulnerability in the imgRequestProxy function in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allows remote attackers to execute arbitrary code via vectors involving unspecified Content-Type values for image data
Description: Use-after-free vulnerability in the imgRequestProxy function in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allows remote attackers to execute arbitrary code via vectors involving unspecified Content-Type values for image data.
Family: windows Class: vulnerability
Reference(s): CVE-2014-1486
Version: 8
Platform(s): Microsoft Windows 8
Microsoft Windows 7
Microsoft Windows Vista
Microsoft Windows Server 2003
Microsoft Windows XP
Microsoft Windows 2000
Product(s): Mozilla Firefox
Mozilla Firefox ESR
Mozilla SeaMonkey
Mozilla Thunderbird
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24209
 
Oval ID: oval:org.mitre.oval:def:24209
Title: The Web workers implementation in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allows remote attackers to bypass the Same Origin Policy and obtain sensitive authentication information via vectors involving error messages
Description: The Web workers implementation in Mozilla Firefox before 27.0 and SeaMonkey before 2.24 allows remote attackers to execute arbitrary code via vectors involving termination of a worker process that has performed a cross-thread object-passing operation in conjunction with use of asm.js.
Family: windows Class: vulnerability
Reference(s): CVE-2014-1488
Version: 9
Platform(s): Microsoft Windows 8
Microsoft Windows 7
Microsoft Windows Vista
Microsoft Windows Server 2003
Microsoft Windows XP
Microsoft Windows 2000
Product(s): Mozilla Firefox
Mozilla Firefox ESR
Mozilla SeaMonkey
Mozilla Thunderbird
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24736
 
Oval ID: oval:org.mitre.oval:def:24736
Title: SUSE-SU-2014:0248-1 -- Security update for MozillaFirefox
Description: This updates the Mozilla Firefox browser to the 24.3.0ESR security release. The Mozilla NSS libraries are now on version 3.15.4.
Family: unix Class: patch
Reference(s): SUSE-SU-2014:0248-1
CVE-2014-1477
CVE-2014-1479
CVE-2014-1480
CVE-2014-1482
CVE-2014-1483
CVE-2014-1484
CVE-2014-1485
CVE-2014-1486
CVE-2014-1487
CVE-2014-1489
CVE-2014-1488
CVE-2014-1490
CVE-2014-1491
CVE-2014-1481
Version: 5
Platform(s): SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Desktop 11
Product(s): MozillaFirefox
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25463
 
Oval ID: oval:org.mitre.oval:def:25463
Title: SUSE-SU-2014:0248-2 -- Security update for Mozilla Firefox
Description: Mozilla Firefox was updated to the 24.3.0ESR security release.
Family: unix Class: patch
Reference(s): SUSE-SU-2014:0248-2
CVE-2014-1477
CVE-2014-1479
CVE-2014-1480
CVE-2014-1482
CVE-2014-1483
CVE-2014-1484
CVE-2014-1485
CVE-2014-1486
CVE-2014-1487
CVE-2014-1489
CVE-2014-1488
CVE-2014-1490
CVE-2014-1491
CVE-2014-1481
Version: 5
Platform(s): SUSE Linux Enterprise Server 11
Product(s): Mozilla Firefox
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:27286
 
Oval ID: oval:org.mitre.oval:def:27286
Title: DEPRECATED: ELSA-2014-0132 -- firefox security update (critical)
Description: [24.3.0-2.0.1.el6_5] - Add firefox-oracle-default-prefs.js and remove the corresponding Red Hat one - Build with nspr-devel >= 4.10.0 to fix build failure [24.3.0-2] - Update to 24.3.0 ESR Build 2 [24.3.0-1] - Update to 24.3.0 ESR
Family: unix Class: patch
Reference(s): ELSA-2014-0132
CVE-2014-1477
CVE-2014-1479
CVE-2014-1481
CVE-2014-1482
CVE-2014-1486
CVE-2014-1487
Version: 4
Platform(s): Oracle Linux 5
Oracle Linux 6
Product(s): firefox
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:27369
 
Oval ID: oval:org.mitre.oval:def:27369
Title: DEPRECATED: ELSA-2014-0133 -- thunderbird security update (important)
Description: [24.3.0-2.0.1.el6_5] - Replaced thunderbird-redhat-default-prefs.js with thunderbird-oracle-default-prefs.js - Make sure build with nspr-devel >= 4.10.0 [24.3.0-2] - Update to 24.3.0 ESR Build 2 [24.3.0-1] - Update to 24.3.0 [24.2.0-2] - Fixed requested nspr/nss versions
Family: unix Class: patch
Reference(s): ELSA-2014-0133
CVE-2014-1477
CVE-2014-1479
CVE-2014-1481
CVE-2014-1482
CVE-2014-1486
CVE-2014-1487
Version: 4
Platform(s): Oracle Linux 5
Oracle Linux 6
Product(s): thunderbird
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 353
Application 36
Application 68
Application 207
Application 246
Application 7
Application 1
Application 1
Os 4
Os 2
Os 2
Os 3
Os 1
Os 1
Os 1
Os 2
Os 1
Os 2
Os 1
Os 1
Os 1
Os 2
Os 1
Os 2
Os 1
Os 1
Os 2

Information Assurance Vulnerability Management (IAVM)

Date Description
2014-02-06 IAVM : 2014-A-0021 - Multiple Vulnerabilities in Mozilla Products
Severity : Category I - VMSKEY : V0043921

Nessus® Vulnerability Scanner

Date Description
2016-05-18 Name : The remote device is missing a vendor-supplied security patch.
File : f5_bigip_SOL16716.nasl - Type : ACT_GATHER_INFO
2015-04-08 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201504-01.nasl - Type : ACT_GATHER_INFO
2015-03-26 Name : The remote Debian host is missing a security update.
File : debian_DLA-23.nasl - Type : ACT_GATHER_INFO
2014-11-08 Name : The remote Red Hat host is missing a security update.
File : redhat-RHSA-2014-0979.nasl - Type : ACT_GATHER_INFO
2014-10-31 Name : The remote host is affected by multiple vulnerabilities.
File : oracle_opensso_agent_cpu_oct_2014.nasl - Type : ACT_GATHER_INFO
2014-10-01 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2014-1246.nasl - Type : ACT_GATHER_INFO
2014-09-29 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20140916_nss_and_nspr_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2014-09-18 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2014-1246.nasl - Type : ACT_GATHER_INFO
2014-09-16 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2014-1246.nasl - Type : ACT_GATHER_INFO
2014-08-01 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2994.nasl - Type : ACT_GATHER_INFO
2014-07-31 Name : The remote host is running software with multiple vulnerabilities.
File : oracle_traffic_director_july_2014_cpu.nasl - Type : ACT_GATHER_INFO
2014-07-23 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20140722_nss_and_nspr_on_SL6_x.nasl - Type : ACT_GATHER_INFO
2014-07-23 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2014-0917.nasl - Type : ACT_GATHER_INFO
2014-07-23 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2014-0917.nasl - Type : ACT_GATHER_INFO
2014-07-23 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2014-0917.nasl - Type : ACT_GATHER_INFO
2014-07-18 Name : The remote web server is affected by multiple vulnerabilities.
File : sun_java_web_server_7_0_20.nasl - Type : ACT_GATHER_INFO
2014-07-18 Name : A web proxy server on the remote host is affected by multiple vulnerabilities.
File : iplanet_web_proxy_4_0_24.nasl - Type : ACT_GATHER_INFO
2014-07-18 Name : The remote web server is affected by multiple vulnerabilities.
File : glassfish_cpu_jul_2014.nasl - Type : ACT_GATHER_INFO
2014-06-13 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2014-119.nasl - Type : ACT_GATHER_INFO
2014-03-02 Name : The remote Fedora host is missing a security update.
File : fedora_2014-2083.nasl - Type : ACT_GATHER_INFO
2014-02-20 Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-2119-1.nasl - Type : ACT_GATHER_INFO
2014-02-20 Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-2102-2.nasl - Type : ACT_GATHER_INFO
2014-02-18 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_firefox-201402-140207.nasl - Type : ACT_GATHER_INFO
2014-02-12 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2858.nasl - Type : ACT_GATHER_INFO
2014-02-11 Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-2102-1.nasl - Type : ACT_GATHER_INFO
2014-02-07 Name : The remote Fedora host is missing a security update.
File : fedora_2014-2041.nasl - Type : ACT_GATHER_INFO
2014-02-06 Name : The remote CentOS host is missing a security update.
File : centos_RHSA-2014-0133.nasl - Type : ACT_GATHER_INFO
2014-02-06 Name : The remote CentOS host is missing a security update.
File : centos_RHSA-2014-0132.nasl - Type : ACT_GATHER_INFO
2014-02-05 Name : The remote Windows host contains a web browser that is potentially affected b...
File : seamonkey_2_24.nasl - Type : ACT_GATHER_INFO
2014-02-05 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2014-0133.nasl - Type : ACT_GATHER_INFO
2014-02-05 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2014-0132.nasl - Type : ACT_GATHER_INFO
2014-02-05 Name : The remote Oracle Linux host is missing a security update.
File : oraclelinux_ELSA-2014-0133.nasl - Type : ACT_GATHER_INFO
2014-02-05 Name : The remote Oracle Linux host is missing a security update.
File : oraclelinux_ELSA-2014-0132.nasl - Type : ACT_GATHER_INFO
2014-02-05 Name : The remote Windows host contains a mail client that is potentially affected b...
File : mozilla_thunderbird_24_3.nasl - Type : ACT_GATHER_INFO
2014-02-05 Name : The remote Windows host contains a web browser that is potentially affected b...
File : mozilla_firefox_27.nasl - Type : ACT_GATHER_INFO
2014-02-05 Name : The remote Windows host contains a web browser that is potentially affected b...
File : mozilla_firefox_24_3_esr.nasl - Type : ACT_GATHER_INFO
2014-02-05 Name : The remote Mac OS X host contains a mail client that is potentially affected ...
File : macosx_thunderbird_24_3.nasl - Type : ACT_GATHER_INFO
2014-02-05 Name : The remote Mac OS X host contains a web browser that is potentially affected ...
File : macosx_firefox_27.nasl - Type : ACT_GATHER_INFO
2014-02-05 Name : The remote Mac OS X host contains a web browser that is potentially affected ...
File : macosx_firefox_24_3_esr.nasl - Type : ACT_GATHER_INFO
2014-02-05 Name : The remote FreeBSD host is missing one or more security-related updates.
File : freebsd_pkg_1753f0ff8dd511e39b45b4b52fce4ce8.nasl - Type : ACT_GATHER_INFO
2014-02-05 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20140204_firefox_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2014-02-05 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20140204_thunderbird_on_SL5_x.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
2
Date Informations
2016-01-22 09:26:52
  • Multiple Updates
2014-02-21 13:21:13
  • Multiple Updates
2014-02-19 21:19:48
  • First insertion