
Test ID: 1.3.6.1.4.1.25623.1.0.841651
Category: Ubuntu Local Security Checks
Title: Ubuntu Update for firefox USN-2052-1
Summary: The remote host is missing an update for the 'firefox' package(s) announced via the referenced advisory.
Description:
Summary:
The remote host is missing an update for the 'firefox'
package(s) announced via the referenced advisory.

Vulnerability Insight:
Ben Turner, Bobby Holley, Jesse Ruderman, Christian Holler
and Christoph Diehl discovered multiple memory safety issues in Firefox. If
a user were tricked into opening a specially crafted website, an attacker
could potentially exploit these to cause a denial of service via application
crash, or execute arbitrary code with the privileges of the user invoking
Firefox. (CVE-2013-5609, CVE-2013-5610)

Myk Melez discovered that the doorhanger notification for web app
installation could persist between page navigations. An attacker could
potentially exploit this to conduct clickjacking attacks. (CVE-2013-5611)

Masato Kinugawa discovered that pages with missing character set encoding
information can inherit character encodings across navigations from
another domain. An attacker could potentially exploit this to conduct
cross-site scripting attacks. (CVE-2013-5612)

Daniel Veditz discovered that a sandboxed iframe could use an object
element to bypass its own restrictions. (CVE-2013-5614)

Tyson Smith and Jesse Schwartzentruber discovered a use-after-free in
event listeners. An attacker could potentially exploit this to cause a
denial of service via application crash, or execute arbitrary code with
the privileges of the user invoking Firefox. (CVE-2013-5616)

A use-after-free was discovered in the table editing interface. An
attacker could potentially exploit this to cause a denial of service via
application crash, or execute arbitrary code with the privileges of the
user invoking Firefox. (CVE-2013-5618)

Dan Gohman discovered that binary search algorithms in SpiderMonkey
used arithmetic prone to overflow in several places. However, this
issue is not believed to be exploitable. (CVE-2013-5619)

Tyson Smith and Jesse Schwartzentruber discovered a crash when inserting
an ordered list into a document using script. An attacker could
potentially exploit this to execute arbitrary code with the privileges
of the user invoking Firefox. (CVE-2013-6671)

Vincent Lefevre discovered that web content could access clipboard data
under certain circumstances, resulting in information disclosure.
(CVE-2013-6672)

Sijie Xia discovered that trust settings for built-in EV root certificates
were ignored under certain circumstances, removing the ability for a user
to manually untrust certificates from specific authorities.
(CVE-2013-6673)

Tyson Smith, Jesse Schwartzentruber and Atte Kettunen discovered a
use-after-free in functions for synthetic mouse movement handling. An
attacker could potentially exploit this to cause a denial of service via
application crash, ...

Description truncated, please see the referenced URL(s) for more information.

Affected Software/OS:
firefox on Ubuntu 13.10,
Ubuntu 13.04,
Ubuntu 12.10,
Ubuntu 12.04 LTS

Solution:
Please install the updated packages.

CVSS Score:
10.0

CVSS Vector:
AV:N/AC:L/Au:N/C:C/I:C/A:C

Cross-reference: Common Vulnerability Exposure (CVE) ID: CVE-2013-5609
http://lists.fedoraproject.org/pipermail/package-announce/2013-December/123437.html
http://lists.fedoraproject.org/pipermail/package-announce/2014-January/125470.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-December/124108.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-December/124257.html
https://security.gentoo.org/glsa/201504-01
RedHat Security Advisories: RHSA-2013:1812
http://rhn.redhat.com/errata/RHSA-2013-1812.html
http://www.securitytracker.com/id/1029470
http://www.securitytracker.com/id/1029476
SuSE Security Announcement: SUSE-SU-2013:1919
http://lists.opensuse.org/opensuse-security-announce/2013-12/msg00010.html
SuSE Security Announcement: openSUSE-SU-2013:1916
http://lists.opensuse.org/opensuse-updates/2013-12/msg00085.html
SuSE Security Announcement: openSUSE-SU-2013:1917
http://lists.opensuse.org/opensuse-updates/2013-12/msg00086.html
SuSE Security Announcement: openSUSE-SU-2013:1918
http://lists.opensuse.org/opensuse-updates/2013-12/msg00087.html
SuSE Security Announcement: openSUSE-SU-2013:1957
http://lists.opensuse.org/opensuse-updates/2013-12/msg00119.html
SuSE Security Announcement: openSUSE-SU-2013:1958
http://lists.opensuse.org/opensuse-updates/2013-12/msg00120.html
SuSE Security Announcement: openSUSE-SU-2013:1959
http://lists.opensuse.org/opensuse-updates/2013-12/msg00121.html
SuSE Security Announcement: openSUSE-SU-2014:0008
http://lists.opensuse.org/opensuse-updates/2014-01/msg00002.html
http://www.ubuntu.com/usn/USN-2052-1
http://www.ubuntu.com/usn/USN-2053-1
Common Vulnerability Exposure (CVE) ID: CVE-2013-5610
Common Vulnerability Exposure (CVE) ID: CVE-2013-5611
Common Vulnerability Exposure (CVE) ID: CVE-2013-5612
BugTraq ID: 64205
http://www.securityfocus.com/bid/64205
Common Vulnerability Exposure (CVE) ID: CVE-2013-5614
Common Vulnerability Exposure (CVE) ID: CVE-2013-5616
Common Vulnerability Exposure (CVE) ID: CVE-2013-5618
Common Vulnerability Exposure (CVE) ID: CVE-2013-5619
Common Vulnerability Exposure (CVE) ID: CVE-2013-6671
BugTraq ID: 64212
http://www.securityfocus.com/bid/64212
Common Vulnerability Exposure (CVE) ID: CVE-2013-6672
BugTraq ID: 64210
http://www.securityfocus.com/bid/64210
Common Vulnerability Exposure (CVE) ID: CVE-2013-6673
BugTraq ID: 64213
http://www.securityfocus.com/bid/64213
Common Vulnerability Exposure (CVE) ID: CVE-2013-5613
Common Vulnerability Exposure (CVE) ID: CVE-2013-5615
Common Vulnerability Exposure (CVE) ID: CVE-2013-6629
BugTraq ID: 63676
http://www.securityfocus.com/bid/63676
Debian Security Information: DSA-2799
http://www.debian.org/security/2013/dsa-2799
http://archives.neohapsis.com/archives/fulldisclosure/2013-11/0080.html
http://security.gentoo.org/glsa/glsa-201406-32.xml
https://security.gentoo.org/glsa/201606-03
HPdes Security Advisory: HPSBUX03091
http://marc.info/?l=bugtraq&m=140852886808946&w=2
HPdes Security Advisory: HPSBUX03092
http://marc.info/?l=bugtraq&m=140852974709252&w=2
HPdes Security Advisory: SSRT101667
HPdes Security Advisory: SSRT101668
http://www.mandriva.com/security/advisories?name=MDVSA-2013:273
RedHat Security Advisories: RHSA-2013:1803
http://rhn.redhat.com/errata/RHSA-2013-1803.html
RedHat Security Advisories: RHSA-2013:1804
http://rhn.redhat.com/errata/RHSA-2013-1804.html
RedHat Security Advisories: RHSA-2014:0413
https://access.redhat.com/errata/RHSA-2014:0413
RedHat Security Advisories: RHSA-2014:0414
https://access.redhat.com/errata/RHSA-2014:0414
http://secunia.com/advisories/56175
http://secunia.com/advisories/58974
http://secunia.com/advisories/59058
SuSE Security Announcement: openSUSE-SU-2013:1776
http://lists.opensuse.org/opensuse-security-announce/2013-11/msg00025.html
SuSE Security Announcement: openSUSE-SU-2013:1777
http://lists.opensuse.org/opensuse-security-announce/2013-11/msg00026.html
SuSE Security Announcement: openSUSE-SU-2013:1861
http://lists.opensuse.org/opensuse-security-announce/2013-12/msg00002.html
SuSE Security Announcement: openSUSE-SU-2014:0065
http://lists.opensuse.org/opensuse-updates/2014-01/msg00042.html
http://www.ubuntu.com/usn/USN-2060-1
Common Vulnerability Exposure (CVE) ID: CVE-2013-6630
Copyright: Copyright (C) 2013 Greenbone Networks GmbH
