=====================================================================
CERT-Renater Information Note No. 2015/VULN058
_____________________________________________________________________
DATE : 22/04/2015
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running Mozilla Firefox versions prior to 37.0.2.
======================================================================

https://www.mozilla.org/en-US/security/advisories/mfsa2015-45/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-44/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-43/
______________________________________________________________________

Mozilla Foundation Security Advisory 2015-45
Memory corruption during failed plugin initialization

Announced  April 20, 2015
Reporter   Robert Kaiser
Impact     High
Products   Firefox
Fixed in   Firefox 37.0.2

Description
Mozilla developer Robert Kaiser (Kairo) reported that a race condition when initialization of a plugin fails leads to a potentially exploitable use-after-free vulnerability.

References
crash in AsyncPaintWaitEvent::AsyncPaintWaitEvent(nsIContent*, bool) (CVE-2015-2706)
_______________________________________________________________________

Mozilla Foundation Security Advisory 2015-44
Certificate verification bypass through the HTTP/2 Alt-Svc header

Announced  April 3, 2015
Reporter   Muneaki Nishimura
Impact     Critical
Products   Firefox
Fixed in   Firefox 37.0.1

Description
Security researcher Muneaki Nishimura discovered a flaw in Mozilla's HTTP Alternative Services implementation. If an Alt-Svc header is specified in an HTTP/2 response, SSL certificate verification can be bypassed for the specified alternate server. As a result, warnings about invalid SSL certificates are not displayed, and an attacker positioned as a man-in-the-middle (MITM) could impersonate another site by replacing the original certificate with their own.
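The client-side rule that the bypass above violates, as an added example that is not part of this note and not Mozilla's code: an https origin may be routed to an Alt-Svc alternative only if the alternative's TLS certificate chains to a trust anchor and is valid for the origin's host name, not merely for the alternative's own name (this is the requirement in the Alt-Svc specification, RFC 7838, section 2.1). The header parser, the RFC 6125-style hostname matcher, the PresentedCert record standing in for a TLS handshake result, and the scenario hosts www.example.com, mitm.example.net, evil.example.net and cdn.example.com are all assumptions constructed for the example; nothing touches the network.

```python
"""Alt-Svc alternatives gated on certificate validity for the ORIGIN host.

Added example for this advisory; not Mozilla code. The TLS handshake results
are constructed sample records, so the whole thing runs offline.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Alt-Svc field value (RFC 7838 section 3), simplified:
#   Alt-Svc = clear / 1#( protocol-id "=" <"> alt-authority <"> *( ";" parameter ) )
ALT_VALUE_RE = re.compile(r"\s*([\w!#$%&'*+\-.^`|~]+)=\"([^\"]*)\"((?:\s*;\s*[^,;]+)*)")


@dataclass(frozen=True)
class AltService:
    protocol: str   # e.g. "h2"
    host: str       # "" means the origin's own host
    port: int
    max_age: int    # seconds; RFC 7838 default is 86400


@dataclass(frozen=True)
class PresentedCert:
    """What the TLS handshake with a candidate yields (constructed record, not an X.509 parser)."""
    chain_trusted: bool            # chains to a trust anchor, within validity period, etc.
    dns_names: Tuple[str, ...]     # subjectAltName dNSName entries


def parse_alt_svc(header: str) -> List[AltService]:
    """Parse an Alt-Svc header value; entries without an explicit port are dropped."""
    if header.strip().lower() == "clear":
        return []
    services = []
    for m in ALT_VALUE_RE.finditer(header):
        proto, authority, params = m.groups()
        host, sep, port = authority.rpartition(":")
        if not sep or not port.isdigit():
            continue
        max_age = 86400
        for param in params.split(";"):
            key, _, value = param.strip().partition("=")
            if key.lower() == "ma" and value.isdigit():
                max_age = int(value)
        services.append(AltService(proto.lower(), host.lower(), int(port), max_age))
    return services


def hostname_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style matching: one wildcard at most, only as the entire left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                                  # ".example.com"
    label = host[:-len(suffix)] if host.endswith(suffix) else ""
    return bool(label) and "." not in label


def alternative_is_acceptable(origin_host: str, cert: PresentedCert) -> bool:
    """The alternative must prove it is authoritative for the ORIGIN, not for itself.

    Skipping this check, or matching the alternative's own name instead, is the
    bypass class in MFSA 2015-44: an attacker who can inject an Alt-Svc header
    pointing at a host they control would then be accepted in place of the origin.
    """
    return cert.chain_trusted and any(hostname_matches(n, origin_host) for n in cert.dns_names)


def choose_route(origin_host: str, origin_port: int, header: str,
                 handshakes: Dict[Tuple[str, int], PresentedCert]) -> Tuple[str, int]:
    """Return the first acceptable h2 alternative, else stay on the origin (no warning suppressed)."""
    for alt in parse_alt_svc(header):
        if alt.protocol != "h2":
            continue
        target = (alt.host or origin_host, alt.port)
        cert = handshakes.get(target)       # stands in for the TLS connection attempt
        if cert is not None and alternative_is_acceptable(origin_host, cert):
            return target
    return (origin_host, origin_port)


# Constructed scenario: the origin's response carried an Alt-Svc header naming three
# alternatives; the first two are attacker-controlled in different ways.
ORIGIN = "www.example.com"
HEADER = ('h2="mitm.example.net:443"; ma=3600, '
          'h2="evil.example.net:443"; ma=3600, '
          'h2="cdn.example.com:443"; ma=3600')
HANDSHAKES = {
    # forged certificate bearing the origin's name, but not chaining to any trust anchor
    ("mitm.example.net", 443): PresentedCert(False, ("www.example.com",)),
    # trusted chain, yet the certificate only covers the attacker's own host name
    ("evil.example.net", 443): PresentedCert(True, ("evil.example.net",)),
    # legitimate CDN front: trusted chain whose names cover the origin
    ("cdn.example.com", 443): PresentedCert(True, ("*.example.com", "cdn.example.com")),
}

if __name__ == "__main__":
    print(choose_route(ORIGIN, 443, HEADER, HANDSHAKES))   # ('cdn.example.com', 443)
```

The design point is the argument to hostname_matches: the names in the alternative's certificate are compared against the origin host, never against the alternative's host, and a failed check falls back to the origin connection rather than silently continuing, so the normal certificate warning path is never short-circuited.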
References
Server certificate verification bypass with Alt-Svc (CVE-2015-0799)
______________________________________________________________________

Mozilla Foundation Security Advisory 2015-43
Loading privileged content through Reader mode

Announced  April 3, 2015
Reporter   Armin Razmdjou
Impact     High
Products   Firefox
Fixed in   Firefox 37.0.1

Description
Security researcher Armin Razmdjou reported a flaw in Reader mode on Firefox for Android. Reader mode reformats web content for easy readability and operates as unprivileged content that is the equivalent of the formatted content. When Reader mode is unable to process content, it displays the original web page. Since it is unprivileged, there are no restrictions on pages linking to or framing Reader mode content. The reported flaw is that privileged URLs can be passed to Reader mode, bypassing the normal restrictions that prevent web pages from obtaining references to privileged contexts. If this issue were combined with another flaw that allowed a violation of the same-origin policy, the resulting combination could lead to arbitrary code execution. This flaw only affects Firefox for Android and pre-release versions of desktop Firefox. The released version of desktop Firefox does not have Reader mode and is not affected.

References
Privileged URLs processed by about:reader (CVE-2015-0798)
=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================