MyCERT Advisories


MyCERT Advisories, Alerts and Summaries for the year 2017

MA-646.012017: MyCERT Advisory - Mozilla Releases Security Updates
Date first published: 26/1/2017


1.0 Introduction
Mozilla has released security updates to address multiple vulnerabilities in Firefox and Firefox ESR. Exploitation of one of these vulnerabilities may allow a remote attacker to take control of an affected system.

2.0 Impact
Some of the critical vulnerabilities affecting the software are listed below:

Firefox
•    CVE-2017-5375: Excessive JIT code allocation allows bypass of ASLR and DEP
JIT code allocation can allow for a bypass of ASLR and DEP protections leading to potential memory corruption attacks.
•    CVE-2017-5376: Use-after-free in XSL
Use-after-free while manipulating XSL in XSLT documents.
•    CVE-2017-5377: Memory corruption with transforms to create gradients in Skia
A memory corruption vulnerability in Skia that can occur when using transforms to make gradients, resulting in a potentially exploitable crash.

Firefox ESR
•    CVE-2017-5375: Excessive JIT code allocation allows bypass of ASLR and DEP
JIT code allocation can allow for a bypass of ASLR and DEP protections leading to potential memory corruption attacks.
•    CVE-2017-5376: Use-after-free in XSL
Use-after-free while manipulating XSL in XSLT documents.

3.0 Affected Products
•    Firefox versions prior to 51
•    Firefox ESR versions prior to 45.7
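
The affected-version rule above, written as a check over a software inventory (an added example, not part of the MyCERT advisory or Mozilla's code). The inventory layout, host names and the `channel` field are assumptions made for illustration; the fixed versions 51 and ESR 45.7 are the ones listed above.

```python
import re

# First fixed version per channel, from the advisory's "Affected Products" list.
FIXED = {"release": (51, 0), "esr": (45, 7)}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(esr)?$", re.IGNORECASE)


def parse_version(text):
    """Return (numeric tuple, has_esr_suffix) for '50.1.0' or '45.6.0esr'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Firefox version: {text!r}")
    return tuple(int(p) for p in m.group(1).split(".")), bool(m.group(2))


def is_affected(version, channel=None):
    """True if this version is older than the fixed version for its channel."""
    nums, esr_suffix = parse_version(version)
    if channel is None:
        # Assumption: without an explicit channel, an 'esr' suffix marks ESR.
        channel = "esr" if esr_suffix else "release"
    fixed = FIXED[channel]
    # Pad so that '51' compares as (51, 0) and is not treated as older than 51.0.
    nums += (0,) * (len(fixed) - len(nums))
    return nums < fixed


def audit(inventory):
    """Split (host, version, channel) records into affected and unparseable hosts."""
    affected, unparsed = [], []
    for host, version, channel in inventory:
        try:
            if is_affected(version, channel):
                affected.append(host)
        except (ValueError, KeyError):
            unparsed.append(host)  # review manually rather than assume patched
    return affected, unparsed


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = [
    ("ws-01", "50.1.0", "release"),
    ("ws-02", "51.0", "release"),
    ("ws-03", "45.6.0esr", None),
    ("ws-04", "45.7.0", "esr"),
    ("ws-05", "n/a", None),
]

if __name__ == "__main__":
    print(audit(SAMPLE_INVENTORY))
```

Records that cannot be parsed are reported separately so that they are checked by hand instead of being counted as patched.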

4.0 Recommendation
MyCERT highly recommends that users of these applications upgrade to the latest version of the affected products. The following updates are available:

4.1 Mozilla Firefox
Advisories:
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/
Download:
https://www.mozilla.org/en-GB/firefox/new/

4.2 Mozilla Firefox ESR
Advisories:
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
Download:
https://www.mozilla.org/en-US/firefox/organizations/all/

Generally, MyCERT advises users of this software to keep up to date with the latest security announcements from the vendor and to follow best practice security policies to determine which updates should be applied.
For further enquiries, please contact MyCERT through the following channels:
E-mail: cyber999@cybersecurity.my or mycert@mycert.org.my
Phone: 1-300-88-2999 (monitored during business hours)
Fax: +603 89453442
Handphone: +60 19 2665850 (24x7 call incident reporting)
SMS: CYBER999 REPORT EMAIL COMPLAINT to 15888
Business Hours: Mon - Fri 09:00 AM - 18:00 PM MYT
Web: http://www.mycert.org.my
Twitter: http://www.twitter.com/mycert
Facebook: http://www.facebook.com/mycert.org.my
Cyber999 Mobile Apps: iOS Users or Android Users
 
5.0 References
•    https://www.us-cert.gov/ncas/current-activity/2017/01/24/Mozilla-Releases-Security-Updates
•    https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/
•    https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/