Rapid7 Vulnerability & Exploit Database

Ubuntu: USN-3435-2: Firefox regression

Back to Search

Ubuntu: USN-3435-2: Firefox regression

Severity
4
CVSS
(AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published
10/04/2017
Created
07/25/2018
Added
10/05/2017
Modified
07/09/2020

Description

USN-3435-1 fixed vulnerabilities in Firefox. The update caused the Flash plugin to crash in some circumstances. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

Multiple security issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to read uninitialized memory, obtain sensitive information, bypass phishing and malware protection, spoof the origin in modal dialogs, conduct cross-site scripting (XSS) attacks, cause a denial of service via application crash, or execute arbitrary code. (CVE-2017-7793,CVE-2017-7810,CVE-2017-7811,CVE-2017-7812, CVE-2017-7813,CVE-2017-7814,CVE-2017-7815,CVE-2017-7818,CVE-2017-7819, CVE-2017-7820,CVE-2017-7822,CVE-2017-7823,CVE-2017-7824) Martin Thomson discovered that NSS incorrectly generated handshake hashes. A remote attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code. (CVE-2017-7805) Multiple security issues were discovered in WebExtensions. If a user were tricked in to installing a specially crafted extension, an attacker could potentially exploit these to download and open non-executable files without interaction, or obtain elevated privileges. (CVE-2017-7816, CVE-2017-7821)

Solution(s)

  • ubuntu-upgrade-firefox

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;