
Multiple Vulnerabilities in Mozilla

 

Systems Affected


Mozilla Firefox versions prior to 37.0.1

Threat Level


High


Overview


Multiple vulnerabilities have been reported in Mozilla Firefox which could be exploited by a remote attacker to bypass certificate verification and execute arbitrary code remotely.


Description


1. Privilege Escalation Vulnerability (CVE-2015-0798)
This vulnerability is caused by insufficient handling of privileged URLs in the Reader mode of the Mozilla browser, which bypasses the restrictions that prevent web pages from obtaining references to privileged contexts. A remote attacker could exploit this vulnerability by enticing a user to visit a malicious web page, bypassing the same-origin policy and executing arbitrary code.

2. Server Certificate Verification Bypass Vulnerability (CVE-2015-0799)
This vulnerability exists in Mozilla's HTTP Alternative Services implementation. When an Alt-Svc header is specified in an HTTP/2 response, the SSL certificate of the specified alternate server is not verified, so warnings about an invalid SSL certificate are not displayed. A remote man-in-the-middle attacker could exploit this vulnerability by hosting a malicious SSL server with an impersonated certificate and responding with a crafted HTTP/2 response containing an Alt-Svc header.
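The following is an added example, not code from the advisory or from Mozilla: it parses an Alt-Svc header value (RFC 7838 syntax) and applies the check a client must make before honouring it, namely that the alternate server presents a trusted certificate valid for the origin host name rather than only for its own. The header value and the certificate SAN lists are constructed sample data.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Constructed sample Alt-Svc header value as an HTTP/2 server might send it.
SAMPLE_ALT_SVC = 'h2="alt.example.net:443"; ma=3600, h2=":8443"; persist=1'

@dataclass
class AltService:
    protocol: str
    host: str      # "" means "same host as the origin"
    port: int
    max_age: int   # seconds the client may cache this alternative

# protocol="authority" followed by optional ;key=value parameters
_ENTRY = re.compile(r'([\w-]+)="(.*?)"((?:\s*;\s*[^;,]+)*)')

def parse_alt_svc(value: str, default_max_age: int = 86400) -> list[AltService]:
    """Parse an Alt-Svc header value into AltService records (invalid entries are skipped)."""
    services = []
    for proto, authority, params in _ENTRY.findall(value):
        host, _, port = authority.rpartition(":")
        if not port.isdigit():          # RFC 7838 requires an explicit port
            continue
        max_age = default_max_age
        for param in params.split(";"):
            key, _, val = param.strip().partition("=")
            if key == "ma" and val.isdigit():
                max_age = int(val)
        services.append(AltService(proto, host, int(port), max_age))
    return services

def hostname_matches(name: str, san_names: list[str]) -> bool:
    """Match a host against certificate dNSName SANs, allowing one leftmost wildcard label."""
    for san in san_names:
        if san.startswith("*."):
            # a wildcard covers exactly one label, so the dot counts must agree
            if name.count(".") == san.count(".") and fnmatchcase(name.lower(), san.lower()):
                return True
        elif san.lower() == name.lower():
            return True
    return False

def accept_alternative(origin_host: str, alt: AltService,
                       alt_cert_sans: list[str], alt_cert_trusted: bool) -> bool:
    """Allow ORIGIN's traffic to be routed to ALT only if the alternative's
    certificate chains to a trusted root AND is valid for the ORIGIN host name
    (RFC 7838 section 2.1). A client that skips this check, or checks only the
    alternative's own name, would follow an attacker-supplied Alt-Svc without
    showing any certificate warning, which is the weakness described above."""
    if not alt_cert_trusted:
        return False
    return hostname_matches(origin_host, alt_cert_sans)
```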


Impact



Solution/ Workarounds


Apply the appropriate fix/patch as mentioned in the Mozilla Security Advisories:

https://www.mozilla.org/en-US/security/advisories/mfsa2015-43/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-44/


References


http://www.cert-in.org.in/


Disclaimer


The information provided herein is on "as is" basis, without warranty of any kind.



© Copyright Sri Lanka CERT|CC. All Rights Reserved.