CVSS2 score: 10 (High)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
CVSS2 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EPSS score: 0.082 (Low)
EPSS percentile: 93.7%
Gary Kwong, Christian Holler, and Byron Campen reported memory safety
problems and crashes that affect Firefox ESR 38.1 and Firefox 39.
Tyson Smith, Bobby Holley, Chris Coulson, Byron Campen, and Eric Rahm
reported memory safety problems and crashes that affect Firefox 39.
Security researcher Aki Helin used the Address Sanitizer tool to
discover an out-of-bounds read during playback of a malformed MP3 format
audio file which switches sample formats. This could trigger a
potentially exploitable crash or the reading of out-of-bounds memory
content in some circumstances.
Security researcher SkyLined reported a use-after-free issue in how
audio is handled during MediaStream playback through interactions with
the Web Audio API. This results in a potentially exploitable crash.
Security researcher André Bargull reported non-configurable properties
on JavaScript objects can be redefined while parsing JSON in violation
of the ECMAScript 6 standard. This allows malicious web content to
bypass same-origin policy by editing these properties to arbitrary values.
An anonymous researcher, via TippingPoint’s Zero Day Initiative,
reported two integer overflows that could be triggered by a malicious
‘saio’ chunk in an MPEG4 video, leading to potential arbitrary code
execution. This issue was independently reported by security researcher
laf.intel.
Security researcher Massimiliano Tomassoli discovered an integer
overflow issue when parsing an invalid MPEG4 video.
Security researcher Holger Fuhrmannek reported that if the Updater opens
a MAR format file with a specially crafted name, an out-of-bounds write
will occur. This can lead to a potentially exploitable crash but
requires that the malicious MAR format file be present on the local
system and the Updater to be run to use it.
Security researcher Masato Kinugawa reported that opening a target page
using a POST to the URL prefixed with the feed: protocol disables the
mixed content blocker for that page. This could allow for the risk of a
man-in-the-middle (MITM) scripting attack on pages that accidentally
include insecure content which would otherwise be blocked.
Security researcher Jukka Jylänki reported a crash that occurs because
JavaScript, when using shared memory, does not properly gate access to
Atomics or SharedArrayBuffer views in some contexts. This leads to a
non-exploitable crash.
Security researcher Abhishek Arya (Inferno) of the Google Chrome
Security Team used the Address Sanitizer tool to discover two buffer
overflow issues in the Libvpx library used for WebM video when decoding
a malformed WebM video file. These buffer overflows result in
potentially exploitable crashes.
Security researcher Ronald Crane reported three vulnerabilities
affecting released code that were found through code inspection. These
included one use of unowned memory, one use of a deleted object, and one
memory safety bug. These do not all have clear mechanisms to be
exploited through web content but are vulnerable if a mechanism can be
found to trigger them.
Mozilla security engineer Christoph Kerschbaumer reported a discrepancy
between Mozilla’s implementation of Content Security Policy and the CSP
specification. The specification states that blob:, data:, and
filesystem: URLs should be excluded when matching source expressions
against a wildcard, but Mozilla’s implementation allows them in the case
of an asterisk wildcard. This could allow for more permissive CSP usage
than expected by a web developer, possibly allowing for cross-site
scripting (XSS) attacks.
Security researcher Gustavo Grieco reported a heap overflow in
gdk-pixbuf affecting Linux systems using Gnome. This issue is triggered
by the scaling of a malformed bitmap format image and results in a
potentially exploitable crash.
Security researcher Looben Yang discovered a use-after-free
vulnerability when recursively calling .open() on an XMLHttpRequest in a
SharedWorker.
Mozilla security engineer Tyson Smith used the Address Sanitizer to find
a buffer overflow when parsing an MPEG4 video with an invalid size in an
ESDS chunk, which leads to memory corruption.
access.redhat.com/security/cve/CVE-2015-4473
access.redhat.com/security/cve/CVE-2015-4474
access.redhat.com/security/cve/CVE-2015-4475
access.redhat.com/security/cve/CVE-2015-4477
access.redhat.com/security/cve/CVE-2015-4478
access.redhat.com/security/cve/CVE-2015-4479
access.redhat.com/security/cve/CVE-2015-4480
access.redhat.com/security/cve/CVE-2015-4482
access.redhat.com/security/cve/CVE-2015-4483
access.redhat.com/security/cve/CVE-2015-4484
access.redhat.com/security/cve/CVE-2015-4485
access.redhat.com/security/cve/CVE-2015-4486
access.redhat.com/security/cve/CVE-2015-4487
access.redhat.com/security/cve/CVE-2015-4488
access.redhat.com/security/cve/CVE-2015-4489
access.redhat.com/security/cve/CVE-2015-4490
access.redhat.com/security/cve/CVE-2015-4491
access.redhat.com/security/cve/CVE-2015-4492
access.redhat.com/security/cve/CVE-2015-4493
www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox40