KLA11153 Multiple vulnerabilities in Mozilla Firefox and Firefox ESR

Multiple serious vulnerabilities have been found in Mozilla Firefox. Malicious users can exploit these vulnerabilities to cause denial of service and obtain sensitive information.

1. A buffer overflow vulnerability in Direct 3D 9 component can be exploited remotely to cause denial of service;
2. A vulnerability in IndexedDB component can be exploited remotely to obtain sensitive information;

Technical details

Vulnerability(1) is related to Firefox and Firefox ESR for Windows OS, other operating systems are unaffected.

Vulnerability(2) is related to Mozilla Firefox ESR

Original advisories

Mozilla Foundation Security Advisory 2017-29

Mozilla Foundation Security Advisory 2017-28

Related products

Mozilla-Firefox

Mozilla-Firefox-ESR

CVE list

CVE-2017-7843 warning

CVE-2017-7845 critical

KB list

Solution

Update to latest version

Download Mozilla Firefox

Impacts

• ACE

Arbitrary code execution. Exploitation of vulnerabilities with this impact can lead to executing by abuser any code or commands at vulnerable machine or process.

• OSI

Obtain sensitive information. Exploitation of vulnerabilities with this impact can lead to capturing by abuser information, critical for user or system.

• DoS

Denial of service. Exploitation of vulnerabilities with this impact can lead to loss of system availability or critical functional fault.

• CI

Code injection. Exploitation of vulnerabilities with this impact can lead to changes in target code.

• SUI

Spoof user interface. Exploitation of vulnerabilities with this impact can lead to changes in user interface to beguile user into inaccurate behavior.

Affected Products

• Mozilla Firefox versions earlier then 57.0.2Mozilla Firefox ESR versions earlier then 52.5.2