Denial of service in Mozilla Firefox

1) Denial of service

EUVDB-ID: #VU1018

Risk: Medium

CVSSv3.1: 7.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-1954

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated user to cause DoS conditions on the target system.
The weakness is due to improper input validation. By convincing a victim to visit a malicious website, attackers can overwrite an add-on resource that may lead to denial of service or privilege escalation.
Successful exploitation of the vulnerability will result in denial of service on the vulnerable system.

Mitigation

Update Firefox to version 45.
Update Firefox ESR to version 38.7.
Update Thunderbird to version 38.7 or 45.

Vulnerable software versions

Mozilla Firefox: 40.0 - 44.0

Firefox ESR: 38.0 - 38.6.0

Mozilla Thunderbird: 34.0 - 38.6

Oracle Solaris: 11.3

Oracle Linux: 5 - 7

External links

http://tools.cisco.com/security/center/viewAlert.x?alertId=43941
http://www.mozilla.org/en-US/security/advisories/mfsa2016-17/
http://www.oracle.com/technetwork/topics/security/bulletinoct2016-3090566.html
http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.