search menu icon-carat-right cmu-wordmark

CERT Coordination Center


Mozilla Firefox SVG animation nsSMILTimeContainer use-after-free vulnerability

Vulnerability Note VU#791496

Original Release Date: 2016-11-30 | Last Revised: 2016-12-02

Overview

Mozilla Firefox contains a use-after-free vulnerability in the SVG animation functionality, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

Description

Mozilla Firefox supports SVG animation through the use of SMIL. The nsSMILTimeContainer object contains a use-after-free vulnerability, which can allow arbitrary code execution.

Exploit code for this vulnerability is publicly available, which specifically targets the Tor Browser Bundle.

Impact

By convincing a use to view specially-crafted web content, a remote-unauthenticated attacker may be able to execute arbitrary code on an affected system.

Solution

Apply an update

This issue is addressed in Tor Browser 6.0.7 and Mozilla Firefox versions 50.0.2 and 45.5.1 ESR, as well as Thunderbird 45.5.1.

Disable JavaScript

This vulnerability can be mitigated by disabling JavaScript. This can be accomplished through use of the NoScript Firefox add-on.

Use the Microsoft Enhanced Mitigation Experience Toolkit

The Microsoft Enhanced Mitigation Experience Toolkit (EMET) can be used to help prevent exploitation of this and other vulnerabilities. Limited testing has shown that the following mitigations present in EMET 4.0 and later blog the public exploit for this vulnerability:

    • StackPivot
    • EAF
    • Caller

Vendor Information

791496
Expand all

Mozilla

Updated:  November 30, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://www.mozilla.org/en-US/security/advisories/mfsa2016-92/

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Tor

Updated:  November 30, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://blog.torproject.org/blog/tor-browser-607-released

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P
Temporal 6.5 E:H/RL:OF/RC:C
Environmental 6.5 CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

Credit

This document was written by Will Dormann.

Other Information

CVE IDs: CVE-2016-9079
Date Public: 2016-11-29
Date First Published: 2016-11-30
Date Last Updated: 2016-12-02 19:56 UTC
Document Revision: 14

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.