CVE-2016-9079
Published: 11 June 2018
Summary
CVE-2016-9079 is a high-severity Use After Free (CWE-416) vulnerability in Microsoft Windows. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 0.6% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
A use-after-free vulnerability, tracked as CVE-2016-9079 and assigned CWE-416, exists in the SVG Animation component of Mozilla products. It affects Firefox versions prior to 50.0.2, Firefox ESR versions prior to 45.5.1, and Thunderbird versions prior to 45.5.1. The flaw received a CVSS 3.1 base score of 7.5, reflecting a network attack vector, low attack complexity, no privileges or user interaction required, and a confidentiality impact.
An attacker can exploit the issue remotely by serving malicious web content containing crafted SVG animations. Public reporting indicates that working exploits were found in the wild, specifically targeting Firefox and Tor Browser users on Windows, enabling unauthorized disclosure of sensitive information from the affected process.
Red Hat Security Advisories RHSA-2016-2843 and RHSA-2016-2850, along with the referenced Mozilla bug 1321066, address the issue through updated packages that correct the use-after-free condition in SVG handling. Applying these updates to reach the fixed versions eliminates the vulnerability for supported deployments.
The vulnerability is notable for confirmed real-world exploitation prior to widespread patching, underscoring the need for rapid update deployment on Windows endpoints running the affected Mozilla software.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2016-9900
Vulnerability details
A use-after-free vulnerability in SVG Animation has been discovered. An exploit built on this vulnerability has been discovered in the wild targeting Firefox and Tor Browser users on Windows. This vulnerability affects Firefox < 50.0.2, Firefox ESR < 45.5.1, and Thunderbird < 45.5.1.
- CWE(s): CWE-416
- KEV Date Added: 22 June 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires applying vendor patches that eliminate the use-after-free condition in SVG Animation for Firefox < 50.0.2 and ESR < 45.5.1.
- Malicious-code protection: enforces detection and blocking mechanisms that can intercept crafted SVG animation payloads delivered over the network before they trigger the flaw.
- RA-5 (Vulnerability Monitoring and Scanning): requires continuous vulnerability scanning to identify unpatched Mozilla instances susceptible to CVE-2016-9079 before exploitation occurs.