CVE-2017-7764: Input Validation
First published: Tue Jun 13 2017(Updated: )
Characters from the "Canadian Syllabics" unicode block can be mixed with characters from other unicode blocks in the addressbar instead of being rendered as their raw "punycode" form, allowing for domain name spoofing attacks through character confusion. The current Unicode standard allows characters from "Aspirational Use Scripts" such as Canadian Syllabics to be mixed with Latin characters in the "moderately restrictive" IDN profile. We have changed Firefox behavior to match the upcoming Unicode version 10.0 which removes this category and treats them as "Limited Use Scripts."
Credit: security@mozilla.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/firefox | 118.0.2-1 | |
| debian/firefox-esr | 91.12.0esr-1~deb10u1 115.3.1esr-1~deb10u1 102.15.0esr-1~deb11u1 115.3.1esr-1~deb11u1 102.15.1esr-1~deb12u1 115.3.0esr-1~deb12u1 115.3.0esr-1 | |
| Thunderbird | <52.2 | 52.2 |
| Firefox | <54.0 | |
| Firefox ESR | <52.2.0 | |
| Thunderbird | <52.2.0 | |
| Debian | =8.0 | |
| Debian | =9.0 | |
| Firefox | <54 | 54 |
| Firefox ESR | <52.2 | 52.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.mozilla.org/show_bug.cgi?id=1364283
- http://www.unicode.org/reports/tr31/tr31-26.html#Aspirational_Use_Scripts
- https://www.mozilla.org/en-US/security/advisories/mfsa2017-17/
- https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/
- https://www.mozilla.org/en-US/security/advisories/mfsa2017-16/
- http://www.securityfocus.com/bid/99057
- http://www.securitytracker.com/id/1038689
- https://access.redhat.com/errata/RHSA-2017:1440
- https://access.redhat.com/errata/RHSA-2017:1561
- https://www.debian.org/security/2017/dsa-3881
- https://www.debian.org/security/2017/dsa-3918
- https://www.mozilla.org/security/advisories/mfsa2017-15/
- https://www.mozilla.org/security/advisories/mfsa2017-16/
- https://www.mozilla.org/security/advisories/mfsa2017-17/
- https://www.mozilla.org/en-US/security/advisories/mfsa2017-16/#CVE-2017-7764
- https://bugzilla.redhat.com/show_bug.cgi?id=1461262
- https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7764
- https://www.mozilla.org/en-US/security/advisories/mfsa2017-17/#CVE-2017-7764
- https://security-tracker.debian.org/tracker/CVE-2017-7764
Peer vulnerabilities
(Found alongside the following vulnerabilities)
- CVE-2017-5472
- CVE-2017-7749
- CVE-2017-7750
- CVE-2017-7751
- CVE-2017-7755
- CVE-2017-7752
- CVE-2017-7754
- CVE-2017-7756
- CVE-2017-7757
- CVE-2017-7778
- CVE-2017-7758
- CVE-2017-7763
- CVE-2017-7764
- CVE-2017-7765
- CVE-2017-5470
- CVE-2017-7759
- CVE-2017-7760
- CVE-2017-7761
- CVE-2017-7762
- CVE-2017-7766
- CVE-2017-7767
- CVE-2017-7768
- CVE-2017-7770
- CVE-2017-5471
Frequently Asked Questions
What is the severity of CVE-2017-7764?
CVE-2017-7764 has a moderate severity level, potentially allowing domain name spoofing attacks.
How do I fix CVE-2017-7764?
To fix CVE-2017-7764, update your affected Mozilla products to the latest versions recommended by Mozilla.
Which products are affected by CVE-2017-7764?
CVE-2017-7764 affects Mozilla Firefox versions up to 54, Firefox ESR up to 52.2, and Thunderbird up to 52.2.
Can CVE-2017-7764 allow for phishing attacks?
Yes, CVE-2017-7764 can potentially be exploited for phishing attacks due to character confusion in the address bar.
Is there a workaround for CVE-2017-7764?
There is no documented workaround for CVE-2017-7764, so it is critical to apply the necessary updates.
- collector/security-tracker-debian
- agent/type
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2017-7764
- agent/weakness
- agent/references
- agent/severity
- agent/author
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/trending
- agent/source
- collector/mozilla-advisory
- agent/software-canonical-lookup-request
- source/Mozilla
- agent/software-canonical-lookup
- collector/nvd-index
- agent/softwarecombine
- agent/tags
- package-manager/debian
- vendor/mozilla
- canonical/thunderbird
- canonical/firefox
- canonical/firefox esr
- vendor/debian
- canonical/debian
- version/debian/8.0
- version/debian/9.0