Date: 30 March 2009
References: AA-2009.0069 ESB-2009.0291 ESB-2009.0295 AU-2009.0014 AU-2009.0015 ESB-2009.0381
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AA-2009.0070 AUSCERT Advisory
[Win][UNIX/Linux]
Mozilla Firefox and SeaMonkey: Execute Arbitrary Code
(firefox patch available)
30 March 2009
- ---------------------------------------------------------------------------
AusCERT Advisory Summary
------------------------
Product: Firefox 3.0.7 and prior
SeaMonkey 1.1.15
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Impact: Execute Arbitrary Code/Commands
Access: Remote/Unauthenticated
CVE Names: CVE-2009-1044 CVE-2009-1169
Member content until: Monday, April 27 2009
Ref: AA-2009.0069
Comment: This update to Firefox was previously slated to be released on
April 1st, however Mozilla has released the update early.
OVERVIEW:
Two critical vulnerabilities have been corrected in Firefox 3.0.8.
Users of 3.0.7 and prior (as well as SeaMonkey), and all users of
older versions of Firefox should upgrade. [1]
IMPACT:
The two vulnerabilities are both rated as critical and allow remote
code execution. [1,2]
The first vulnerability (MFSA 2009-12) has public exploit code
available. It will only be a matter of time before exploits using
this vulnerability are found in the wild. [3]
The second vulnerability (MFSA 2009-13) is the one used to win the
2009 CanSecWest Pwn2Own contest. [2]
MITIGATION:
Users should upgrade to Firefox 3.0.8 available from the Mozilla
website or using "Check for Updates" from the "Help" menu. [4]
Currently there is no update for SeaMonkey on their download site.
When one is released it should be listed on their download site.
[5]
REFERENCES:
[1] Mozilla Foundation Security Advisory 2009-12
http://www.mozilla.org/security/announce/2009/mfsa2009-12.html
[2] Mozilla Foundation Security Advisory 2009-13
http://www.mozilla.org/security/announce/2009/mfsa2009-13.html
[3] http://milw0rm.com/exploits/8285
[4] Firefox web browser | Faster, more secure, & customizable
http://www.mozilla.org/en/firefox/
[5] The SeaMonkey Project
http://www.seamonkey-project.org/
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iD8DBQFJ0AfRNVH5XJJInbgRAlowAJ4oICYkO/SXNzKmVrGz6AmubeuhIQCfRp27
Jrf9Uk5tQb9RcQYlsJJADsU=
=24O0
-----END PGP SIGNATURE-----
|