Date: 16 December 2009
References: ESB-2009.1646 ESB-2009.1651 ESB-2009.1671 ESB-2010.0041 ASB-2010.0021 ESB-2010.0435 ESB-2010.0533
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT Security Bulletin
ASB-2009.1160
Multiple vulnerabilities in Firefox and SeaMonkey
17 December 2009
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product:           Firefox 3.5.5 and prior
                   Firefox 3.0.15 and prior
                   SeaMonkey 2.0.0 and prior
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Unauthorised Access              -- Remote with User Interaction
                   Access Privileged Data          -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2009-3987 CVE-2009-3986 CVE-2009-3985
                   CVE-2009-3984 CVE-2009-3983 CVE-2009-3982
                   CVE-2009-3981 CVE-2009-3980 CVE-2009-3979
                   CVE-2009-3389 CVE-2009-3388
Member content until: Saturday, January 16 2010
Reference:         ESB-2009.1651
                   ESB-2009.1646
OVERVIEW
Mozilla has released 7 advisories relating to Firefox and SeaMonkey
describing a total of 12 vulnerabilities. Mozilla has rated 3 of these
advisories as "Critical", 1 as "High", 2 as "Moderate" and 1 as "Low"
impact.
IMPACT
According to Mozilla, the vulnerabilities corrected in this update
are:
o MFSA 2009-65 (CVE-2009-3982, CVE-2009-3981, CVE-2009-3980,
CVE-2009-3979): "...fixed several stability bugs in the browser
engine used in Firefox and other Mozilla-based products. Some of
these crashes showed evidence of memory corruption under certain
circumstances and we presume that with enough effort at least
some of these could be exploited to run arbitrary code" [1]
o MFSA 2009-66 (CVE-2009-3388): "...several bugs in liboggplay which
posed potential memory safety issues. The bugs which were fixed
could potentially be used by an attacker to crash a victim's
browser and execute arbitrary code on their computer" [2]
o MFSA 2009-67 (CVE-2009-3389): "...an integer overflow in the
Theora video library. A video's dimensions were being multiplied
together and used in particular memory allocations. When the
video dimensions were sufficiently large, the multiplication could
overflow a 32-bit integer resulting in too small a memory buffer
being allocated for the video. An attacker could use a specially
crafted video to write data past the bounds of this buffer,
causing a crash and potentially running arbitrary code on a
victim's computer" [3]
o MFSA 2009-68 (CVE-2009-3983): "...Mozilla's NTLM implementation
was vulnerable to reflection attacks in which NTLM credentials
from one application could be forwarded to another arbitrary
application via the browser. If an attacker could get a user to
visit a web page he controlled he could force NTLM authenticated
requests to be forwarded to another application on behalf of the
user" [4]
o MFSA 2009-69 (CVE-2009-3985, CVE-2009-3984): "...when a page
loaded over an insecure protocol, such as http: or file:, sets
its document.location to a https: URL which responds with a 204
status and empty response body, the insecure page will receive SSL
indicators near the location bar, but will not have its page
content modified in any way. This could lead to a user believing
they were on a secure page when in fact they were not" [5]
"...an issue similar to one fixed in mfsa2009-44 in which a web page
can set document.location to a URL that can't be displayed properly
and then inject content into the resulting blank page. An attacker
could use this vulnerability to place a legitimate-looking but
invalid URL in the location bar and inject HTML and JavaScript
into the body of the page, resulting in a spoofing attack" [5]
o MFSA 2009-70 (CVE-2009-3986): "...a content window which is opened
by a chrome window retains a reference to the chrome window via
the window.opener property. Using this reference, content in the
new window can access functions inside the chrome window, such as
eval, and use these functions to run arbitrary JavaScript code with
chrome privileges. In a stock Mozilla browser a remote attacker
can not cause these application dialogs to appear nor to
automatically load the attack code that takes advantage of this
flaw in window.opener. There may be add-ons which open potentially
hostile web-content in this way, and combined with such an add-on
the severity of this flaw could be upgraded to Critical" [6]
o MFSA 2009-71 (CVE-2009-3987): "...exception messages generated by
Mozilla's GeckoActiveXObject differ based on whether or not the
requested COM object's ProgID is present in the system registry.
A malicious site could use this vulnerability to enumerate a list
of COM objects installed on a user's system and create a profile
to track the user across browsing sessions" [7]
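The integer overflow described under MFSA 2009-67 above is a general bug class: a frame size is computed by multiplying dimensions in 32-bit arithmetic, the product wraps, and the allocation that follows is far smaller than the data later written into it. The following C program is an added illustration written for this bulletin, not code from Mozilla, the Theora library or AusCERT; the function names, the bytes-per-pixel parameter and the MAX_DIMENSION ceiling are assumptions chosen for the example. It places the unchecked sizing pattern beside a checked version that refuses any dimension pair whose product does not fit, which is the mitigation a code reviewer would look for in any decoder that sizes buffers from untrusted headers.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical sanity ceiling on a single dimension (assumption for this
 * example). Real decoders pick a value matching the formats they support. */
#define MAX_DIMENSION 16384u

/* The unchecked pattern behind the bug class: width * height * bpp is
 * evaluated as a 32-bit unsigned product, so sufficiently large header
 * values wrap to a small number and the caller allocates too little. */
uint32_t naive_frame_bytes(uint32_t width, uint32_t height, uint32_t bytes_per_pixel)
{
    return width * height * bytes_per_pixel;   /* wraps silently on overflow */
}

/* The checked form: returns true and stores the byte count only when every
 * multiplication is exact and the dimensions pass the sanity ceiling.
 * The division-based test needs no wider integer type. */
bool checked_frame_bytes(uint32_t width, uint32_t height, uint32_t bytes_per_pixel,
                         size_t *out)
{
    if (width == 0 || height == 0 || bytes_per_pixel == 0)
        return false;
    if (width > MAX_DIMENSION || height > MAX_DIMENSION)
        return false;
    if (width > UINT32_MAX / height)            /* width * height would overflow */
        return false;
    uint32_t area = width * height;
    if (area > UINT32_MAX / bytes_per_pixel)    /* area * bpp would overflow */
        return false;
    *out = (size_t)area * bytes_per_pixel;
    return true;
}

/* Allocate a zeroed frame buffer, or NULL when the size cannot be trusted.
 * Returning NULL here is what turns a potential out-of-bounds write into a
 * clean decode failure. */
uint8_t *alloc_frame(uint32_t width, uint32_t height, uint32_t bytes_per_pixel)
{
    size_t n;
    if (!checked_frame_bytes(width, height, bytes_per_pixel, &n))
        return NULL;
    return calloc(n, 1);
}

int main(void)
{
    /* Constructed header values: a 640x480 RGB frame and an oversized one
     * whose 32-bit product wraps to zero. */
    uint32_t sane_w = 640, sane_h = 480;
    uint32_t huge_w = 65536, huge_h = 65536;
    size_t n;

    printf("naive  640x480x3    -> %u bytes\n", naive_frame_bytes(sane_w, sane_h, 3));
    printf("naive  65536x65536  -> %u bytes (wrapped)\n", naive_frame_bytes(huge_w, huge_h, 1));

    if (checked_frame_bytes(sane_w, sane_h, 3, &n))
        printf("checked 640x480x3   -> %zu bytes\n", n);
    printf("checked 65536x65536 -> %s\n",
           checked_frame_bytes(huge_w, huge_h, 1, &n) ? "accepted" : "rejected");

    uint8_t *frame = alloc_frame(sane_w, sane_h, 3);
    free(frame);
    return 0;
}
```

The checked version rejects the oversized frame before any allocation happens; the naive version reports 0 bytes for 65536x65536, which a subsequent write of the real frame data would overrun. Compile with any C99 compiler and no extra libraries.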
MITIGATION
These vulnerabilities have been fixed in Firefox 3.5.6,
Firefox 3.0.16 and SeaMonkey 2.0.1. Updated versions of these programs
are available from the Mozilla web site. [8][9]
While Firefox 3.0.16 contains fixes for these vulnerabilities, it
is recommended that users of Firefox upgrade to 3.5.6 if possible.
REFERENCES
[1] Mozilla Foundation Security Advisory 2009-65
http://www.mozilla.org/security/announce/2009/mfsa2009-65.html
[2] Mozilla Foundation Security Advisory 2009-66
http://www.mozilla.org/security/announce/2009/mfsa2009-66.html
[3] Mozilla Foundation Security Advisory 2009-67
http://www.mozilla.org/security/announce/2009/mfsa2009-67.html
[4] Mozilla Foundation Security Advisory 2009-68
http://www.mozilla.org/security/announce/2009/mfsa2009-68.html
[5] Mozilla Foundation Security Advisory 2009-69
http://www.mozilla.org/security/announce/2009/mfsa2009-69.html
[6] Mozilla Foundation Security Advisory 2009-70
http://www.mozilla.org/security/announce/2009/mfsa2009-70.html
[7] Mozilla Foundation Security Advisory 2009-71
http://www.mozilla.org/security/announce/2009/mfsa2009-71.html
[8] Mozilla Firefox web browser
http://www.mozilla.org/firefox
[9] SeaMonkey Project
http://www.seamonkey-project.org/
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iD8DBQFLKYvtNVH5XJJInbgRAgqsAJ4ncWFNEAClZ8AwuLxUSfwnmEn55wCeIE0P
tHhibM3V730aeZbdtIFAQ3w=
=RZm5
-----END PGP SIGNATURE-----