Date: 21 July 2010
References: ESB-2010.0638 ESB-2010.0639 ESB-2010.0650 ESB-2010.0663 ESB-2010.0925 ESB-2010.0994 ESB-2010.1014 ESB-2010.1039.2 ESB-2010.1066 ASB-2011.0062
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT Security Bulletin
ASB-2010.0175
Firefox 3.6.7 Released
21 July 2010
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product:              Firefox
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Access Privileged Data          -- Remote/Unauthenticated
                      Cross-site Scripting            -- Remote/Unauthenticated
                      Provide Misleading Information  -- Remote/Unauthenticated
                      Read-only Data Access           -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2010-2754 CVE-2010-2753 CVE-2010-2752
                      CVE-2010-2751 CVE-2010-1215 CVE-2010-1214
                      CVE-2010-1213 CVE-2010-1212 CVE-2010-1211
                      CVE-2010-1210 CVE-2010-1209 CVE-2010-1208
                      CVE-2010-1207 CVE-2010-1206 CVE-2010-1205
                      CVE-2010-0654
Member content until: Friday, August 20 2010
OVERVIEW
Mozilla has released version 3.6.7 of the Firefox web browser,
correcting multiple security vulnerabilities.
IMPACT
The vendor has supplied the following information regarding these
vulnerabilities:
"Security researcher Soroush Dalili reported that potentially
sensitive URL parameters could be leaked across domains upon script
errors when the script filename and line number are included in the
error message." [1]
"Google security researcher Chris Evans reported that data can be
read across domains by injecting bogus CSS selectors into a target
site and then retrieving the data using JavaScript APIs. If an
attacker can inject opening and closing portions of a CSS selector
into points A and B of a target page, then the region between the
two injection points becomes readable to JavaScript through, for
example, the getComputedStyle() API." [2]
"Google security researcher Michal Zalewski reported two methods for
spoofing the contents of the location bar. The first method works by
opening a new window containing a resource that responds
with an HTTP 204 (no content) and then using the reference to the
new window to insert HTML content into the blank document. The
second location bar spoofing method does not require that the
resource opened in a new window respond with 204, as long as the
opener calls window.stop() before the document is loaded. In either
case a user could be misled as to the correct location of the
document they are currently viewing.
Security researcher Jordi Chancel reported that the location bar
could be spoofed to look like a secure page when the current
document was served via plaintext. The vulnerability is triggered by
a server by first redirecting a request for a plaintext resource to
another resource behind a valid SSL/TLS certificate. A second
request made to the original plaintext resource which is responded
to not with a redirect but with JavaScript containing history.back()
and history.forward() will result in the plaintext
resource being displayed with valid SSL/TLS badging in the location
bar." [3]
"Security researcher O. Andersen reported that undefined positions
within various 8 bit character encodings are mapped to the sequence
U+FFFD which when displayed causes the immediately following
character to disappear from the text run. This could potentially
contribute to XSS problems on sites which expected extra characters
to be present within strings being sanitized on the server." [4]
"Mozilla developer Vladimir Vukicevic reported that a canvas element
can be used to read data from another site, violating the
same-origin policy. The read restriction placed on a canvas element
which has had cross-origin data rendered into it can be bypassed by
retaining a reference to the canvas element's context and deleting
the associated canvas node from the DOM." [5]
"Security researcher Yosuke Hasegawa reported that the Web Worker
method importScripts can read and parse resources from other domains
even when the content is not valid JavaScript. This is a violation
of the same-origin policy and could be used by an attacker to steal
information from other sites." [6]
"OUSPG researcher Aki Helin reported a buffer overflow in Mozilla
graphics code which consumes image data processed by libpng. A
malformed PNG file could be created which would cause libpng to
incorrectly report the size of the image to downstream consumers.
When the dimensions of such images are underreported, the Mozilla
code responsible for displaying the graphic will allocate too small
a memory buffer to contain the image data and will wind up writing
data past the end of the buffer. This could result in the execution
of attacker-controlled memory." [7]
"Security researcher regenrecht reported via TippingPoint's Zero Day
Initiative an integer overflow vulnerability in the implementation
of the XUL <tree> element's selection attribute. When the size of a
new selection is sufficiently large the integer used in calculating
the length of the selection can overflow, resulting in a bogus range
being marked selected. When adjustSelection is then called on the
bogus range the range is deleted leaving dangling references to the
ranges which could be used by an attacker to call into deleted
memory and run arbitrary code on a victim's computer." [8]
"Security researcher J23 reported via TippingPoint's Zero Day
Initiative that an array class used to store CSS values contained an
integer overflow vulnerability. The 16 bit integer value used in
allocating the size of the array could overflow, resulting in too
small a memory buffer being created. When the array was later
populated with CSS values data would be written past the end of the
buffer potentially resulting in the execution of attacker-controlled
memory." [9]
"Mozilla security researcher moz_bug_r_a4 reported that when content
script which is running in a chrome context accesses a content
object via SJOW, the content code can gain access to an object from
the chrome scope and use that object to run arbitrary JavaScript
with chrome privileges.
Note: Firefox 3.5 and other Mozilla products built from Gecko 1.9.1
were not affected by this issue." [10]
"Security researcher J23 reported via TippingPoint's Zero Day
Initiative an error in the code used to store the names and values
of plugin parameter elements. A malicious page could embed plugin
content containing a very large number of parameter elements which
would cause an overflow in the integer value counting them. This
integer is later used in allocating a memory buffer used to store
the plugin parameters. Under such conditions, too small a buffer
would be created and attacker-controlled data could be written past
the end of the buffer, potentially resulting in code execution." [11]
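The libpng, CSS-value-array and plugin-parameter issues above share one bug class: a buffer is sized from an attacker-influenced count or dimension that silently wraps, so later writes run past its end. The C below is an added illustration, not Mozilla code; VALUE_SIZE, the function names and the 16-bit counter are assumptions chosen to mirror the advisories. It shows the truncating count beside the overflow-checked sizing and bounded copy a consumer should use instead.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical per-element size for a stored CSS value or plugin parameter. */
#define VALUE_SIZE 8u

/* Vulnerable pattern: the element count lives in a 16-bit integer, so a
 * count above 65535 wraps and the resulting buffer is far too small. */
size_t wrapped_count16(size_t true_count) {
    uint16_t n = (uint16_t)true_count;   /* truncating store: the defect */
    return (size_t)n;
}

/* Hardened: compute count * elem only if it cannot wrap in size_t. */
int checked_buffer_size(size_t count, size_t elem, size_t *out) {
    if (count == 0 || elem == 0 || count > SIZE_MAX / elem)
        return 0;                        /* refuse: would overflow */
    *out = count * elem;
    return 1;
}

/* Allocate storage for 'count' values, failing closed on arithmetic
 * overflow or on a count above a policy limit instead of wrapping. */
void *alloc_values(size_t count, size_t max_count) {
    size_t bytes;
    if (count > max_count) return NULL;
    if (!checked_buffer_size(count, VALUE_SIZE, &bytes)) return NULL;
    return calloc(1, bytes);
}

/* Copy decoded image rows only if they fit the buffer that was sized
 * from the (possibly under-reported) header. Returns bytes copied, or 0
 * when the data would overrun the destination. */
size_t copy_image_bounded(uint8_t *dst, size_t dst_len,
                          const uint8_t *rows, size_t rows_len) {
    if (rows_len > dst_len) return 0;
    memcpy(dst, rows, rows_len);
    return rows_len;
}
```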
"Security researcher regenrecht reported via TippingPoint's Zero Day
Initiative an error in Mozilla's implementation of NodeIterator in
which a malicious NodeFilter could be created which would detach
nodes from the DOM tree while it was being traversed. The use of a
detached and subsequently deleted node could result in the execution
of attacker-controlled memory." [12]
"Security researcher regenrecht reported via TippingPoint's Zero Day
Initiative an error in the DOM attribute cloning routine where under
certain circumstances an event attribute node can be deleted while
another object still contains a reference to it. This reference
could subsequently be accessed, potentially causing the execution of
attacker-controlled memory." [13]
"Mozilla developers identified and fixed several memory safety bugs
in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort
at least some of these could be exploited to run arbitrary code." [14]
MITIGATION
It is recommended that users of Firefox upgrade to version 3.6.7.
REFERENCES
[1] Mozilla Foundation Security Advisory 2010-47
http://www.mozilla.org/security/announce/2010/mfsa2010-47.html
[2] Mozilla Foundation Security Advisory 2010-46
http://www.mozilla.org/security/announce/2010/mfsa2010-46.html
[3] Mozilla Foundation Security Advisory 2010-45
http://www.mozilla.org/security/announce/2010/mfsa2010-45.html
[4] Mozilla Foundation Security Advisory 2010-44
http://www.mozilla.org/security/announce/2010/mfsa2010-44.html
[5] Mozilla Foundation Security Advisory 2010-43
http://www.mozilla.org/security/announce/2010/mfsa2010-43.html
[6] Mozilla Foundation Security Advisory 2010-42
http://www.mozilla.org/security/announce/2010/mfsa2010-42.html
[7] Mozilla Foundation Security Advisory 2010-41
http://www.mozilla.org/security/announce/2010/mfsa2010-41.html
[8] Mozilla Foundation Security Advisory 2010-40
http://www.mozilla.org/security/announce/2010/mfsa2010-40.html
[9] Mozilla Foundation Security Advisory 2010-39
http://www.mozilla.org/security/announce/2010/mfsa2010-39.html
[10] Mozilla Foundation Security Advisory 2010-38
http://www.mozilla.org/security/announce/2010/mfsa2010-38.html
[11] Mozilla Foundation Security Advisory 2010-37
http://www.mozilla.org/security/announce/2010/mfsa2010-37.html
[12] Mozilla Foundation Security Advisory 2010-36
http://www.mozilla.org/security/announce/2010/mfsa2010-36.html
[13] Mozilla Foundation Security Advisory 2010-35
http://www.mozilla.org/security/announce/2010/mfsa2010-35.html
[14] Mozilla Foundation Security Advisory 2010-34
http://www.mozilla.org/security/announce/2010/mfsa2010-34.html
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iD8DBQFMRj6l/iFOrG6YcBERAgK4AJ9vnXoN6CeQR8RNFUUwdVMR/ntJGQCggjE5
TS2sjSrbk+1daneuLfoFkEg=
=BN8/
-----END PGP SIGNATURE-----