Date: 20 October 2010
References: ESB-2010.0943 ESB-2010.0945 ESB-2010.0993 ESB-2010.0994 ESB-2010.1002 ESB-2010.1014 ESB-2010.1029 ESB-2010.1030 ESB-2010.1058 ESB-2011.1090.4
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT Security Bulletin
ASB-2010.0229
Mozilla has released versions 3.6.11 and 3.5.14 of Firefox
20 October 2010
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Firefox
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Access Privileged Data -- Remote with User Interaction
Modify Arbitrary Files -- Remote with User Interaction
Reduced Security -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2010-3183 CVE-2010-3181 CVE-2010-3180
CVE-2010-3179 CVE-2010-3178 CVE-2010-3176
CVE-2010-3175 CVE-2010-3174 CVE-2010-3173
CVE-2010-3170
Member content until: Friday, November 19 2010
Reference: ESB-2010.0943
OVERVIEW
Mozilla has released versions 3.6.11 and 3.5.14 of the Firefox web
browser, correcting multiple security vulnerabilities.
IMPACT
The vendor has supplied the following information regarding these
vulnerabilities:
"Mozilla cryptographer Nelson Bolyard reported that the SSL
implementation was permitting servers to use Diffie-Hellman Ephemeral
mode (DHE) with too short of a minimum key length. DHE keys of such
lengths are trivially breakable on modern hardware so SSL servers
operating in this mode were providing very little effective security
for their clients." [1]
"Mozilla developer Ehsan Akhgari reported that a function used to load
external libraries on Windows platforms was using a relative path to a
DLL-loading application and was thus vulnerable to binary planting if
an attacker was able to place an executable of the same name in the
current working directory or any of the other locations that Windows
searches for executables.
Dmitri Gribenko reported that the script used to launch Mozilla
applications on Linux was effectively including the current working
directory in the LD_LIBRARY_PATH environment variable. If an attacker
was able to place into the current working directory a malicious
shared library with the same name as a library that the bootstrapping
script depends on the attacker could have their library loaded instead
of the legitimate library." [2]
"Security researcher Richard Moore reported that when an SSL
certificate was created with a common name containing a wildcard
followed by a partial IP address a valid SSL connection could be
established with a server whose IP address matched the wildcard range
by browsing directly to the IP address. It is extremely unlikely that
such a certificate would be issued by a Certificate Authority." [3]
"Security researcher Eduardo Vela Nava reported that if a web page
opened a new window and used a javascript: URL to make a modal call,
such as alert(), then subsequently navigated the page to a different
domain, once the modal call returned the opener of the window could
get access to objects in the navigated window. This is a violation of
the same-origin policy and could be used by an attacker to steal
information from another web site." [4]
"Google security researcher Robert Swiecki reported that functions used
by the Gopher parser to convert text to HTML tags could be exploited to
turn text into executable JavaScript. If an attacker could create a
file or directory on a Gopher server with the encoded script as part of
its name the script would then run in a victim's browser within the
context of the site." [5]
"Security researcher regenrecht reported via TippingPoint's Zero Day
Initiative that when window.__lookupGetter__ is called with no
arguments the code assumes the top JavaScript stack value is a property
name. Since there were no arguments passed into the function, the top
value could represent uninitialized memory or a pointer to a previously
freed JavaScript object. Under such circumstances the value is passed
to another subroutine which calls through the dangling pointer,
potentially executing attacker-controlled memory." [6]
"Security researcher Sergey Glazunov reported that it was possible to
access the locationbar property of a window object after it had been
closed. Since the closed window's memory could have been subsequently
reused by the system it was possible that an attempt to access the
locationbar property could result in the execution of attacker-
controlled memory." [7]
"Security researcher Alexander Miller reported that passing an
excessively long string to document.write could cause text rendering
routines to end up in an inconsistent state with sections of stack
memory being overwritten with the string data. An attacker could use
this flaw to crash a victim's browser and potentially run arbitrary
code on their computer." [8]
"Mozilla developers identified and fixed several memory safety bugs
in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort
at least some of these could be exploited to run arbitrary code." [9]
MITIGATION
It is recommended that users of Firefox upgrade to the latest version.
REFERENCES
[1] Mozilla Foundation Security Advisory 2010-72
http://www.mozilla.org/security/announce/2010/mfsa2010-72.html
[2] Mozilla Foundation Security Advisory 2010-71
http://www.mozilla.org/security/announce/2010/mfsa2010-71.html
[3] Mozilla Foundation Security Advisory 2010-70
http://www.mozilla.org/security/announce/2010/mfsa2010-70.html
[4] Mozilla Foundation Security Advisory 2010-69
http://www.mozilla.org/security/announce/2010/mfsa2010-69.html
[5] Mozilla Foundation Security Advisory 2010-68
http://www.mozilla.org/security/announce/2010/mfsa2010-68.html
[6] Mozilla Foundation Security Advisory 2010-67
http://www.mozilla.org/security/announce/2010/mfsa2010-67.html
[7] Mozilla Foundation Security Advisory 2010-66
http://www.mozilla.org/security/announce/2010/mfsa2010-66.html
[8] Mozilla Foundation Security Advisory 2010-65
http://www.mozilla.org/security/announce/2010/mfsa2010-65.html
[9] Mozilla Foundation Security Advisory 2010-64
http://www.mozilla.org/security/announce/2010/mfsa2010-64.html
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iD8DBQFMvnOQ/iFOrG6YcBERAjp5AKDCIP77S/PKGquiIvLzTxeXFPzKhwCfbdrI
4G9hIxNH4aN/hmPyidM8rr4=
=JF7v
-----END PGP SIGNATURE-----
|