Date: 18 July 2012
References: ESB-2012.0684 ESB-2012.0686
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT Security Bulletin
ASB-2012.0104
New versions of Mozilla Firefox, Thunderbird, and SeaMonkey
18 July 2012
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Firefox
Thunderbird
SeaMonkey
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Access Privileged Data -- Remote with User Interaction
Cross-site Scripting -- Remote with User Interaction
Denial of Service -- Remote with User Interaction
Provide Misleading Information -- Remote with User Interaction
Access Confidential Data -- Remote with User Interaction
Reduced Security -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2012-1967 CVE-2012-1966 CVE-2012-1965
CVE-2012-1964 CVE-2012-1963 CVE-2012-1962
CVE-2012-1961 CVE-2012-1960 CVE-2012-1959
CVE-2012-1958 CVE-2012-1957 CVE-2012-1955
CVE-2012-1954 CVE-2012-1953 CVE-2012-1952
CVE-2012-1951 CVE-2012-1950 CVE-2012-1949
CVE-2012-1948
Member content until: Friday, August 17 2012
OVERVIEW
Multiple vulnerabilities have been fixed in Mozilla Firefox,
Thunderbird and in SeaMonkey. [1]
IMPACT
The vendor has provided the following details about the vulnerabilities:
"Mozilla developers identified and fixed several memory safety bugs in
the browser engine used in Firefox and other Mozilla-based products.
Some of these bugs showed evidence of memory corruption under certain
circumstances, and we presume that with enough effort at least some of
these could be exploited to run arbitrary code." MFSA 2012-42 [2]
"Security researcher Mario Gomes andresearch firm Code Audit Labs
reported a mechanism to short-circuit page loads through drag and drop
to the addressbar by canceling the page load. This causes the address
of the previously site entered to be displayed in the addressbar
instead of the currently loaded page. This could lead to potential
phishing attacks on users." MFSA 2012-43 [3]
"Google security researcher Abhishek Arya used the Address Sanitizer
tool to uncover four issues: two use-after-free problems, one out of
bounds read bug, and a bad cast. The first use-after-free problem is
caused when an array of nsSMILTimeValueSpec objects is destroyed but
attempts are made to call into objects in this array later. The second
use-after-free problem is in nsDocument::AdoptNode when it adopts into
an empty document and then adopts into another document, emptying the
first one. The heap buffer overflow is in ElementAnimations when data
is read off of end of an array and then pointers are dereferenced. The
bad cast happens when nsTableFrame::InsertFrames is called with frames
in aFrameList that are a mix of row group frames and column group
frames. AppendFrames is not able to handle this mix." MFSA 2012-44 [4]
"Security researcher Mariusz Mlynski reported an issue with spoofing of
the location property. In this issue, calls to history.forward and
history.back are used to navigate to a site while displaying the
previous site in the addressbar but changing the baseURI to the newer
site. This can be used for phishing by allowing the user input form or
other data on the newer, attacking, site while appearing to be on the
older, displayed site." MFSA 2012-45 [5]
"Mozilla security researcher moz_bug_r_a4 reported a cross-site
scripting (XSS) attack through the context menu using a data: URL. In
this issue, context menu functionality ("View Image", "Show only this
frame", and "View background image") are disallowed in a javascript:
URL but allowed in a data: URL, allowing for XSS. This can lead to
arbitrary code execution." MFSA 2012-46 [6]
"Security researcher Mario Heiderich reported that javascript could be
executed in the HTML feed-view using <embed> tag within the RSS
<description>. This problem is due to <embed> tags not being filtered
out during parsing and can lead to a potential cross-site scripting
(XSS) attack. The flaw existed in a parser utility class and could
affect other parts of the browser or add-ons which rely on that class
to sanitize untrusted input." MFSA 2012-47 [7]
"Security researcher Arthur Gerkis used the Address Sanitizer tool to
find a use-after-free in nsGlobalWindow::PageHidden when
mFocusedContent is released and oldFocusedContent is used afterwards.
This use-after-free could possibly allow for remote code execution."
MFSA 2012-48 [8]
"Mozilla developer Bobby Holley found that same-compartment security
wrappers (SCSW) can be bypassed by passing them to another
compartment. Cross-compartment wrappers often do not go through SCSW,
but have a filtering policy built into them. When an object is wrapped
cross-compartment, the SCSW is stripped off and, when the object is
read read back, it is not known that SCSW was previously present,
resulting in a bypassing of SCSW. This could result in untrusted
content having access to the XBL that implements browser
functionality." MFSA 2012-49 [9]
"Google developer Tony Payne reported an out of bounds (OOB) read in
QCMS, Mozilla's color management library. With a carefully crafted
color profile portions of a user's memory could be incorporated into a
transformed image and possibly deciphered." MFSA 2012-50 [10]
"Bugzilla developer Frédéric Buclin reported that the "X-Frame-Options
header is ignored when the value is duplicated, for example
X-Frame-Options: SAMEORIGIN, SAMEORIGIN. This duplication occurs for
unknown reasons on some websites and when it occurs results in Mozilla
browsers not being protected against possible clickjacking attacks on
those pages." MFSA 2012-51 [11]
"Security researcher Bill Keese reported a memory corruption. This is
caused by JSDependentString::undepend changing a dependent string into
a fixed string when there are additional dependent strings relying on
the same base. When the undepend occurs during conversion, the base
data is freed, leaving other dependent strings with dangling pointers.
This can lead to a potentially exploitable crash." MFSA 2012-52 [12]
"Security researcher Karthikeyan Bhargavan of Prosecco at INRIA
reported Content Security Policy (CSP) 1.0 implementation errors. CSP
violation reports generated by Firefox and sent to the "report-uri"
location include sensitive data within the "blocked-uri" parameter.
These include fragment components and query strings even if the
"blocked-uri" parameter has a different origin than the protected
resource. This can be used to retrieve a user's OAuth 2.0 access
tokens and OpenID credentials by malicious sites." MFSA 2012-53 [13]
"Security Researcher Matt McCutchen reported that a clickjacking attack
using the certificate warning page. A man-in-the-middle (MITM)
attacker can use an iframe to display its own certificate error
warning page (about:certerror) with the "Add Exception" button of a
real warning page from a malicious site. This can mislead users to
adding a certificate exception for a different site than the perceived
one. This can lead to compromised communications with the user
perceived site through the MITM attack once the certificate exception
has been added." MFSA 2012-54 [14]
"Security researchers Mario Gomes and Soroush Dalili reported that
since Mozilla allows the pseudo-protocol feed: to prefix any valid
URL, it is possible to construct feed:javascript: URLs that will
execute scripts in some contexts. On some sites it may be possible to
use this to evade output filtering that would otherwise strip
javascript: URLs and thus contribute to cross-site scripting (XSS)
problems on these sites." MFSA 2012-55 [15]
"Mozilla security researcher moz_bug_r_a4 reported a arbitrary code
execution attack using a javascript: URL. The Gecko engine features a
JavaScript sandbox utility that allows the browser or add-ons to
safely execute script in the context of a web page. In certain cases,
javascript: URLs are executed in such a sandbox with insufficient
context that can allow those scripts to escape from the sandbox and
run with elevated privilege. This can lead to arbitrary code
execution." MFSA 2012-56 [16]
MITIGATION
Users of the affected versions should upgrade to current versions:
- Firefox: 14 or Firefox ESR 10.0.6
- Thunderbird: 14 or Thunderbird ESR 10.0.6
- SeaMonkey: 2.11
REFERENCES
[1] Mozilla Foundation Security Advisories
http://www.mozilla.org/security/announce/
[2] Mozilla Foundation Security Advisory 2012-42
http://www.mozilla.org/security/announce/2012/mfsa2012-42.html
[3] Mozilla Foundation Security Advisory 2012-43
http://www.mozilla.org/security/announce/2012/mfsa2012-43.html
[4] Mozilla Foundation Security Advisory 2012-44
http://www.mozilla.org/security/announce/2012/mfsa2012-44.html
[5] Mozilla Foundation Security Advisory 2012-45
http://www.mozilla.org/security/announce/2012/mfsa2012-45.html
[6] Mozilla Foundation Security Advisory 2012-46
http://www.mozilla.org/security/announce/2012/mfsa2012-46.html
[7] Mozilla Foundation Security Advisory 2012-47
http://www.mozilla.org/security/announce/2012/mfsa2012-47.html
[8] Mozilla Foundation Security Advisory 2012-48
http://www.mozilla.org/security/announce/2012/mfsa2012-48.html
[9] Mozilla Foundation Security Advisory 2012-49
http://www.mozilla.org/security/announce/2012/mfsa2012-49.html
[10] Mozilla Foundation Security Advisory 2012-50
http://www.mozilla.org/security/announce/2012/mfsa2012-50.html
[11] Mozilla Foundation Security Advisory 2012-51
http://www.mozilla.org/security/announce/2012/mfsa2012-51.html
[12] Mozilla Foundation Security Advisory 2012-52
http://www.mozilla.org/security/announce/2012/mfsa2012-52.html
[13] Mozilla Foundation Security Advisory 2012-53
http://www.mozilla.org/security/announce/2012/mfsa2012-53.html
[14] Mozilla Foundation Security Advisory 2012-54
http://www.mozilla.org/security/announce/2012/mfsa2012-54.html
[15] Mozilla Foundation Security Advisory 2012-55
http://www.mozilla.org/security/announce/2012/mfsa2012-55.html
[16] Mozilla Foundation Security Advisory 2012-56
http://www.mozilla.org/security/announce/2012/mfsa2012-56.html
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBUAZDiu4yVqjM2NGpAQKZUxAAo/U6nMntUKhdgRKcmSD/cWhI5yVbHTWN
361HvhGeYatC/FGcEGUtjedj1/6XZbzHb7Mu47LTGay0h9A/rnKl4DJHI5PQvW/w
N0MJoDjKY7xDMLqvjvnnsm9Cas2HT7zPi7UyVXryYj4miEYAEqKZzmLErOBvmaPm
cnG0r2p7boFfWRmDTVU+3z+ZvgekL427dkMDr9wjY9UFGAtKgQm5TuiG0ZLCRqd/
CgyftG3MAQzMK4fQWv+c+66DUgvzfEUfEc9eUgl9qANKETHdcfr1NgX6FrVJKlkG
Hqu9PIVqSQ49dNgYiMfUwTMkebvTsAp2dTDBD19AE82zPWhvE2WMP1tKQJ0UDgrV
HsTRMexU2Adi7b0TOL9sR2/bfVEfYC9Ow9TTgxfv5HvBHrIjetETPlBZvvAwr73Z
RJPiBapTmBu1JbJXkSkpjX5jT9OpJogf9qC+jnNf/xwU48SUJ+RDpSC1Vln8+CPe
PL/CCDfvXg78fYiiLFxIVyYdx8T7SmlZ9n0pnaA7MDYjiDgo8tldnasoACW7ZkZL
czkIoGDy+SVU4xmrbF0kj9FPvnp3p06Qlw+Wo8Y9VYErmYWr+CS8kNBaOtg36o51
GfcxAVL6GA0xgBZdbE1Vw7CiDm8wRcZPGxINCa2cGM1wI6kXGgWZtjUsuaMWl2gj
j3zdsXqyCjA=
=pOAl
-----END PGP SIGNATURE-----
|