Date: 29 August 2012
References: ESB-2012.0823 ESB-2012.0913 ESB-2012.0922 ESB-2012.0957 ESB-2012.0972 ESB-2012.1053
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT Security Bulletin
ASB-2012.0119
New versions of Mozilla Firefox, Thunderbird, and SeaMonkey
29 August 2012
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product:           Firefox
                   Thunderbird
                   SeaMonkey
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
                   Mobile Device
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Access Privileged Data          -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
                   Unauthorised Access             -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-3980 CVE-2012-3979 CVE-2012-3978
                   CVE-2012-3976 CVE-2012-3975 CVE-2012-3974
                   CVE-2012-3973 CVE-2012-3972 CVE-2012-3971
                   CVE-2012-3970 CVE-2012-3969 CVE-2012-3968
                   CVE-2012-3967 CVE-2012-3966 CVE-2012-3965
                   CVE-2012-3964 CVE-2012-3963 CVE-2012-3962
                   CVE-2012-3961 CVE-2012-3960 CVE-2012-3959
                   CVE-2012-3958 CVE-2012-3957 CVE-2012-3956
                   CVE-2012-1976 CVE-2012-1975 CVE-2012-1974
                   CVE-2012-1973 CVE-2012-1972 CVE-2012-1971
                   CVE-2012-1970 CVE-2012-1956
Member content until: Friday, September 28 2012
OVERVIEW
Multiple vulnerabilities have been fixed in Mozilla Firefox,
Thunderbird and SeaMonkey. [1]
IMPACT
The vendor has provided the following details about the vulnerabilities:
"Mozilla developers identified and fixed several memory safety bugs in
the browser engine used in Firefox and other Mozilla-based products.
Some of these bugs showed evidence of memory corruption under certain
circumstances, and we presume that with enough effort at least some of
these could be exploited to run arbitrary code." MFSA 2012-57 [2]
"Security researcher Abhishek Arya (Inferno) of Google Chrome Security
Team discovered a series of use-after-free issues using the Address
Sanitizer tool. Many of these issues are potentially exploitable,
allowing for remote code execution." MFSA 2012-58 [3]
"Security researcher Mariusz Mlynski reported that it is possible to
shadow the location object using Object.defineProperty. This could be
used to confuse the current location to plugins, allowing for possible
cross-site scripting (XSS) attacks." MFSA 2012-59 [4]
"Security researcher Mariusz Mlynski reported that when a page opens a
new tab, a subsequent window can then be opened that can be navigated
to about:newtab, a chrome privileged page. Once about:newtab is loaded,
the special context can potentially be used to escalate privilege,
allowing for arbitrary code execution on the local system in a
maliciously crafted attack." MFSA 2012-60 [5]
"Security researcher Frédéric Hoguin reported two related issues with
the decoding of bitmap (.BMP) format images embedded in icon (.ICO)
format files. When processing a negative "height" header value for the
bitmap image, a memory corruption can be induced, allowing an attacker
to write random memory and cause a crash. This crash may be potentially
exploitable." MFSA 2012-61 [6]
"Security researcher miaubiz used the Address Sanitizer tool to discover
two WebGL issues. The first issue is a use-after-free when WebGL
shaders are called after being destroyed. The second issue exposes a
problem with Mesa drivers on Linux, leading to a potentially
exploitable crash." MFSA 2012-62 [7]
"Security researcher Arthur Gerkis used the Address Sanitizer tool to
find two issues involving Scalable Vector Graphics (SVG) files. The
first issue is a buffer overflow in Gecko's SVG filter code when the
sum of two values is too large to be stored as a signed 32-bit integer,
causing the function to write past the end of an array. The second
issue is a use-after-free when an element with a "requiredFeatures"
attribute is moved between documents. In that situation, the internal
representation of the "requiredFeatures" value could be freed
prematurely. Both issues are potentially exploitable." MFSA 2012-63 [8]
"Using the Address Sanitizer tool, Mozilla security researcher Christoph
Diehl discovered two memory corruption issues involving the Graphite 2
library used in Mozilla products. Both of these issues can cause a
potentially exploitable crash. These problems were fixed in the
Graphite 2 library, which has been updated for Mozilla products."
MFSA 2012-64 [9]
"Security researcher Nicolas Grégoire used the Address Sanitizer tool to
discover an out-of-bounds read in the format-number feature of XSLT,
which can cause inaccurate formatting of numbers and information
leakage. This is not directly exploitable." MFSA 2012-65 [10]
"Mozilla security researcher Mark Goodwin discovered an issue with the
Firefox developer tools' debugger. If remote debugging is disabled, but
the experimental HTTPMonitor extension has been installed and enabled,
a remote user can connect to and use the remote debugging service
through the port used by HTTPMonitor. A remote-enabled flag has been
added to resolve this problem and close the port unless debugging is
explicitly enabled." MFSA 2012-66 [11]
"Security researcher Masato Kinugawa reported that if a crafted
executable is placed in the root partition on a Windows file system,
the Firefox and Thunderbird installer will launch this program after a
standard installation instead of Firefox or Thunderbird, running this
program with the user's privileges." MFSA 2012-67 [12]
"Security researcher vsemozhetbyt reported that when the DOMParser is
used to parse text/html data in a Firefox extension, linked resources
within this HTML data will be loaded. If the data being parsed in the
extension is untrusted, it could lead to information leakage and can
potentially be combined with other attacks to become exploitable."
MFSA 2012-68 [13]
"Security researcher Mark Poticha reported an issue where incorrect SSL
certificate information can be displayed on the addressbar, showing the
SSL data for a previous site while another has been loaded. This is
caused by two onLocationChange events being fired out of the expected
order, leading to the displayed certificate data not being updated.
This can be used for phishing attacks by allowing the user to input
form or other data on a newer, attacking, site while the credentials of
an older site appear on the addressbar." MFSA 2012-69 [14]
"Mozilla security researcher moz_bug_r_a4 reported that certain security
checks in the location object can be bypassed if chrome code is called
content in a specific manner. This allowed for the loading of
restricted content. This can be combined with other issues to become
potentially exploitable." MFSA 2012-70 [15]
"Mozilla developer Blake Kaplan reported that __android_log_print is
called insecurely in places. If a malicious web page used a dump()
statement with a specially crafted string, it can trigger a potentially
exploitable crash.
Note: This vulnerability only affects Firefox for Android."
MFSA 2012-71 [16]
"Security researcher Colby Russell discovered that eval in the web
console can execute injected code with chrome privileges, leading to
the running of malicious code in a privileged context. This allows for
arbitrary code execution through a malicious web page if the web
console is invoked by the user." MFSA 2012-72 [17]
MITIGATION
Users of affected versions should upgrade to the current versions:
- Firefox: 15 or Firefox ESR 10.0.7
- Thunderbird: 15 or Thunderbird ESR 10.0.7
- SeaMonkey: 2.12
REFERENCES
[1] Mozilla Foundation Security Advisories
https://www.mozilla.org/security/announce/
[2] Mozilla Foundation Security Advisory 2012-57
https://www.mozilla.org/security/announce/2012/mfsa2012-57.html
[3] Mozilla Foundation Security Advisory 2012-58
https://www.mozilla.org/security/announce/2012/mfsa2012-58.html
[4] Mozilla Foundation Security Advisory 2012-59
https://www.mozilla.org/security/announce/2012/mfsa2012-59.html
[5] Mozilla Foundation Security Advisory 2012-60
https://www.mozilla.org/security/announce/2012/mfsa2012-60.html
[6] Mozilla Foundation Security Advisory 2012-61
https://www.mozilla.org/security/announce/2012/mfsa2012-61.html
[7] Mozilla Foundation Security Advisory 2012-62
https://www.mozilla.org/security/announce/2012/mfsa2012-62.html
[8] Mozilla Foundation Security Advisory 2012-63
https://www.mozilla.org/security/announce/2012/mfsa2012-63.html
[9] Mozilla Foundation Security Advisory 2012-64
https://www.mozilla.org/security/announce/2012/mfsa2012-64.html
[10] Mozilla Foundation Security Advisory 2012-65
https://www.mozilla.org/security/announce/2012/mfsa2012-65.html
[11] Mozilla Foundation Security Advisory 2012-66
https://www.mozilla.org/security/announce/2012/mfsa2012-66.html
[12] Mozilla Foundation Security Advisory 2012-67
https://www.mozilla.org/security/announce/2012/mfsa2012-67.html
[13] Mozilla Foundation Security Advisory 2012-68
https://www.mozilla.org/security/announce/2012/mfsa2012-68.html
[14] Mozilla Foundation Security Advisory 2012-69
https://www.mozilla.org/security/announce/2012/mfsa2012-69.html
[15] Mozilla Foundation Security Advisory 2012-70
https://www.mozilla.org/security/announce/2012/mfsa2012-70.html
[16] Mozilla Foundation Security Advisory 2012-71
https://www.mozilla.org/security/announce/2012/mfsa2012-71.html
[17] Mozilla Foundation Security Advisory 2012-72
https://www.mozilla.org/security/announce/2012/mfsa2012-72.html
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----