Date: 12 October 2012
References: ESB-2012.0984 ESB-2012.0985
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT Security Bulletin
ASB-2012.0139
Two vulnerabilities fixed in Mozilla Firefox, Thunderbird, and SeaMonkey
12 October 2012
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product:           Firefox
                   Thunderbird
                   SeaMonkey
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
                   Mobile Device
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service                -- Remote with User Interaction
                   Access Confidential Data         -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-4193 CVE-2012-4192 CVE-2012-4191
                   CVE-2012-4190
Member content until: Sunday, November 11 2012
OVERVIEW
Multiple vulnerabilities have been fixed in Mozilla Firefox,
Thunderbird and in SeaMonkey. [1]
IMPACT
The vendor has provided the following details about the vulnerabilities:
CVE-2012-4190 CVE-2012-4191

  "Mozilla developers identified and fixed two top crashing bugs in the
  browser engine used in Firefox and other Mozilla-based products. These
  bugs showed evidence of memory corruption under certain circumstances,
  and we presume that with enough effort at least some of these could be
  exploited to run arbitrary code.

  The first of these bugs, a FreeType issue, is a mobile only issue which
  happens on custom kernels like Cyanogenmod, not on standard Android
  installations. The second bug is a websockets crash affecting Firefox
  16 but not Firefox ESR." MFSA 2012-88 [2]

CVE-2012-4192 CVE-2012-4193

  "Mozilla security researcher moz_bug_r_a4 reported a regression where
  security wrappers are unwrapped without doing a security check in
  defaultValue(). This can allow for improper access to the Location
  object. In versions 15 and earlier of affected products, there was also
  the potential for arbitrary code execution." MFSA 2012-89 [3]
MITIGATION
Users of the affected versions should upgrade to current versions:
- Firefox: 16.0.1 or Firefox ESR 10.0.9
- Thunderbird: 16.0.1 or Thunderbird ESR 10.0.9
- SeaMonkey: 2.13.1
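The fixed releases above sit on two branches per product (mainline 16.0.1 and ESR 10.0.9), so a naive numeric comparison would wrongly flag a patched ESR 10.0.9 install as vulnerable. The following branch-aware version check is an added example written for this bulletin, not code from AusCERT or Mozilla. It assumes version strings in the form printed by `firefox --version` ("Mozilla Firefox 16.0.1"); the sample report lines are constructed, not captured from real hosts.

```python
"""Branch-aware check of Mozilla product versions against the fixed
releases listed in ASB-2012.0139 (Firefox/Thunderbird 16.0.1 or ESR 10.0.9,
SeaMonkey 2.13.1)."""
import re

# Fixed releases from the MITIGATION section. Each entry is
# (branch prefix or None for mainline, minimum fixed version).
# A version is fixed only when it reaches the threshold of ITS OWN branch:
# ESR 10.0.9 is fixed although it is numerically below 16.0.1.
FIXED = {
    "firefox":     [((10, 0), (10, 0, 9)), (None, (16, 0, 1))],
    "thunderbird": [((10, 0), (10, 0, 9)), (None, (16, 0, 1))],
    "seamonkey":   [(None, (2, 13, 1))],
}

# Constructed sample inventory in the `<product> --version` output format
# (assumption: the "Mozilla " prefix may or may not be present).
SAMPLE_REPORT = """\
Mozilla Firefox 16.0.1
Mozilla Firefox 16.0
Mozilla Firefox 10.0.9esr
Thunderbird 15.0.1
SeaMonkey 2.13.1
SeaMonkey 2.12
"""


def parse_version(text):
    """Turn '16.0.1', '10.0.9esr' or '16.0' into a 3-tuple of ints."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError("no version number in %r" % text)
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))  # pad so 16.0 == 16.0.0


def is_fixed(product, version):
    """True if product/version is at or above the fixed release of its branch."""
    v = parse_version(version)
    branches = FIXED[product.lower()]
    for prefix, threshold in branches:
        if prefix is not None and v[:len(prefix)] == prefix:
            return v >= threshold          # pinned branch (ESR)
    mainline = [t for p, t in branches if p is None][0]
    return v >= mainline                   # everything else: mainline rule


def audit(report):
    """Parse one product/version per line and return (product, version, fixed)
    for each recognised line; unrecognised lines are skipped."""
    pat = re.compile(r"^(?:Mozilla\s+)?(Firefox|Thunderbird|SeaMonkey)\s+(\S+)")
    results = []
    for line in report.splitlines():
        m = pat.match(line.strip())
        if m:
            product, version = m.group(1), m.group(2)
            results.append((product, version, is_fixed(product, version)))
    return results


if __name__ == "__main__":
    for product, version, fixed in audit(SAMPLE_REPORT):
        print("%-12s %-10s %s" % (product, version, "OK" if fixed else "UPGRADE"))
```

Run it against the `--version` output of each installed product; any line reported as UPGRADE is below the fixed release for its branch and should be updated as stated above.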
REFERENCES
[1] Mozilla Foundation Security Advisories
https://www.mozilla.org/security/announce/
[2] Mozilla Foundation Security Advisory 2012-88
https://www.mozilla.org/security/announce/2012/mfsa2012-88.html
[3] Mozilla Foundation Security Advisory 2012-89
https://www.mozilla.org/security/announce/2012/mfsa2012-89.html
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----