Date: 01 August 2007
References: AU-2007.0018 AL-2007.0091 ESB-2007.0586 ESB-2007.0707 ESB-2007.0816 ESB-2007.0821 ESB-2007.0822 ESB-2007.0844 ESB-2007.1030
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2007.0576 -- [Win][UNIX/Linux]
New Firefox, Thunderbird and SeaMonkey released fixing URI
and about:blank vulnerabilities
1 August 2007
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product:            Firefox 2.0.0.5 and prior
                    Thunderbird 2.0.0.5 and prior
                    Thunderbird 1.5.0.12 and prior
                    SeaMonkey 1.1.3 and prior
Publisher:          Mozilla Foundation
Operating System:   Windows
                    UNIX variants (UNIX, Linux, OSX)
Impact:             Execute Arbitrary Code/Commands
Access:             Remote/Unauthenticated
CVE Names:          CVE-2007-3845 CVE-2007-3844
Ref:                AL-2007.0091
                    AU-2007.0018
Original Bulletin:
    http://www.mozilla.org/security/announce/2007/mfsa2007-27.html
    http://www.mozilla.org/security/announce/2007/mfsa2007-26.html
Comment: This bulletin contains two separate Mozilla advisories for
         vulnerabilities fixed in Firefox 2.0.0.6 and related products:
         MFSA-2007-27 addresses the URI filtering vulnerability that was
         reported previously in AusCERT Alert AL-2007.0091.
         MFSA-2007-26 addresses a new about:blank vulnerability that was
         introduced in Firefox 2.0.0.5. It potentially allows execution
         of arbitrary code in conjunction with certain Firefox addons.
--------------------------BEGIN INCLUDED TEXT--------------------
Mozilla Foundation Security Advisory 2007-27
Title: Unescaped URIs passed to external programs
Impact: Critical
Announced: July 30, 2007
Reporter: Jesper Johansson
Products: Firefox, Thunderbird, SeaMonkey
Fixed in:   Firefox 2.0.0.6
            Thunderbird 2.0.0.6
            Thunderbird 1.5.0.13
            SeaMonkey 1.1.4
Description
Jesper Johansson pointed out that Mozilla did not percent-encode
spaces and double-quotes in URIs handed off to external programs for
handling, which can cause the receiving program to mistakenly
interpret a single URI as multiple arguments. The danger depends on
the arguments supported by the specific receiving program, though at
the very least we know Firefox (and Thunderbird) 2.0.0.4 and older
could be used to run arbitrary script (see MFSA 2007-23). The vast
majority of programs do not have dangerous arguments, though many
could still be made to do something unexpected.
A similar issue with URIs passed to external handlers was reported by
Billy Rios and Nate McFeters. When running Firefox on Windows XP with
IE7 installed, URIs for certain common protocols (such as mailto:)
that contain a %00 do not launch the protocol handler registered for
that scheme but instead launch a file handling program based on the
file extension at the end of the URI. Coupled with the issue reported
by Jesper Johansson this appears to allow execution of any program
installed at a known location and limited argument passing that might
be enough to exploit a system. Further investigation by Secunia showed
that a % not followed by a valid two-digit hexadecimal number also
triggered the problem for the affected protocols. The Firefox and
Thunderbird 2.0.0.6 releases contain fixes that prevent the original
demonstrations of this variant, but it is still possible to launch a
filetype handler based on extension rather than the registered
protocol handler. A way to exploit a common handler with a single
unexpected URI as an argument may yet be found. Since this handling is
a property of the Windows Shell API this variant appears to affect
other internet-enabled applications that pass these URIs to the
Windows Shell.
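As an added example (not Mozilla's code and not part of this bulletin), the following Python shows the two browser-side checks the description implies before a URI is handed to an external handler: percent-encoding spaces and double-quotes so the URI survives as a single argument, and flagging a %00 or a % that is not followed by two hex digits. The `argv_split` function is a constructed stand-in for a receiving program's command-line parser, and the sample URIs are constructed.

```python
import re

# Safe set: RFC 3986 unreserved characters plus the scheme and sub-delimiter
# characters a URI legitimately contains. Space, double-quote, control bytes
# and non-ASCII bytes are deliberately absent, so they are always encoded.
_SAFE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
            "-._~:/?#[]@!$&'()*+,;=%")

_PCT = re.compile(r"%[0-9A-Fa-f]{2}")


def escape_for_handler(uri: str) -> str:
    """Percent-encode every byte outside the safe set (space, '"', controls)."""
    return "".join(chr(b) if chr(b) in _SAFE else f"%{b:02X}"
                   for b in uri.encode("utf-8"))


def malformed_escapes(uri: str) -> list:
    """Return the escapes the advisory flags: '%00' (NUL) and any '%' not
    followed by two hex digits, which on Windows XP with IE7 diverted
    handler selection to the file-extension handler."""
    bad, i = [], 0
    while i < len(uri):
        if uri[i] != "%":
            i += 1
            continue
        m = _PCT.match(uri, i)
        if m is None:
            bad.append(uri[i:i + 3])      # bare '%' or '%' + non-hex
            i += 1
        else:
            if m.group(0) == "%00":
                bad.append("%00")
            i += 3
    return bad


def argv_split(cmdline: str) -> list:
    """Constructed stand-in for a receiving program's command-line parser:
    whitespace separates arguments unless it sits inside double quotes."""
    args, cur, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args
```

With the constructed URI `mailto:a@example.com?subject="x" y`, `argv_split` yields two arguments for the raw form and one for the escaped form.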
Workaround
By default Firefox will ask before launching external protocol
handlers, and these prompts should be denied from sites that are not
trustworthy, especially if the requested URL contains spaces and
double-quote (") characters. An exception is made for mail-related
protocols in Firefox: they do not prompt by default. If the default
mail handler is Thunderbird 2.0.0.5 or later there will not be a
problem, but if another program or older version of Thunderbird is the
default handler then mail URIs can be made to prompt as well.
(Similarly, in Thunderbird browser protocols like http: and ftp: do
not prompt but instead launch the default browser.) To make
mail-related links prompt in Firefox before launching external
programs:
* Enter about:config in the location bar
* Enter warn-external in the Filter: box
* Double-click to set the mailto, news, nntp, and snews lines to true
References
* Jesper's Blog
http://msinfluentials.com/blogs/jesper/archive/2007/07/20/hey-mozilla-quotes-are-not-legal-in-a-url.aspx
* https://bugzilla.mozilla.org/show_bug.cgi?id=389106
* CVE-2007-3845
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3845
* Secunia Advisory SA26201
http://secunia.com/advisories/26201/
* US-CERT Vulnerability Notes VU#783400 and VU#403150
http://www.kb.cert.org/vuls/id/783400
http://www.kb.cert.org/vuls/id/403150
* https://bugzilla.mozilla.org/show_bug.cgi?id=389580
----------------------------------------------------------------------------
Mozilla Foundation Security Advisory 2007-26
Title: Privilege escalation through chrome-loaded about:blank windows
Impact: Moderate
Announced: July 30, 2007
Reporter: moz_bug_r_a4
Products: Firefox 2.0.0.5, Thunderbird 2.0.0.5, SeaMonkey 1.1.3
Fixed in:   Firefox 2.0.0.6
            Thunderbird 2.0.0.6
            Thunderbird 1.5.0.13
            SeaMonkey 1.1.4
Description
Mozilla researcher moz_bug_r_a4 reported that a flaw was introduced by
the fix for MFSA 2007-20 that could enable privilege escalation
attacks against addons that create "about:blank" windows and populate
them in certain ways (including implicit "about:blank" document
creation through data: or javascript: URLs in a new window).
Workaround
Any workaround would depend on the addon in question. One addon known
to be affected was the Web Developer Toolbar, which was safe in its
default configuration but potentially vulnerable to malicious web
content if informational windows were opened as separate windows
instead of tabs. The workaround for this, then, is to switch back to
the default setting.
Other affected addons might not have a workaround other than to
upgrade to a fixed version of Firefox.
References
* https://bugzilla.mozilla.org/show_bug.cgi?id=388121
* CVE-2007-3844
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3844
--------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================