Date: 17 August 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
A U S C E R T A L E R T
AL-2009.0114 -- AUSCERT ALERT
[Win][UNIX/Linux]
Firefox 3.0.4/2.0.0.18 and SeaMonkey 1.1.13 released to
correct multiple vulnerabilities
17 August 2009
===========================================================================
AusCERT Alert Summary
---------------------
Product:              Firefox 3.0.3
                      Seamonkey 1.1.12
                      Thunderbird 2.0.17
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact:               Execute Arbitrary Code/Commands
                      Read-only Data Access
                      Cross-site Scripting
                      Reduced Security
Access:               Remote/Unauthenticated
CVE Names:            CVE-2008-0017 CVE-2008-4582 CVE-2008-5015
                      CVE-2008-5016 CVE-2008-5017 CVE-2008-5018
                      CVE-2008-5019 CVE-2008-5021 CVE-2008-5022
                      CVE-2008-5023 CVE-2008-5024 CVE-2008-6961
Member content until: Thursday, December 11 2008
Revision History:     August 17 2009: Added MFSA 2008-59
                      November 13 2008: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
OVERVIEW
Mozilla has released 9 advisories relating to Firefox,
Thunderbird and Seamonkey describing a total of 11 vulnerabilities.
Mozilla has rated 4 of these advisories as "Critical", 2 as "High",
2 as "Moderate" and 1 as "Low" impact.
IMPACT
According to Mozilla, the vulnerabilities corrected in this
update are:
o MFSA 2008-47 (CVE-2008-4582): "Locally saved .url shortcut files
could be used to read information stored in the local cache. An
attacker could use this vulnerability to steal information from a
victim's browser cache if they were able to get the victim to
download two separate files, a .url shortcut and a HTML file." [1]
o MFSA 2008-51 (CVE-2008-5015): "file: URIs are given chrome
privileges when opened in the same tab as a chrome page or
privileged about: page. This vulnerability could be used by an
attacker to run arbitrary JavaScript with chrome privileges." [2]
o MFSA 2008-52 (CVE-2008-5016, CVE-2008-5017, CVE-2008-5018):
"Mozilla developers identified and fixed several stability bugs
in the browser engine used in Firefox and other Mozilla-based
products. Some of these crashes showed evidence of memory
corruption under certain circumstances and we presume that with
enough effort at least some of these could be exploited to run
arbitrary code." [3]
o MFSA 2008-53 (CVE-2008-5019): "The browser's session restore
feature can be used to violate the same-origin policy and run
JavaScript in the context of another site. Any otherwise
unexploitable crash can be used to force the user into the session
restore state" and "This vulnerability could also be used by an
attacker to run arbitrary JavaScript with chrome privileges" [4]
o MFSA 2008-54 (CVE-2008-0017): "A flaw in the way Mozilla parses
the http-index-format MIME type. By sending a specially crafted
200 header line in the HTTP index response, an attacker can cause
the browser to crash and run arbitrary code on the victim's
computer." [5]
o MFSA 2008-55 (CVE-2008-5021): "A flaw in part of Mozilla's DOM
constructing code. This vulnerability can be exploited by
modifying certain properties of a file input element before it
has finished initializing. When the blur method of the modified
input element is called, uninitialized memory is accessed by the
browser, resulting in a crash. This crash may be used by an
attacker to run arbitrary code on a victim's computer." [6]
o MFSA 2008-56 (CVE-2008-5022): "Same-origin check in
nsXMLHttpRequest::NotifyEventListeners() could be bypassed. This
vulnerability could be used to execute JavaScript in the context
of a different website" [7]
o MFSA 2008-57 (CVE-2008-5023): "The -moz-binding CSS property can
be used to bypass security checks which validate codebase
principals". This can be exploited to "run arbitrary JavaScript
within the context of another site". [8]
o MFSA 2008-58 (CVE-2008-5024): "An error in the method used to
parse the default namespace in an E4X document. The error was
caused by quote characters in the namespace not being properly
escaped." Mozilla has not listed any potential exploit for this
flaw. [9]
o MFSA 2008-58 (CVE-2008-6961): Script access to .documentURI and
.textContent may allow a malicious mail message to be
"... able to glean personal information about the recipient from
the mailbox URI (such as computer account name) if the mail
recipient has enabled JavaScript in mail." [10]
MITIGATION
These vulnerabilities have been fixed in Firefox 2.0.0.18,
Firefox 3.0.4 and SeaMonkey 1.1.13. Updated versions of these
programs are available from the Mozilla web site.
There is not yet an updated release of Thunderbird 2.0.0.18.
Mozilla has recommended ensuring that JavaScript is not rendered
by Thunderbird. By default, JavaScript is not enabled in
Thunderbird.
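Added example, not part of the AusCERT alert or Mozilla's advisories: a Python triage of a software inventory against the fixed releases named in the MITIGATION section. The inventory rows, host names and status labels are constructed for illustration; versions on release branches the alert does not name are reported as not covered rather than assumed safe.

```python
# Fixed releases from the MITIGATION section, keyed by (product, release branch).
FIXED = {
    ("firefox", (2, 0)): (2, 0, 0, 18),
    ("firefox", (3, 0)): (3, 0, 4),
    ("seamonkey", (1, 1)): (1, 1, 13),
}
# Listed as affected, but the alert states no updated release exists yet.
NO_FIX = {"thunderbird"}


def parse_version(text):
    """Turn '2.0.0.17' into (2, 0, 0, 17); reject anything non-numeric."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def triage(product, version):
    """Classify one installed product against this alert."""
    name = product.strip().lower()
    if name in NO_FIX:
        # Mitigation per the alert: ensure JavaScript is not rendered in mail.
        return "no-fix-available"
    try:
        installed = parse_version(version)
    except ValueError:
        return "unparseable"          # e.g. nightly or vendor-suffixed builds
    fixed = FIXED.get((name, installed[:2]))
    if fixed is None:
        return "not-covered"          # branch not named in the alert
    # Pad so that '3.0' compares as 3.0.0 against 3.0.4.
    width = max(len(installed), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))
    return "patched" if pad(installed) >= pad(fixed) else "vulnerable"


def needs_action(inventory):
    """Return (host, product, version, status) rows that are not patched."""
    rows = [(h, p, v, triage(p, v)) for h, p, v in inventory]
    return [r for r in rows if r[3] != "patched"]


# Constructed sample inventory (hypothetical hosts).
SAMPLE = [
    ("ws-01", "Firefox", "3.0.3"),
    ("ws-02", "Firefox", "3.0.4"),
    ("ws-03", "Firefox", "2.0.0.17"),
    ("ws-04", "SeaMonkey", "1.1.13"),
    ("ws-05", "Thunderbird", "2.0.0.17"),
]
```

`needs_action(SAMPLE)` returns the rows for ws-01, ws-03 and ws-05; the Thunderbird row is flagged for the configuration mitigation rather than an upgrade.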
REFERENCES
[1] Mozilla Foundation Security Advisory 2008-47
http://www.mozilla.org/security/announce/2008/mfsa2008-47.html
[2] Mozilla Foundation Security Advisory 2008-51
http://www.mozilla.org/security/announce/2008/mfsa2008-51.html
[3] Mozilla Foundation Security Advisory 2008-52
http://www.mozilla.org/security/announce/2008/mfsa2008-52.html
[4] Mozilla Foundation Security Advisory 2008-53
http://www.mozilla.org/security/announce/2008/mfsa2008-53.html
[5] Mozilla Foundation Security Advisory 2008-54
http://www.mozilla.org/security/announce/2008/mfsa2008-54.html
[6] Mozilla Foundation Security Advisory 2008-55
http://www.mozilla.org/security/announce/2008/mfsa2008-55.html
[7] Mozilla Foundation Security Advisory 2008-56
http://www.mozilla.org/security/announce/2008/mfsa2008-56.html
[8] Mozilla Foundation Security Advisory 2008-57
http://www.mozilla.org/security/announce/2008/mfsa2008-57.html
[9] Mozilla Foundation Security Advisory 2008-58
http://www.mozilla.org/security/announce/2008/mfsa2008-58.html
[10] Mozilla Foundation Security Advisory 2008-59
http://www.mozilla.org/security/announce/2008/mfsa2008-59.html
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://www.auscert.org.au/1967
iD8DBQFKiLlLNVH5XJJInbgRAj+7AJ9gs5+CqTgVjM6ne3nk4a3yPt16vgCggxJz
doO6L7nuTnkWGUeuGNaG4rc=
=ai+O
-----END PGP SIGNATURE-----