copyright
|
disclaimer
|
privacy
|
contact
HOME
About
AusCERT
Membership
Contact Us
PKI Services
Training
Publications
Sec. Bulletins
Conferences
News & Media
Services
Web Log
Site Map
Site Help
Member login
Login »
Become a member »
Home
»
Security Bul...
»
By Operating...
»
UNIX (all)
»
BSD (all)
» AL-2009.0114 -- [Win][UNIX/Linux] -- Firefox 3.0.4/2...
AL-2009.0114 -- [Win][UNIX/Linux] -- Firefox 3.0.4/2.0.0.18 and SeaMonkey 1.1.13 released to correct multiple vulnerabilities
Date:
17 August 2009
Click here for printable version
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== A U S C E R T A L E R T AL-2009.0114 -- AUSCERT ALERT [Win][UNIX/Linux] Firefox 3.0.4/2.0.0.18 and SeaMonkey 1.1.13 released to correct multiple vulnerabilities 17 August 2009 =========================================================================== AusCERT Alert Summary --------------------- Product: Firefox 3.0.3 Seamonkey 1.1.12 Thunderbird 2.0.17 Operating System: Windows UNIX variants (UNIX, Linux, OSX) Impact: Execute Arbitrary Code/Commands Read-only Data Access Cross-site Scripting Reduced Security Access: Remote/Unauthenticated CVE Names: CVE-2008-0017 CVE-2008-4582 CVE-2008-5015 CVE-2008-5016 CVE-2008-5017 CVE-2008-5018 CVE-2008-5019 CVE-2008-5021 CVE-2008-5022 CVE-2008-5023 CVE-2008-5024 CVE-2008-6961 Member content until: Thursday, December 11 2008 Revision History: August 17 2009: Added MFSA 2008-59 November 13 2008: Initial Release - --------------------------BEGIN INCLUDED TEXT-------------------- OVERVIEW Mozilla has released 9 advisories relating to Firefox, Thunderbird and Seamonkey describing a total of 11 vulnerabilities. Mozilla has rated 4 of these advisories as "Critical", 2 as "High", 2 as "Moderate" and 1 as "Low" impact. IMPACT According to Mozilla, the vulnerabilties corrected in this update are: o MFSA 2008-47 (CVE-2008-4582): "Locally saved .url shortcut files could be used to read information stored in the local cache. An attacker could use this vulnerability to steal information from a victim's browser cache if they were able to get the victim to download two separate files, a .url shortcut and a HTML file." [1] o MFSA 2008-51 (CVE-2008-5015): "file: URIs are given chrome privileges when opened in the same tab as a chrome page or privileged about: page. This vulnerability could be used by an attacker to run arbitrary JavaScript with chrome privileges." [2] o MFSA 2008-52 (CVE-2008-5016, CVE-2008-5017, CVE-2008-5018): "Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code." [3] o MFSA 2008-53 (CVE-2008-5019): "The browser's session restore feature can be used to violate the same-origin policy and run JavaScript in the context of another site. Any otherwise unexploitable crash can be used to force the user into the session restore state" and "This vulnerability could also be used by an attacker to run arbitrary JavaScript with chrome privileges" [4] o MFSA 2008-54 (CVE-2008-0017): "A flaw in the way Mozilla parses the http-index-format MIME type. By sending a specially crafted 200 header line in the HTTP index response, an attacker can cause the browser to crash and run arbitrary code on the victim's computer." [5] o MFSA 2008-55 (CVE-2008-5021): "A flaw in part of Mozilla's DOM constructing code. This vulnerability can be exploited by modifying certain properties of a file input element before it has finished initializing. When the blur method of the modified input element is called, uninitialized memory is accessed by the browser, resulting in a crash. This crash may be used by an attacker to run arbitrary code on a victim's computer." [6] o MFSA 2008-56 (CVE-2008-5022): "Same-origin check in nsXMLHttpRequest::NotifyEventListeners() could be bypassed. This vulnerability could be used to execute JavaScript in the context of a different website" [7] o MFSA 2008-57 (CVE-2008-5023): "The -moz-binding CSS property can be used to bypass security checks which validate codebase principals". This can be exploited to "run arbitrary JavaScript within the context of another site". [8] o MFSA 2008-58 (CVE-2008-5024): "An error in the method used to parse the default namespace in an E4X document. The error was caused by quote characters in the namespace not being properly escaped." Mozilla has not listed any potential exploit for this flaw. [9] o MFSA 2008-58 (CVE-2008-6961): Script access to .documentURI and and .textContent may allow a malicious mail message to be "... able to glean personal information about the recipient from the mailbox URI (such as computer account name) if the mail recipient has enabled JavaScript in mail."[10] MITIGATION These vulnerabilities have been fixed in Firefox 2.0.0.18, Firefox 3.0.4 and SeaMonkey 1.1.13. Updated versions of these programs are available from the Mozilla web site. There is not yet an updated release of Thunderbird 2.0.0.18. Mozilla has recommended ensuring that JavaScript is not rendered by Thunderbird. By default, JavaScript is not enabled in Thunderbird. REFERENCES [1] Mozilla Foundation Security Advisory 2008-47 http://www.mozilla.org/security/announce/2008/mfsa2008-47.html [2] Mozilla Foundation Security Advisory 2008-51 http://www.mozilla.org/security/announce/2008/mfsa2008-51.html [3] Mozilla Foundation Security Advisory 2008-52 http://www.mozilla.org/security/announce/2008/mfsa2008-52.html [4] Mozilla Foundation Security Advisory 2008-53 http://www.mozilla.org/security/announce/2008/mfsa2008-53.html [5] Mozilla Foundation Security Advisory 2008-54 http://www.mozilla.org/security/announce/2008/mfsa2008-54.html [6] Mozilla Foundation Security Advisory 2008-55 http://www.mozilla.org/security/announce/2008/mfsa2008-55.html [7] Mozilla Foundation Security Advisory 2008-56 http://www.mozilla.org/security/announce/2008/mfsa2008-56.html [8] Mozilla Foundation Security Advisory 2008-57 http://www.mozilla.org/security/announce/2008/mfsa2008-57.html [9] Mozilla Foundation Security Advisory 2008-58 http://www.mozilla.org/security/announce/2008/mfsa2008-58.html [10] Mozilla Foundation Security Advisory 2008-59 http://www.mozilla.org/security/announce/2008/mfsa2008-59.html - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://www.auscert.org.au/1967 iD8DBQFKiLlLNVH5XJJInbgRAj+7AJ9gs5+CqTgVjM6ne3nk4a3yPt16vgCggxJz doO6L7nuTnkWGUeuGNaG4rc= =ai+O -----END PGP SIGNATURE-----
Comments? Click here
http://www.auscert.org.au/render.html?cid=37&it=10073