Date: 05 January 2009
References: ESB-2008.1136 AU-2009.0001 ESB-2009.0014 ESB-2009.0015 ESB-2009.0343 ESB-2009.0471
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
A U S C E R T A L E R T
AL-2008.0129 -- AUSCERT ALERT
[Win][UNIX/Linux]
A number of vulnerabilities have been identified in Mozilla
Firefox, SeaMonkey and Thunderbird
6 January 2009
===========================================================================
AusCERT Alert Summary
---------------------
Product:              Firefox 3.0.4
                      Firefox 2.0.0.18
                      Thunderbird 2.0.0.18
                      SeaMonkey 1.1.13
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact:               Execute Arbitrary Code/Commands
                      Access Confidential Data
                      Create Arbitrary Files
                      Modify Arbitrary Files
                      Provide Misleading Information
                      Reduced Security
Access:               Remote/Unauthenticated
CVE Names:            CVE-2008-5513 CVE-2008-5512 CVE-2008-5511
                      CVE-2008-5510 CVE-2008-5508 CVE-2008-5507
                      CVE-2008-5506 CVE-2008-5505 CVE-2008-5502
                      CVE-2008-5501 CVE-2008-5500
Member content until: Wednesday, January 14 2009
Original Bulletin:    http://www.mozilla.org/security/announce/2008/mfsa2008-60.html
                      http://www.mozilla.org/security/announce/2008/mfsa2008-61.html
                      http://www.mozilla.org/security/announce/2008/mfsa2008-63.html
                      http://www.mozilla.org/security/announce/2008/mfsa2008-64.html
                      http://www.mozilla.org/security/announce/2008/mfsa2008-65.html
                      http://www.mozilla.org/security/announce/2008/mfsa2008-66.html
                      http://www.mozilla.org/security/announce/2008/mfsa2008-67.html
                      http://www.mozilla.org/security/announce/2008/mfsa2008-68.html
                      http://www.mozilla.org/security/announce/2008/mfsa2008-69.html
Revision History:     January 6 2009: Updated patch for Firefox 2.x as 2.0.0.20
                      December 17 2008: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
OVERVIEW:
Mozilla has released eight advisories relating to Firefox, seven
advisories relating to Thunderbird, and seven advisories relating to
SeaMonkey, describing a total of nine vulnerabilities. Mozilla has
rated three of these advisories as "Critical", one as "High", two as
"Moderate" and three as "Low" Impact.
IMPACT:
According to Mozilla, the vulnerabilities corrected in this update
are:
o MFSA 2008-60 (CVE-2008-5500, CVE-2008-5501, CVE-2008-5502): Crashes
with evidence of memory corruption, the result of "... several
stability bugs in the browser engine used in Firefox and other
Mozilla-based products. Some of these crashes showed evidence of
memory corruption under certain circumstances and we presume that
with enough effort at least some of these could be exploited to run
arbitrary code." [1]
o MFSA 2008-61 (CVE-2008-5503): Information stealing via
loadBindingDocument, allowing "...XBL bindings ...[to]... be used
to read data from other domains, a violation of the same-origin
policy." [2]
o MFSA 2008-63 (CVE-2008-5505): A vulnerability allowing "... the
persist attribute in XUL elements ...[to]... be used to store
cookie-like information on a user's computer which could later be
read by a website. This creates a privacy issue for users who have
a non-standard cookie preference and wish to prevent sites from
setting cookies on their machine. Even with cookies turned off, this
issue could be used by a website to write persistent data in a user's
browser and track the user across browsing sessions. Additionally,
this issue could allow a website to bypass the limits normally placed
on cookie size and number." [3]
o MFSA 2008-64 (CVE-2008-5506): XMLHttpRequest 302 response disclosure
"... when a XMLHttpRequest is made to a same-origin resource which
302 redirects to a resource in a different domain, the response
from the cross-domain resource is readable by the site issuing the
XHR. Cookies marked HttpOnly were not readable, but other potentially
sensitive data could be revealed in the XHR response including URL
parameters and content in the response body." [4]
o MFSA 2008-65 (CVE-2008-5507): Cross-domain data theft via script
redirect error message as "...a website could access a limited amount
of data from a different domain by loading a same-domain JavaScript
URL which redirects to an off-domain target resource containing data
which is not parsable as JavaScript. Upon attempting to load the data
as JavaScript a syntax error is generated that can reveal some of the
file context via the window.onerror DOM API. This issue could be used
by a malicious website to steal private data from users who are
authenticated on the redirected website." [5]
o MFSA 2008-66 (CVE-2008-5508): Errors parsing URLs with leading
whitespace and control characters as "... certain control characters,
when placed at the beginning of a URL, would lead to incorrect parsing
resulting in a malformed URL being output by the parser." [6]
o MFSA 2008-67 (CVE-2008-5510): Escaped null characters ignored by CSS
parser where "... unlike literal null characters which were handled
correctly, the escaped form '\0' was ignored by the CSS parser and
treated as if it was not present in the CSS input string. This issue
could potentially be used to bypass script sanitization routines in
web applications. The severity of this issue was determined to be
low." [7]
o MFSA 2008-68 (CVE-2008-5511, CVE-2008-5512): XSS and JavaScript
privilege escalation, a result of "... an XBL binding, when attached to
an unloaded document, ...[being]... used to violate the same-origin
policy and execute arbitrary JavaScript within the context of a
different website." Additionally "... two vulnerabilities by which page
content can pollute XPCNativeWrappers and run arbitrary JavaScript with
chrome privileges." [8]
o MFSA 2008-69 (CVE-2008-5513): A number of "...vulnerabilities in the
session-restore feature by which content could be injected into an
incorrect document storage location, including storage locations for
other domains. An attacker could utilize these issues to violate the
browser's same-origin policy and perform an XSS attack while
SessionStore data is being restored." It was "... also reported that
one variant could be used by an attacker to run arbitrary JavaScript
with chrome privileges." [9]
MITIGATION:
These vulnerabilities have been fixed in Firefox 3.0.5, Firefox 2.0.0.20,
SeaMonkey 1.1.14 and Thunderbird 2.0.0.19. Updated versions of these
programs are available from the Mozilla web site.
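A version-compliance check written for this bulletin as an added example (it is not AusCERT's or Mozilla's code): it encodes the fixed releases from the MITIGATION section and classifies an installed build as patched, vulnerable, or not covered by this advisory. The handling of pre-release suffixes and the "host,product,version" inventory format are assumptions made for the example.

```python
import re
from typing import Dict, Optional, Tuple

# Fixed releases from the MITIGATION section, keyed by product and release
# branch (the leading version components shared by vulnerable and fixed build).
FIXED_VERSIONS: Dict[Tuple[str, Tuple[int, ...]], Tuple[int, ...]] = {
    ("firefox", (3, 0)): (3, 0, 5),
    ("firefox", (2, 0, 0)): (2, 0, 0, 20),
    ("thunderbird", (2, 0, 0)): (2, 0, 0, 19),
    ("seamonkey", (1, 1)): (1, 1, 14),
}

def parse_version(text: str) -> Tuple[int, ...]:
    """'2.0.0.18' -> (2, 0, 0, 18). A suffix such as '3.0.5pre' denotes a build
    made before that release and is kept as a trailing -1 component (assumed
    simplification of Mozilla's version rules, for this example only)."""
    m = re.match(r"^(\d+(?:\.\d+)*)(.*)$", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (-1,) if m.group(2) else parts

def compare(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Component-wise compare, zero-padding so 3.0 == 3.0.0 and 3.0.5pre < 3.0.5."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)

def fixed_version_for(product: str, version: Tuple[int, ...]) -> Optional[Tuple[int, ...]]:
    """Fixed release for this build's branch, or None if the advisory does not cover it."""
    for (prod, branch), fixed in FIXED_VERSIONS.items():
        if prod == product.lower() and version[: len(branch)] == branch:
            return fixed
    return None

def assess(product: str, version_text: str) -> str:
    """Classify a build as 'patched', 'vulnerable' or 'not covered'."""
    version = parse_version(version_text)
    fixed = fixed_version_for(product, version)
    if fixed is None:
        return "not covered"  # unlisted is not the same as safe: check by hand
    return "patched" if compare(version, fixed) >= 0 else "vulnerable"

def scan_inventory(lines) -> Dict[str, str]:
    """Assess 'host,product,version' lines such as the constructed sample below."""
    return {h: assess(p, v) for h, p, v in (l.split(",") for l in lines if l.strip())}

# Constructed sample inventory (hostnames are made up for this example).
SAMPLE_INVENTORY = ["ws01,Firefox,3.0.4", "ws02,Firefox,3.0.5", "ws03,Firefox,2.0.0.18",
                    "ws04,Thunderbird,2.0.0.19", "ws05,SeaMonkey,1.1.13", "ws06,Firefox,3.1b2"]
```

A "not covered" result means the build is outside the branches this bulletin lists, so it should be checked against Mozilla's own advisories rather than treated as patched.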
REFERENCES:
[1] Mozilla Foundation Security Advisory 2008-60
http://www.mozilla.org/security/announce/2008/mfsa2008-60.html
[2] Mozilla Foundation Security Advisory 2008-61
http://www.mozilla.org/security/announce/2008/mfsa2008-61.html
[3] Mozilla Foundation Security Advisory 2008-63
http://www.mozilla.org/security/announce/2008/mfsa2008-63.html
[4] Mozilla Foundation Security Advisory 2008-64
http://www.mozilla.org/security/announce/2008/mfsa2008-64.html
[5] Mozilla Foundation Security Advisory 2008-65
http://www.mozilla.org/security/announce/2008/mfsa2008-65.html
[6] Mozilla Foundation Security Advisory 2008-66
http://www.mozilla.org/security/announce/2008/mfsa2008-66.html
[7] Mozilla Foundation Security Advisory 2008-67
http://www.mozilla.org/security/announce/2008/mfsa2008-67.html
[8] Mozilla Foundation Security Advisory 2008-68
http://www.mozilla.org/security/announce/2008/mfsa2008-68.html
[9] Mozilla Foundation Security Advisory 2008-69
http://www.mozilla.org/security/announce/2008/mfsa2008-69.html
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----