Date: 04 March 2009
References: ESB-2009.0274 ESB-2009.1038
===========================================================================
A U S C E R T A L E R T
AL-2009.0007 -- AUSCERT ALERT
[Win][UNIX/Linux]
Updates available for Firefox, ThunderBird and SeaMonkey
5 March 2009
===========================================================================
AusCERT Alert Summary
---------------------
        Product:              Firefox
                              SeaMonkey
                              Thunderbird
        Operating System:     UNIX variants (UNIX, Linux, OSX)
                              Windows
        Impact:               Execute Arbitrary Code/Commands
                              Access Confidential Data
                              Denial of Service
        Access:               Remote/Unauthenticated
        CVE Names:            CVE-2009-0358 CVE-2009-0357 CVE-2009-0356
                              CVE-2009-0355 CVE-2009-0354 CVE-2009-0353
                              CVE-2009-0352
        Member content until: Thursday, March 05 2009
        Comment:              Firefox 2 has not been patched. Update to
                              Firefox 3.0.6 as soon as possible.
        Revision History:     March 5 2009: Fixed title and formatting
                              February 5 2009: Initial Release
OVERVIEW:
Mozilla has released 6 advisories relating to Firefox,
Thunderbird and SeaMonkey. Mozilla has rated 1 of these
advisories as "Critical", 2 as "High", 1 as "Moderate"
and 2 as "Low" impact.
IMPACT:
According to Mozilla, the vulnerabilities corrected in this
update are:
o MFSA 2009-01 (CVE-2009-0352): "Crashes with evidence of memory
corruption (rv:1.9.0.6) Mozilla developers identified and fixed
several stability bugs in the browser engine used in Firefox and
other Mozilla-based products. Some of these crashes showed evidence
of memory corruption under certain circumstances and we presume
that with enough effort at least some of these could be exploited
to run arbitrary code.
Thunderbird shares the browser engine with Firefox and could be
vulnerable if JavaScript were to be enabled in mail. This is not
the default setting and we strongly discourage users from running
JavaScript in mail. Without further investigation we cannot rule
out the possibility that for some of these an attacker might be
able to prepare memory for exploitation through some means other
than JavaScript such as large images." [1]
o MFSA 2009-02 (CVE-2009-0354): "Mozilla security researcher
moz_bug_r_a4 reported that a chrome XBL method can be used in
conjunction with window.eval to execute arbitrary JavaScript within
the context of another website, violating the same origin policy.
Firefox 2 releases are not affected." [2]
o MFSA 2009-03 (CVE-2009-0355): "Mozilla security researcher
moz_bug_r_a4 reported that a form input control's type could be
changed during the restoration of a closed tab. An attacker could
set an input control's text value to the path of a local file whose
location was known to the attacker. If the tab was then closed and
the victim persuaded to re-open it, upon restoring the tab the
attacker could use this vulnerability to change the input type to
file. Scripts in the page could then automatically submit the form
and steal the contents of the user's local file." [3]
o MFSA 2009-04 (CVE-2009-0356): "Mozilla security researcher Georgi
Guninski reported that the fix for an earlier vulnerability
reported by Liu Die Yu using local internet shortcut files to
access other sites (MFSA 2008-47) could be bypassed by
redirecting to a privileged about: URI such as about:plugins.
If an attacker could get a victim to download two files, a
malicious HTML file and a .desktop shortcut file, they could have
the HTML document load a privileged chrome document via the
shortcut and both documents would be treated as same origin.
This vulnerability could potentially be used by an attacker to
inject arbitrary code into the chrome document and execute with
chrome privileges. Because this attack has relatively high
complexity, the severity of this issue was determined to be
moderate." [4]
o MFSA 2009-05 (CVE-2009-0357): "Developer and Mozilla community member
Wladimir Palant reported that cookies marked HTTPOnly were readable
by JavaScript via the XMLHttpRequest.getResponseHeader and
XMLHttpRequest.getAllResponseHeaders APIs. This vulnerability
bypasses the security mechanism provided by the HTTPOnly flag
which intends to restrict JavaScript access to document.cookie." [5]
o MFSA 2009-06 (CVE-2009-0358): "Paul Nel reported that certain HTTP
directives to not cache web pages, Cache-Control: no-store and
Cache-Control: no-cache for HTTPS pages, were being ignored by
Firefox 3. On a shared system, applications relying upon these
HTTP directives could potentially expose private data. Another user
on the system could use this vulnerability to view improperly
cached pages containing private data by navigating the browser
back." [6]
MITIGATION:
These vulnerabilities have been fixed in Firefox 3.0.6, Thunderbird
2.0.0.21 and SeaMonkey 1.1.15. Updated versions of these programs are
available from the Mozilla web site.
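The fixed versions above can be turned into an inventory check. The following is an added example, not AusCERT's or Mozilla's code: it assumes web-proxy logs that record the client User-Agent string, parses the Firefox, Thunderbird or SeaMonkey product token, and flags any client older than the release that fixes these advisories. The log lines are constructed for illustration.

```python
import re

# Fixed releases named in the MITIGATION section of the advisory.
FIXED = {"Firefox": (3, 0, 6), "Thunderbird": (2, 0, 0, 21), "SeaMonkey": (1, 1, 15)}

# Product token that Gecko-based clients put in their User-Agent string.
PRODUCT_RE = re.compile(r"\b(Firefox|Thunderbird|SeaMonkey)/(\d+(?:\.\d+)*)")

def parse_version(text):
    """'3.0.6' -> (3, 0, 6); dotted numeric versions only."""
    return tuple(int(part) for part in text.split("."))

def is_vulnerable(product, version):
    """True when version is older than the fixed release for the product.
    Shorter tuples are zero-padded so '3.0' compares as 3.0.0; every
    Firefox 2.x is below 3.0.6, matching the advisory's note that
    Firefox 2 was not patched."""
    have, want = parse_version(version), FIXED[product]
    width = max(len(have), len(want))
    have += (0,) * (width - len(have))
    want += (0,) * (width - len(want))
    return have < want

def client_from_user_agent(user_agent):
    """Return (product, version) or None. A SeaMonkey or Thunderbird token
    wins over a Firefox token, since some builds also advertise Firefox."""
    matches = PRODUCT_RE.findall(user_agent)
    if not matches:
        return None
    matches.sort(key=lambda m: m[0] == "Firefox")  # non-Firefox tokens first
    return matches[0]

def find_unpatched(log_lines):
    """(product, version) for each log line whose client predates the fix."""
    hits = []
    for line in log_lines:
        client = client_from_user_agent(line)
        if client and is_vulnerable(*client):
            hits.append(client)
    return hits

# Constructed proxy-log lines (not real traffic), one client version each.
SAMPLE_LOGS = [
    '10.0.0.5 [05/Mar/2009:09:12:01] "GET / HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 5.1; rv:1.9.0.6) Gecko/2009011913 Firefox/3.0.6"',
    '10.0.0.6 [05/Mar/2009:09:12:04] "GET / HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux i686; rv:1.9.0.5) Gecko/2008121622 Firefox/3.0.5"',
    '10.0.0.7 [05/Mar/2009:09:13:10] "GET / HTTP/1.1" 200 "Mozilla/5.0 (Macintosh; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20"',
    '10.0.0.8 [05/Mar/2009:09:14:22] "GET / HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 6.0; rv:1.8.1.19) Gecko/20081209 Thunderbird/2.0.0.19"',
    '10.0.0.9 [05/Mar/2009:09:15:30] "GET / HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux x86_64; rv:1.8.1.21) Gecko/20090303 SeaMonkey/1.1.15"',
]
```

Calling find_unpatched(SAMPLE_LOGS) reports the Firefox 3.0.5, Firefox 2.0.0.20 and Thunderbird 2.0.0.19 clients; the 3.0.6 and 1.1.15 clients are already at the fixed release.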
REFERENCES:
[1] Mozilla Foundation Security Advisory 2009-01
http://www.mozilla.org/security/announce/2009/mfsa2009-01.html
[2] Mozilla Foundation Security Advisory 2009-02
http://www.mozilla.org/security/announce/2009/mfsa2009-02.html
[3] Mozilla Foundation Security Advisory 2009-03
http://www.mozilla.org/security/announce/2009/mfsa2009-03.html
[4] Mozilla Foundation Security Advisory 2009-04
http://www.mozilla.org/security/announce/2009/mfsa2009-04.html
[5] Mozilla Foundation Security Advisory 2009-05
http://www.mozilla.org/security/announce/2009/mfsa2009-05.html
[6] Mozilla Foundation Security Advisory 2009-06
http://www.mozilla.org/security/announce/2009/mfsa2009-06.html
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================