Date: 05 March 2009
References: ESB-2009.0194 ESB-2009.0199 ESB-2009.0202 ESB-2009.0204 ESB-2009.0220 ESB-2009.0262 ESB-2009.0381 ESB-2009.0459 ESB-2009.1038
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
A U S C E R T A L E R T
AL-2009.0015 -- AUSCERT ALERT
[Win][UNIX/Linux]
A number of vulnerabilities have been identified in Mozilla
Firefox, SeaMonkey and Thunderbird
5 March 2009
===========================================================================
AusCERT Alert Summary
---------------------
Product:              Firefox 3.0.6
                      Thunderbird 2.0.0.21
                      SeaMonkey 1.1.15
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact:               Execute Arbitrary Code/Commands
                      Access Privileged Data
                      Provide Misleading Information
                      Denial of Service
CVE Names:            CVE-2009-0777 CVE-2009-0776 CVE-2009-0775
                      CVE-2009-0774 CVE-2009-0773 CVE-2009-0772
                      CVE-2009-0771 CVE-2009-0040
Member content until: Thursday, April 02 2009
Ref:                  ESB-2009.0194
                      ESB-2009.0199
                      ESB-2009.0202
OVERVIEW:
Mozilla has released five advisories relating to Firefox,
Thunderbird and SeaMonkey. Mozilla has rated three of these
advisories as "Critical", one as "High", and one as "Low" impact.
IMPACT:
According to Mozilla, the vulnerabilities corrected in this
update are:

o MFSA 2009-07 (CVE-2009-0771, CVE-2009-0772, CVE-2009-0773,
  CVE-2009-0774): "Mozilla developers identified and fixed several
  stability bugs in the browser engine used in Firefox and other
  Mozilla-based products. Some of these crashes showed evidence of
  memory corruption under certain circumstances and we presume that
  with enough effort at least some of these could be exploited to run
  arbitrary code.

  Thunderbird shares the browser engine with Firefox and could be
  vulnerable if JavaScript were to be enabled in mail. This is not
  the default setting and we strongly discourage users from running
  JavaScript in mail. Without further investigation we cannot rule out
  the possibility that for some of these an attacker might be able to
  prepare memory for exploitation through some means other than
  JavaScript such as large images." [1]

o MFSA 2009-08 (CVE-2009-0775): "An anonymous researcher, via
  TippingPoint's Zero Day Initiative program, reported a vulnerability
  in Mozilla's garbage collection process. The vulnerability was caused
  by improper memory management of a set of cloned XUL DOM elements
  which were linked as a parent and child. After reloading the browser
  on a page with such linked elements, the browser would crash when
  attempting to access an object which was already destroyed. An
  attacker could use this crash to run arbitrary code on the victim's
  computer.

  Thunderbird shares the browser engine with Firefox and could be
  vulnerable if JavaScript were to be enabled in mail. This is not
  the default setting and we strongly discourage users from running
  JavaScript in mail." [2]

o MFSA-2009-09 (CVE-2009-0776): "Mozilla security researcher Georgi
  Guninski reported that a website could use nsIRDFService and a
  cross-domain redirect to steal arbitrary XML data from another
  domain, a violation of the same-origin policy. This vulnerability
  could be used by a malicious website to steal private data from
  users authenticated to the redirected website.

  Thunderbird shares the browser engine with Firefox and could be
  vulnerable if JavaScript were to be enabled in mail. This is not
  the default setting and we strongly discourage users from running
  JavaScript in mail." [3]

o MFSA-2009-10 (CVE-2009-0040): "libpng maintainer Glenn
  Randers-Pehrson reported several memory safety hazards in PNG
  libraries used by Mozilla. These vulnerabilities could be used by a
  malicious website to crash a victim's browser and potentially
  execute arbitrary code on their computer. libpng was upgraded to a
  version which contained fixes for these flaws." [4]

o MFSA-2009-11 (CVE-2009-0777): "Mozilla contributor Masahiro Yamada
  reported that certain invisible control characters were being
  decoded when displayed in the location bar, resulting in fewer
  visible characters than were present in the actual location. An
  attacker could use this vulnerability to spoof the location bar
  and display a misleading URL for their malicious web page." [5]
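A defender-side check for the class of issue described in MFSA 2009-11 above, as an added example that is not part of the AusCERT alert or of Mozilla's code: it flags URLs (for instance from proxy logs or mail links) whose percent-decoded form contains invisible characters, and renders them with those characters kept escaped. The set of Unicode categories and the sample URLs are assumptions constructed for illustration.

```python
import unicodedata
from urllib.parse import unquote

# Unicode general categories treated as invisible here. This set is an
# assumption of the example; the advisory does not list the code points.
# Cc = control, Cf = format (zero-width, bidi marks), Zl/Zp = separators.
INVISIBLE = {"Cc", "Cf", "Zl", "Zp"}


def invisible_chars(url):
    """Return (offset, code point, name) for each invisible character
    that appears once the URL is percent-decoded for display."""
    decoded = unquote(url, encoding="utf-8", errors="replace")
    found = []
    for offset, ch in enumerate(decoded):
        if unicodedata.category(ch) in INVISIBLE:
            name = unicodedata.name(ch, "<unnamed control>")
            found.append((offset, "U+%04X" % ord(ch), name))
    return found


def safe_display(url):
    """Decode a URL for display but keep invisible characters
    percent-encoded, so the shown length matches the real one."""
    decoded = unquote(url, encoding="utf-8", errors="replace")
    out = []
    for ch in decoded:
        if unicodedata.category(ch) in INVISIBLE:
            out.append("".join("%%%02X" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


# Constructed sample URLs (not taken from the advisory).
SAMPLES = [
    "http://example.com/index.html",
    "http://example.com/a%E2%80%8Bb",       # U+200B ZERO WIDTH SPACE
    "http://example.com/%C2%ADlogin%00",    # U+00AD and U+0000
    "http://example.com/caf%C3%A9",         # visible non-ASCII, not flagged
]

if __name__ == "__main__":
    for url in SAMPLES:
        hits = invisible_chars(url)
        print("FLAG" if hits else "ok  ", safe_display(url), hits)
```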
MITIGATION:
These vulnerabilities have been fixed in Firefox 3.0.7, Thunderbird
2.0.0.21 and SeaMonkey 1.1.15. At the time of this publication,
updates for Thunderbird and SeaMonkey have not yet been released;
however, Firefox 3.0.7 can be downloaded from the Mozilla web site.
REFERENCES:
[1] Mozilla Foundation Security Advisory 2009-07
http://www.mozilla.org/security/announce/2009/mfsa2009-07.html
[2] Mozilla Foundation Security Advisory 2009-08
http://www.mozilla.org/security/announce/2009/mfsa2009-08.html
[3] Mozilla Foundation Security Advisory 2009-09
http://www.mozilla.org/security/announce/2009/mfsa2009-09.html
[4] Mozilla Foundation Security Advisory 2009-10
http://www.mozilla.org/security/announce/2009/mfsa2009-10.html
[5] Mozilla Foundation Security Advisory 2009-11
http://www.mozilla.org/security/announce/2009/mfsa2009-11.html
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iD8DBQFJrzTpNVH5XJJInbgRAjsHAJ48OmbAO8MS7xsZFhBb+ESiiG6iJwCfa2ZU
5v1VsOBpDl78juzLKij7SrA=
=TYnJ
-----END PGP SIGNATURE-----