AL-2009.0035 -- [Win][UNIX/Linux] -- Firefox, Seamonkey and Thunderbird: Execute Arbitrary Code
Date: 23 April 2009
References: ESB-2009.0391, ESB-2009.0454
===========================================================================
                         A U S C E R T   A L E R T

                        AL-2009.0035 -- AUSCERT ALERT
                              [Win][UNIX/Linux]
         Firefox, Seamonkey and Thunderbird: Execute Arbitrary Code
                               23 April 2009
===========================================================================

        AusCERT Alert Summary
        ---------------------

Product:            Firefox 3.0.8
                    Thunderbird 2.0.21
                    Seamonkey 1.1.16
Operating System:   UNIX variants (UNIX, Linux, OSX)
                    Windows
Impact:             Execute Arbitrary Code/Commands
                    Access Privileged Data
                    Create Arbitrary Files
                    Cross-site Scripting
                    Cross-site Request Forgery
                    Provide Misleading Information
Access:             Remote/Unauthenticated
CVE Names:          CVE-2009-1302 CVE-2009-1303 CVE-2009-1304
                    CVE-2009-1305 CVE-2009-1306 CVE-2009-1307
                    CVE-2009-1308 CVE-2009-1309 CVE-2009-1310
                    CVE-2009-1311 CVE-2009-1312
Member content until: Thursday, May 21 2009

--------------------------BEGIN INCLUDED TEXT--------------------

OVERVIEW:

        Mozilla has released nine advisories relating to Firefox,
        Thunderbird and Seamonkey. Mozilla has rated one of these
        advisories as "Critical", two as "High", two as "Moderate" and
        four as "Low" impact.

IMPACT:

        According to Mozilla, the vulnerabilities corrected in this
        update are:

        o MFSA 2009-22 (CVE-2009-1312):

          "Mozilla community member Michael reported that when a server
          responds with a Refresh header containing a javascript: URI,
          Firefox will redirect to the javascript: URI. If an attacker
          could inject a Refresh header into a server response, or could
          control the value that a site places in the Refresh header,
          they could use this vulnerability to perform an XSS attack and
          execute arbitrary JavaScript within the context of that site."
          [1]

        o MFSA 2009-21 (CVE-2009-1311):

          "Developer and Mozilla community member Paolo Amadini reported
          that when saving the inner frame of a web page as a file when
          the outer page has POST data associated with it, the POST data
          will be incorrectly sent to the URL of the inner frame. This
          could potentially result in a user's sensitive data being sent
          to a site for which it was not intended." [2]

        o MFSA 2009-20 (CVE-2009-1310):

          "Security researcher Prateek Saxena reported that a malicious
          MozSearch plugin could be created using a javascript: URI in
          the SearchForm value. This URI is used as the default landing
          page when an empty search is performed. If an attacker could
          get a user to install the malicious plugin and perform an empty
          search, the SearchForm javascript: URI would be executed within
          the context of the currently open page." [3]

        o MFSA 2009-19 (CVE-2009-1309):

          "Mozilla security researcher moz_bug_r_a4 reported that it is
          possible to create a document whose URI does not match the
          document's principal using XMLHttpRequest. This type of
          mismatch leads to incorrect results in principal-based security
          checks. An attacker could use this vulnerability to execute
          arbitrary JavaScript within the context of another site.

          moz_bug_r_a4 separately reported that XPCNativeWrapper.toString's
          __proto__ comes from the wrong scope which results in calls to
          that function being executed in the wrong context in certain
          circumstances. An attacker could use this vulnerability to run
          arbitrary code within the context of a different site.
          Alternatively, if chrome were to call content.toString.call(),
          then attacker-defined functions could be run with chrome
          privileges.

          Note: Thunderbird shares the browser engine with Firefox and
          could be vulnerable if JavaScript were to be enabled in mail.
          This is not the default setting and we strongly discourage
          users from running JavaScript in mail." [4]

        o MFSA 2009-18 (CVE-2009-1308):

          "Web developer Cefn Hoile reported that sites which allow users
          to embed third-party stylesheets are vulnerable to script
          injection attacks using XBL bindings. While this behavior was
          documented previously, it was determined that this particular
          risk was not well-understood by some websites. To mitigate this
          risk Mozilla added a restriction that requires XBL bindings to
          come from the same origin as the bound document.

          Note: Thunderbird shares the browser engine with Firefox and
          could be vulnerable if JavaScript were to be enabled in mail.
          This is not the default setting and we strongly discourage
          users from running JavaScript in mail." [5]

        o MFSA 2009-17 (CVE-2009-1307):

          "Security researcher Gregory Fleischer reported that when an
          Adobe Flash file is loaded via the view-source: scheme, the
          Flash plugin misinterprets the origin of the content as
          localhost, leading to two specific vulnerabilities:

          1. The Flash file can bypass restrictions imposed by the
             crossdomain.xml mechanism and initiate HTTP requests to
             arbitrary third-party sites. This vulnerability could be
             used by an attacker to perform CSRF attacks against these
             sites.

          2. The Flash file, being treated as a local resource, can read
             and write Local Shared Objects on a user's machine. This
             vulnerability could be used by an attacker to place
             cookie-like objects on a user's computer and track them
             across multiple sites.

          Additionally, Fleischer reported that the jar: protocol could
          be used to bypass restrictions normally preventing content
          loaded via view-source: from being rendered.

          Note: Thunderbird shares the browser engine with Firefox and
          could be vulnerable if plugins were to be enabled in mail. This
          is not the default setting and we strongly discourage users
          from enabling plugins in mail." [6]

        o MFSA 2009-16 (CVE-2009-1306):

          "Mozilla developer Daniel Veditz reported that when the jar:
          scheme is used to wrap a URI which serves the content with
          Content-Disposition: attachment, the HTTP header is ignored and
          the content is unpacked and displayed inline. A site may depend
          on this HTTP header to prevent potentially untrusted content
          that it serves from executing within the context of the site.
          An attacker could use this vulnerability to subvert sites using
          this mechanism to mitigate content injection attacks.

          This vulnerability has not been fixed on the Mozilla 1.8.1
          branch, which is used to build Firefox 2 and Thunderbird 2.
          However, note that there are several mitigating factors which
          prevent easy exploitation of this issue. In order for a website
          to be exploitable it must:

          1. Allow users to upload arbitrary content
          2. Allow users to set arbitrary MIME types, or specifically
             serve .jar files as application/java-archive or
             application/x-jar
          3. Serve the .jar files from a domain containing sensitive
             content which would otherwise be protected using
             Content-Disposition: attachment" [7]

        o MFSA 2009-15 (CVE-2009-0652):

          "Security researcher Moxie Marlinspike reported that Unicode
          box drawing characters were allowed in Internationalized Domain
          Names (IDN) where they could be visually confused with
          punctuation used in valid web addresses. This could be combined
          with a phishing-type scam to trick a victim into thinking they
          were on a different website than they actually were." [8]

        o MFSA 2009-14 (CVE-2009-1302, CVE-2009-1303, CVE-2009-1304,
          CVE-2009-1305):

          "Mozilla developers identified and fixed several stability bugs
          in the browser engine used in Firefox and other Mozilla-based
          products. Some of these crashes showed evidence of memory
          corruption under certain circumstances and we presume that with
          enough effort at least some of these could be exploited to run
          arbitrary code.

          Note: Thunderbird shares the browser engine with Firefox and
          could be vulnerable if JavaScript were to be enabled in mail.
          This is not the default setting and we strongly discourage
          users from running JavaScript in mail. Without further
          investigation we cannot rule out the possibility that for some
          of these an attacker might be able to prepare memory for
          exploitation through some means other than JavaScript such as
          large images.

          Workaround
          Disable JavaScript until a version containing these fixes can
          be installed." [9]

MITIGATION:

        These vulnerabilities have been fixed in Firefox 3.0.9,
        Thunderbird 2.0.0.22 and SeaMonkey 1.1.17. At the time of this
        publication updates for Thunderbird and SeaMonkey have not yet
        been released, however Firefox 3.0.9 can be downloaded from the
        Mozilla web site.

REFERENCES:

        [1] Mozilla Foundation Security Advisory 2009-22
            http://www.mozilla.org/security/announce/2009/mfsa2009-22.html

        [2] Mozilla Foundation Security Advisory 2009-21
            http://www.mozilla.org/security/announce/2009/mfsa2009-21.html

        [3] Mozilla Foundation Security Advisory 2009-20
            http://www.mozilla.org/security/announce/2009/mfsa2009-20.html

        [4] Mozilla Foundation Security Advisory 2009-19
            http://www.mozilla.org/security/announce/2009/mfsa2009-19.html

        [5] Mozilla Foundation Security Advisory 2009-18
            http://www.mozilla.org/security/announce/2009/mfsa2009-18.html

        [6] Mozilla Foundation Security Advisory 2009-17
            http://www.mozilla.org/security/announce/2009/mfsa2009-17.html

        [7] Mozilla Foundation Security Advisory 2009-16
            http://www.mozilla.org/security/announce/2009/mfsa2009-16.html

        [8] Mozilla Foundation Security Advisory 2009-15
            http://www.mozilla.org/security/announce/2009/mfsa2009-15.html

        [9] Mozilla Foundation Security Advisory 2009-14
            http://www.mozilla.org/security/announce/2009/mfsa2009-14.html

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information
or advice contained in this security bulletin is the responsibility of
each user or organisation, and should be considered in accordance with
your organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still
current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved
from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked
in any way, we encourage you to let us know by completing the secure
National IT Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
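As an added example tied to the MFSA 2009-22 item above (this is not AusCERT's or Mozilla's code), a server-side guard in Python that parses a Refresh header value and refuses javascript: and other non-http(s) targets before the header is emitted; the request-controlled "next" parameter it assumes is hypothetical.

```python
"""Server-side guard for Refresh header targets (the MFSA 2009-22 case).

Added example, not AusCERT's or Mozilla's code. It assumes an application
that builds a Refresh header from request-controlled data (a hypothetical
"next" parameter) and must never emit a javascript: target.
"""
import re
from urllib.parse import urlsplit

# Whitespace and control characters are dropped before the scheme is examined,
# so " javascript:" or "java\tscript:" cannot slip past a naive prefix test.
_STRIP = re.compile(r"[\x00-\x20\x7f]")
ALLOWED_SCHEMES = {"http", "https"}


def parse_refresh(header_value):
    """Split "<delay>; url=<target>" into (delay, target); target may be None.
    Returns None when the value is malformed."""
    delay_part, _, rest = header_value.partition(";")
    try:
        delay = int(delay_part.strip())
    except ValueError:
        return None
    rest = rest.strip()
    if not rest:
        return (delay, None)
    m = re.match(r"(?i)url\s*=\s*(.*)$", rest)
    if not m:
        return None
    return (delay, m.group(1).strip().strip("'\""))


def safe_target(target):
    """True only for http(s) URLs or same-origin relative paths."""
    parts = urlsplit(_STRIP.sub("", target))
    if parts.scheme:
        return parts.scheme.lower() in ALLOWED_SCHEMES
    # Scheme-less: allow "/path" but not protocol-relative "//host/path".
    return not parts.netloc


def refresh_is_safe(header_value):
    """Verdict for a complete Refresh header value (malformed counts as unsafe)."""
    parsed = parse_refresh(header_value)
    if parsed is None:
        return False
    _, target = parsed
    return target is None or safe_target(target)
```

The same check can be run over captured response headers to flag any Refresh value whose target is not http(s) or a same-origin path.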