AL-2009.0051 -- [Win][UNIX/Linux] -- Firefox, Seamonkey and Thunderbird: Multiple Vulnerabilities
Date: 12 June 2009

References: ESB-2009.0560, ESB-2009.0561, ESB-2009.0579, ESB-2009.0587, ESB-2009.0610, ESB-2009.1002.2, ESB-2009.1038
===========================================================================
                         A U S C E R T   A L E R T

                      AL-2009.0051 -- AUSCERT ALERT
                            [Win][UNIX/Linux]
        Firefox, Seamonkey and Thunderbird: Multiple Vulnerabilities
                               12 June 2009
===========================================================================

        AusCERT Alert Summary
        ---------------------

Product:            Firefox
                    Thunderbird
                    Seamonkey
Operating System:   UNIX variants (UNIX, Linux, OSX)
                    Windows
Impact:             Execute Arbitrary Code/Commands
                    Increased Privileges
                    Inappropriate Access
                    Provide Misleading Information
                    Denial of Service
Access:             Remote/Unauthenticated
CVE Names:          CVE-2009-1841 CVE-2009-1840 CVE-2009-1839 CVE-2009-1838
                    CVE-2009-1837 CVE-2009-1836 CVE-2009-1835 CVE-2009-1834
                    CVE-2009-1833 CVE-2009-1832 CVE-2009-1392
Member content until: Friday, July 10 2009

OVERVIEW:

        Mozilla has released nine advisories relating to Firefox, Thunderbird
        and Seamonkey. Mozilla has rated four of these advisories as
        "Critical", one as "High", two as "Moderate" and two as "Low" impact.

IMPACT:

        According to Mozilla, the vulnerabilities corrected in this update
        are:

        o MFSA 2009-24 (CVE-2009-1833, CVE-2009-1832, CVE-2009-1392):

          "Mozilla developers and community members identified and fixed
          several stability bugs in the browser engine used in Firefox and
          other Mozilla-based products. Some of these crashes showed
          evidence of memory corruption under certain circumstances and we
          presume that with enough effort at least some of these could be
          exploited to run arbitrary code.

          Note: Thunderbird shares the browser engine with Firefox and could
          be vulnerable if JavaScript were to be enabled in mail. This is
          not the default setting and we strongly discourage users from
          running JavaScript in mail. Without further investigation we
          cannot rule out the possibility that for some of these an
          attacker might be able to prepare memory for exploitation through
          some means other than JavaScript such as large images." [1]

        o MFSA 2009-25 (CVE-2009-1834):

          "Mozilla add-on developer Pavel Cvrcek reported that certain
          invalid unicode characters, when used as part of an IDN, are
          displayed as whitespace in the location bar. This whitespace
          could be used to force part of the URL out of view in the
          location bar. An attacker could use this vulnerability to spoof
          the location bar and display a misleading URL for their malicious
          web page." [2]

        o MFSA 2009-26 (CVE-2009-1835):

          "Security researcher Gregory Fleischer reported that local
          resources loaded via the file: protocol can access any domain's
          cookies which have been saved on a user's machine. Fleischer
          demonstrated that a local document's domain was being calculated
          incorrectly from its URL. If a victim could be persuaded to
          download a malicious file and then open that file in their
          browser, the malicious file could then steal arbitrary cookies
          from the victim's computer. Due to the interaction required for
          this attack, the severity of the issue was determined to be
          moderate." [3]

        o MFSA 2009-27 (CVE-2009-1836):

          "Microsoft security researchers Shuo Chen, Ziqing Mao, Yi-Min
          Wang, and Ming Zhang reported that when a CONNECT request is sent
          to a proxy server and a non-200 response is returned, then the
          body of the response is incorrectly rendered within the context
          of the request Host: header. An active network attacker could use
          this vulnerability to intercept a CONNECT request and reply with
          a non-200 response containing malicious code which would be
          executed within the context of the victim's requested
          SSL-protected domain. Since this attack requires the victim to
          have a proxy configured, the severity of this issue was
          determined to be high." [4]

        o MFSA 2009-28 (CVE-2009-1837):

          "Jakob Balle and Carsten Eiram of Secunia Research reported a
          race condition in NPObjWrapper_NewResolve when accessing the
          properties of a NPObject, a wrapped JSObject. Balle and Eiram
          demonstrated that this condition could be reached by navigating
          away from a web page during the loading of a Java applet. Under
          such conditions the Java object would be destroyed but later
          called into resulting in a free memory read. It might be possible
          for an attacker to write to the freed memory before it is reused
          and run arbitrary code on the victim's computer.

          Note: This vulnerability does not affect Firefox 2 nor other
          products built using the "Gecko 1.8" version of Mozilla code." [5]

        o MFSA 2009-29 (CVE-2009-1838):

          "Mozilla security researcher moz_bug_r_a4 reported that the owner
          document of an element can become null after garbage collection.
          In such cases, event listeners may be executed within the wrong
          JavaScript context. An attacker could potentially use this
          vulnerability to have a malicious event handler execute arbitrary
          JavaScript with chrome privileges.

          Note: Thunderbird shares the browser engine with Firefox and could
          be vulnerable if JavaScript were to be enabled in mail. This is
          not the default setting and we strongly discourage users from
          running JavaScript in mail." [6]

        o MFSA 2009-30 (CVE-2009-1839):

          "Security researchers Adam Barth and Collin Jackson reported that
          when a file: resource is loaded via the location bar it inherits
          the principal of the previously loaded document. This
          vulnerability can potentially give the newly loaded document
          additional privileges to access the contents of other local files
          that it wouldn't otherwise have permission to read. A potential
          victim would first have to have downloaded the attacker's
          document to their local machine. Then the victim would have to
          open another document in a directory of interest to the attacker
          before opening the attacker's file in the same window.

          Note: Prior to version 3.0, Firefox (like browsers from other
          vendors) treated all local files as having the same origin
          without restriction. This vulnerability is a partial bypass of
          the restrictions implemented in Firefox 3.0." [7]

        o MFSA 2009-31 (CVE-2009-1840):

          "Mozilla add-on developer and community member Wladimir Palant
          reported that content-loading policies were not checked before
          loading external script files into XUL documents. The severity of
          this problem would depend on the reasons behind the content
          policy check, which include privacy from "web bugs" in
          Thunderbird mail messages, blocking of Ads and Ad-server tracking
          in AdBlock Plus, and preventing the running of scripts in
          NoScript." [8]

        o MFSA 2009-32 (CVE-2009-1841):

          "Mozilla security researcher moz_bug_r_a4 reported a vulnerability
          which allows scripts from page content to run with elevated
          privileges. Using this vulnerability, an attacker could cause a
          chrome privileged object, such as the browser sidebar or the
          FeedWriter, to interact with web content in such a way that
          attacker controlled code may be executed with the object's chrome
          privileges.

          Note: Thunderbird supports neither the sidebar nor
          BrowserFeedWriter objects and is not vulnerable in its default
          configuration. Thunderbird might be vulnerable if the user has
          installed any add-on which adds a similarly implemented feature
          and then enables JavaScript in mail messages. This is not the
          default setting and we strongly discourage users from running
          JavaScript in mail." [9]

MITIGATION:

        These vulnerabilities have been fixed in Firefox 3.0.11, Thunderbird
        2.0.0.22 and SeaMonkey 1.1.17. At the time of this publication
        updates for Thunderbird and SeaMonkey have not yet been released,
        however Firefox 3.0.11 can be downloaded from the Mozilla web site.
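A version check against the fixed releases named in the mitigation above, added here as an example (not AusCERT's or Mozilla's code). It assumes an inventory of "host product version" lines, constructed inline, and flags any build below the fix, treating a pre-release tag on the fixed number (e.g. 3.0.11pre) as still below it.

```python
"""Flag Mozilla builds below the fixed releases named in AL-2009.0051.
Added example, not AusCERT's or Mozilla's code."""
import re
from typing import List, Tuple

# Fixed releases as stated in the alert's MITIGATION section.
FIXED_VERSIONS = {"firefox": "3.0.11", "thunderbird": "2.0.0.22",
                  "seamonkey": "1.1.17"}

# Constructed sample inventory ("host product version"), not real data.
SAMPLE_INVENTORY = """\
ws01 Firefox 3.0.10
ws02 Firefox 3.0.11
ws03 Thunderbird 2.0.0.21
ws04 SeaMonkey 1.1.17
ws05 Firefox 3.0.11pre
"""

def parse_version(text: str) -> Tuple[Tuple[int, ...], bool]:
    """'3.0.11pre' -> ((3, 0, 11), True); the flag marks a pre-release
    tag, which ranks below the plain release of the same number."""
    m = re.match(r"^(\d+(?:\.\d+)*)([A-Za-z].*)?$", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split(".")), m.group(2) is not None

def below_fixed_release(product: str, installed: str) -> bool:
    """True when 'installed' is older than the fix named for 'product'.
    Only the number is compared, so a build from another branch is
    judged purely by where its number falls."""
    fixed, _ = parse_version(FIXED_VERSIONS[product.lower()])
    inst, prerelease = parse_version(installed)
    width = max(len(fixed), len(inst))  # pad so 3.0 compares as 3.0.0
    fixed += (0,) * (width - len(fixed))
    inst += (0,) * (width - len(inst))
    return inst < fixed or (inst == fixed and prerelease)

def hosts_needing_update(inventory: str) -> List[Tuple[str, str, str]]:
    """Return (host, product, version) for every entry below the fix."""
    out = []
    for line in inventory.splitlines():
        if line.strip():
            host, product, version = line.split()
            if below_fixed_release(product, version):
                out.append((host, product, version))
    return out
```

Running hosts_needing_update(SAMPLE_INVENTORY) reports ws01, ws03 and ws05; a product name not in FIXED_VERSIONS raises KeyError so unknown software is not silently passed.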
REFERENCES:

        [1] Mozilla Foundation Security Advisory 2009-24
            http://www.mozilla.org/security/announce/2009/mfsa2009-24.html

        [2] Mozilla Foundation Security Advisory 2009-25
            http://www.mozilla.org/security/announce/2009/mfsa2009-25.html

        [3] Mozilla Foundation Security Advisory 2009-26
            http://www.mozilla.org/security/announce/2009/mfsa2009-26.html

        [4] Mozilla Foundation Security Advisory 2009-27
            http://www.mozilla.org/security/announce/2009/mfsa2009-27.html

        [5] Mozilla Foundation Security Advisory 2009-28
            http://www.mozilla.org/security/announce/2009/mfsa2009-28.html

        [6] Mozilla Foundation Security Advisory 2009-29
            http://www.mozilla.org/security/announce/2009/mfsa2009-29.html

        [7] Mozilla Foundation Security Advisory 2009-30
            http://www.mozilla.org/security/announce/2009/mfsa2009-30.html

        [8] Mozilla Foundation Security Advisory 2009-31
            http://www.mozilla.org/security/announce/2009/mfsa2009-31.html

        [9] Mozilla Foundation Security Advisory 2009-32
            http://www.mozilla.org/security/announce/2009/mfsa2009-32.html

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

If you believe that your computer system has been compromised or attacked
in any way, we encourage you to let us know by completing the secure
National IT Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST). On call after hours for member
                emergencies only.
===========================================================================