AL-2009.0051 -- [Win][UNIX/Linux] -- Firefox, Seamonkey and Thunderbird: Multiple Vulnerabilities
Date: 12 June 2009
Original URL: http://www.auscert.org.au/render.html?cid=32&it=11139
References: ESB-2009.0560 ESB-2009.0561 ESB-2009.0579 ESB-2009.0587 ESB-2009.0610 ESB-2009.1002.2 ESB-2009.1038
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
A U S C E R T A L E R T
AL-2009.0051 -- AUSCERT ALERT
[Win][UNIX/Linux]
Firefox, Seamonkey and Thunderbird: Multiple Vulnerabilities
12 June 2009
===========================================================================
AusCERT Alert Summary
---------------------
Product: Firefox
Thunderbird
Seamonkey
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Impact: Execute Arbitrary Code/Commands
Increased Privileges
Inappropriate Access
Provide Misleading Information
Denial of Service
Access: Remote/Unauthenticated
CVE Names: CVE-2009-1841 CVE-2009-1840 CVE-2009-1839
CVE-2009-1838 CVE-2009-1837 CVE-2009-1836
CVE-2009-1835 CVE-2009-1834 CVE-2009-1833
CVE-2009-1832 CVE-2009-1392
Member content until: Friday, July 10 2009
OVERVIEW:
Mozilla has released nine advisories relating to Firefox, Thunderbird
and Seamonkey. Mozilla has rated four of these advisories as
"Critical", one as "High", two as "Moderate" and two as "Low" impact.
IMPACT:
According to Mozilla, the vulnerabilities corrected in this update
are:
o MFSA 2009-24 (CVE-2009-1833, CVE-2009-1832, CVE-2009-1392): "Mozilla
developers and community members identified and fixed several
stability bugs in the browser engine used in Firefox and other
Mozilla-based products. Some of these crashes showed evidence of
memory corruption under certain circumstances and we presume that
with enough effort at least some of these could be exploited to run
arbitrary code.
Note: Thunderbird shares the browser engine with Firefox and could
be vulnerable if JavaScript were to be enabled in mail. This is not
the default setting and we strongly discourage users from running
JavaScript in mail. Without further investigation we cannot rule out
the possibility that for some of these an attacker might be able to
prepare memory for exploitation through some means other than
JavaScript such as large images." [1]
o MFSA 2009-25 (CVE-2009-1834): "Mozilla add-on developer Pavel
Cvrcek reported that certain invalid unicode characters, when used
as part of an IDN, are displayed as whitespace in the location bar.
This whitespace could be used to force part of the URL out of view
in the location bar. An attacker could use this vulnerability to
spoof the location bar and display a misleading URL for their
malicious web page." [2]
o MFSA 2009-26 (CVE-2009-1835): "Security researcher Gregory
Fleischer reported that local resources loaded via the file:
protocol can access any domain's cookies which have been saved on a
user's machine. Fleischer demonstrated that a local document's
domain was being calculated incorrectly from its URL. If a victim
could be persuaded to download a malicious file and then open that
file in their browser, the malicious file could then steal
arbitrary cookies from the victim's computer. Due to the
interaction required for this attack, the severity of the issue was
determined to be moderate." [3]
o MFSA 2009-27 (CVE-2009-1836): "Microsoft security researchers Shuo
Chen, Ziqing Mao, Yi-Min Wang, and Ming Zhang reported that when a
CONNECT request is sent to a proxy server and a non-200 response is
returned, then the body of the response is incorrectly rendered
within the context of the request Host: header. An active network
attacker could use this vulnerability to intercept a CONNECT
request and reply with a non-200 response containing malicious code
which would be executed within the context of the victim's
requested SSL-protected domain. Since this attack requires the
victim to have a proxy configured, the severity of this issue was
determined to be high." [4]
o MFSA 2009-28 (CVE-2009-1837): "Jakob Balle and Carsten Eiram of
Secunia Research reported a race condition in
NPObjWrapper_NewResolve when accessing the properties of a NPObject,
a wrapped JSObject. Balle and Eiram demonstrated that this
condition could be reached by navigating away from a web page
during the loading of a Java applet. Under such conditions the Java
object would be destroyed but later called into resulting in a free
memory read. It might be possible for an attacker to write to the
freed memory before it is reused and run arbitrary code on the
victim's computer.
Note: This vulnerability does not affect Firefox 2 nor other
products built using the "Gecko 1.8" version of Mozilla code." [5]
o MFSA 2009-29 (CVE-2009-1838): "Mozilla security researcher
moz_bug_r_a4 reported that the owner document of an element can
become null after garbage collection. In such cases, event
listeners may be executed within the wrong JavaScript context. An
attacker could potentially use this vulnerability to have a
malicious event handler execute arbitrary JavaScript with chrome
privileges.
Note: Thunderbird shares the browser engine with Firefox and could
be vulnerable if JavaScript were to be enabled in mail. This is not
the default setting and we strongly discourage users from running
JavaScript in mail." [6]
o MFSA 2009-30 (CVE-2009-1839): "Security researchers Adam Barth and
Collin Jackson reported that when a file: resource is loaded via
the location bar it inherits the principal of the previously
loaded document. This vulnerability can potentially give the newly
loaded document additional privileges to access the contents of
other local files that it wouldn't otherwise have permission to
read.
A potential victim would first have to have downloaded the
attacker's document to their local machine. Then the victim would
have to open another document in a directory of interest to the
attacker before opening the attacker's file in the same window.
Note: Prior to version 3.0, Firefox (like browsers from other
vendors) treated all local files as having the same origin without
restriction. This vulnerability is a partial bypass of the
restrictions implemented in Firefox 3.0." [7]
o MFSA 2009-31 (CVE-2009-1840): "Mozilla add-on developer and
community member Wladimir Palant reported that content-loading
policies were not checked before loading external script files
into XUL documents. The severity of this problem would depend on
the reasons behind the content policy check, which include privacy
from "web bugs" in Thunderbird mail messages, blocking of Ads and
Ad-server tracking in AdBlock Plus, and preventing the running of
scripts in NoScript." [8]
o MFSA 2009-32 (CVE-2009-1841): "Mozilla security researcher
moz_bug_r_a4 reported a vulnerability which allows scripts from
page content to run with elevated privileges. Using this
vulnerability, an attacker could cause a chrome privileged object,
such as the browser sidebar or the FeedWriter, to interact with web
content in such a way that attacker controlled code may be executed
with the object's chrome privileges.
Note: Thunderbird supports neither the sidebar nor
BrowserFeedWriter objects and is not vulnerable in its default
configuration. Thunderbird might be vulnerable if the user has
installed any add-on which adds a similarly implemented feature and
then enables JavaScript in mail messages. This is not the default
setting and we strongly discourage users from running JavaScript in
mail." [9]
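The following is an added illustration of the client-side rule that MFSA 2009-27 (CVE-2009-1836) above turns on: a proxy's reply to a CONNECT request establishes a tunnel only when it is a 2xx status, and the body of any other reply belongs to the proxy, never to the Host: the client asked to tunnel to. It is not Mozilla's code and not part of the AusCERT alert; the two proxy replies and the target host name are constructed sample data, and the status-line parser and result dictionaries are this example's own design.

```python
"""Client-side classification of a proxy's reply to CONNECT (added example).

Demonstrates the behaviour MFSA 2009-27 fixed: only a 2xx reply opens the
tunnel to the requested host; any other reply is an error *from the proxy*
and its body must never be rendered in the requested origin's context.
All sample data below is constructed for this example.
"""


class ProxyError(Exception):
    """Raised when the proxy declines the CONNECT; carries status for diagnostics."""

    def __init__(self, status, reason):
        super().__init__(f"proxy refused CONNECT: {status} {reason}")
        self.status = status
        self.reason = reason


def parse_status_line(line):
    """Parse b'HTTP/1.1 200 Connection established' -> (200, 'Connection established')."""
    parts = line.decode("iso-8859-1").rstrip("\r\n").split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("malformed status line from proxy")
    reason = parts[2] if len(parts) == 3 else ""
    return int(parts[1]), reason


def handle_connect_reply(raw_reply, target_host):
    """Decide what to do with the proxy's reply to 'CONNECT target_host:443'.

    A 2xx reply yields a tunnel bound to https://target_host; any bytes after
    the header block are not part of the tunnel and are discarded. Anything
    else raises ProxyError, so the reply body can only ever be surfaced as a
    proxy error and never as content of the requested SSL-protected origin.
    """
    head, _, _body = raw_reply.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0]
    status, reason = parse_status_line(status_line)
    if 200 <= status < 300:
        return {"tunnel": True, "origin": f"https://{target_host}", "body_rendered_as": None}
    raise ProxyError(status, reason)


def render_or_error(raw_reply, target_host):
    """How a renderer should classify the reply: tunnel, or an origin-less proxy error."""
    try:
        return handle_connect_reply(raw_reply, target_host)
    except ProxyError as exc:
        # No origin at all: the body, if shown, is shown as the proxy's error page.
        return {"tunnel": False, "origin": None,
                "body_rendered_as": "proxy-error", "status": exc.status}


# Constructed sample replies (not captured from any real proxy).
OK_REPLY = b"HTTP/1.1 200 Connection established\r\n\r\n"
DENIED_REPLY = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"
                b"<html><body>Access denied by proxy</body></html>")

if __name__ == "__main__":
    print(render_or_error(OK_REPLY, "bank.example"))
    print(render_or_error(DENIED_REPLY, "bank.example"))
```

The point of the split into `handle_connect_reply` and `render_or_error` is that the origin decision is made before any body is looked at: the 403 body above carries no origin in the result, which is exactly the property the fixed Firefox restores.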
MITIGATION:
These vulnerabilities have been fixed in Firefox 3.0.11, Thunderbird
2.0.0.22 and SeaMonkey 1.1.17. At the time of this publication
updates for Thunderbird and SeaMonkey have not yet been released,
however Firefox 3.0.11 can be downloaded from the Mozilla web site.
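As an added example (not part of the AusCERT alert and not a Mozilla tool), the check below compares an inventory of installed Mozilla products against the fixed versions named in the MITIGATION section. The fixed-version table is taken from the text above; the inventory entries, host names and the version-parsing rules (numeric fields padded to four places, any non-numeric suffix such as "pre" treated as older than the release) are this example's own assumptions.

```python
"""Inventory check against the fixed versions in AL-2009.0051 (added example).

FIXED_VERSIONS comes from the advisory's MITIGATION section; everything else,
including the sample inventory, is constructed for this example.
"""
import re

# Product -> first fixed release, as stated in the advisory.
FIXED_VERSIONS = {
    "Firefox": "3.0.11",
    "Thunderbird": "2.0.0.22",
    "SeaMonkey": "1.1.17",
}


def parse_version(version):
    """Turn '3.0.11', '2.0.0.22' or '3.0.11pre' into a comparable key.

    Returns (numeric fields padded to 4, is_release). A non-numeric suffix
    marks a pre-release, which sorts below the release with the same numbers.
    """
    m = re.match(r"^\s*(\d+(?:\.\d+)*)(.*)$", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    numbers = [int(p) for p in m.group(1).split(".")]
    numbers += [0] * (4 - len(numbers))  # so 3.0.11 compares cleanly with 2.0.0.22
    is_release = 1 if m.group(2).strip() == "" else 0
    return tuple(numbers), is_release


def is_vulnerable(product, version):
    """True if the installed version is below the advisory's fixed version."""
    if product not in FIXED_VERSIONS:
        raise KeyError(f"no fixed version known for {product!r}")
    return parse_version(version) < parse_version(FIXED_VERSIONS[product])


# Constructed sample inventory: (hostname, product, version).
SAMPLE_INVENTORY = [
    ("ws-01", "Firefox", "3.0.10"),
    ("ws-02", "Firefox", "3.0.11"),
    ("ws-03", "Thunderbird", "2.0.0.21"),
    ("ws-04", "SeaMonkey", "1.1.17"),
    ("ws-05", "Firefox", "3.0.11pre"),
]


def report(inventory=SAMPLE_INVENTORY):
    """Return (host, product, version, fixed_version) for every install needing an update."""
    findings = []
    for host, product, version in inventory:
        if is_vulnerable(product, version):
            findings.append((host, product, version, FIXED_VERSIONS[product]))
    return findings


if __name__ == "__main__":
    for host, product, version, fixed in report():
        print(f"{host}: {product} {version} is below fixed version {fixed}")
```

The comparison only says whether an install is older than the release the advisory names; it does not know about other branches, so a version from a different release line should be checked against that line's own advisory rather than this table.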
REFERENCES:
[1] Mozilla Foundation Security Advisory 2009-24
http://www.mozilla.org/security/announce/2009/mfsa2009-24.html
[2] Mozilla Foundation Security Advisory 2009-25
http://www.mozilla.org/security/announce/2009/mfsa2009-25.html
[3] Mozilla Foundation Security Advisory 2009-26
http://www.mozilla.org/security/announce/2009/mfsa2009-26.html
[4] Mozilla Foundation Security Advisory 2009-27
http://www.mozilla.org/security/announce/2009/mfsa2009-27.html
[5] Mozilla Foundation Security Advisory 2009-28
http://www.mozilla.org/security/announce/2009/mfsa2009-28.html
[6] Mozilla Foundation Security Advisory 2009-29
http://www.mozilla.org/security/announce/2009/mfsa2009-29.html
[7] Mozilla Foundation Security Advisory 2009-30
http://www.mozilla.org/security/announce/2009/mfsa2009-30.html
[8] Mozilla Foundation Security Advisory 2009-31
http://www.mozilla.org/security/announce/2009/mfsa2009-31.html
[9] Mozilla Foundation Security Advisory 2009-32
http://www.mozilla.org/security/announce/2009/mfsa2009-32.html
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iD8DBQFKMaiwNVH5XJJInbgRAj8YAKCCY/ADXRkkuGp2oONeAJMPSK0y+gCfTABK
/T7fmWYIPGeXjfZu3HD/r/0=
=y4Xe
-----END PGP SIGNATURE-----