Date: 24 August 2009
References: ESB-2009.1196 ASB-2009.1059 ESB-2009.1222 ASB-2009.1073 ESB-2009.1276 ESB-2009.1391.3 ESB-2009.1450 ESB-2009.1500 ESB-2009.1513 ESB-2010.0358 ESB-2010.0677
Related Files:
ASB-2009.1040
ASB-2009.1040.2
ASB-2009.1040.3
ASB-2009.1040.4
===========================================================================
AUSCERT Security Bulletin
ASB-2009.1040.5
Two new versions of Mozilla Firefox have been released
correcting a number of security vulnerabilities
24 August 2009
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product:              Firefox 3.5.1
                      Firefox 3.0.12
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Provide Misleading Information  -- Remote with User Interaction
                      Reduced Security                -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2009-2665 CVE-2009-2664 CVE-2009-2663
                      CVE-2009-2662 CVE-2009-2654 CVE-2009-2470
                      CVE-2009-2408 CVE-2009-2404
Member content until: Thursday, September 3 2009
Revision History:     August 24 2009: Added additional fixes
                      August 19 2009: Updated impact section to include Mozilla
                                      reference to CVE reference
                      August  5 2009: Added CVE references
                      August  4 2009: Version number correction
                      August  4 2009: Initial Release
OVERVIEW
Mozilla has released four advisories relating to Firefox. Mozilla has
rated two of these advisories as "Critical", one as "Moderate", and
one as "Low" impact.
IMPACT
According to Mozilla, the vulnerabilities corrected in this update are:
o MFSA 2009-38 (CVE-2009-2470): "Andrej Andolsek reported that when
Firefox receives a reply from a SOCKS5 proxy which contains a DNS
name longer than 15 characters, the subsequent data stream in the
response can become corrupted. There was no evidence of memory
corruption, however, and the severity of the issue was determined
to be low." [1]
o MFSA 2009-44 (CVE-2009-2654): "Security researcher Juan Pablo Lopez
Yacubian reported that an attacker could call window.open() on an
invalid URL which looks similar to a legitimate URL and then use
document.write() to place content within the new document, appearing
to have come from the spoofed location. Additionally, if the spoofed
document was created by a document with a valid SSL certificate, the
SSL indicators would be carried over into the spoofed document. An
attacker could use these issues to display misleading location and
SSL information for a malicious web page." [2]
o MFSA 2009-45 (CVE-2009-2663): "Mozilla developers and community
members identified and fixed several stability bugs in the browser
engine used in Firefox and other Mozilla-based products. Some of these
crashes showed evidence of memory corruption under certain
circumstances and we presume that with enough effort at least some of
these could be exploited to run arbitrary code." [3]
o MFSA 2009-46: "Mozilla add-on developer and community member
Wladimir Palant reported broken functionality on pages that had a
Link: HTTP header when an add-on was installed which implemented a
Content Policy in JavaScript, such as AdBlock Plus or NoScript.
Mozilla security researcher moz_bug_r_a4 demonstrated that the
broken functionality was due to the window's global object receiving
an incorrect security wrapper and that this issue could be used to
execute arbitrary JavaScript with chrome privileges.
Note: This vulnerability does not affect Firefox prior to version
3.5." [4]
o MFSA 2009-42 (CVE-2009-2408): "IOActive security researcher Dan
Kaminsky reported a mismatch in the treatment of domain names in
SSL certificates between SSL clients and the Certificate
Authorities (CA) which issue server certificates. In particular,
if a malicious person requested a certificate for a host name with
an invalid null character in it most CAs would issue the certificate
if the requester owned the domain specified after the null, while
most SSL clients (browsers) ignored that part of the name and used
the unvalidated part in front of the null. This made it possible for
attackers to obtain certificates that would function for any site
they wished to target. These certificates could be used to intercept
and potentially alter encrypted communication between the client and
a server such as sensitive bank account transactions." [5]
o MFSA 2009-43 (CVE-2009-2404): "Moxie Marlinspike reported a heap
overflow vulnerability in the code that handles regular expressions
in certificate names. This vulnerability could be used to compromise
the browser and run arbitrary code by presenting a specially crafted
certificate to the client. This code provided compatibility with the
non-standard regular expression syntax historically supported by
Netscape clients and servers. With version 3.5 Firefox switched to
the more limited industry-standard wildcard syntax instead and is not
vulnerable to this flaw." [6]
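As an illustration of the framing problem behind MFSA 2009-38, the
following is an added example (not AusCERT's or Mozilla's code) of a
SOCKS5 reply parser that follows the RFC 1928 layout and consumes a
length-prefixed domain name of any size before reading the port and the
tunnelled data; the sample reply bytes and the host name in them are
constructed.

```python
import ipaddress
import struct

# SOCKS5 reply layout (RFC 1928): VER REP RSV ATYP BND.ADDR BND.PORT
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

def parse_socks5_reply(buf: bytes):
    """Parse one SOCKS5 reply at the head of buf.

    Returns (rep, bound_addr, bound_port, rest); rest is every byte after
    the reply, i.e. the start of the tunnelled data stream. Malformed or
    truncated input raises ValueError instead of being guessed at.
    """
    if len(buf) < 4:
        raise ValueError("truncated SOCKS5 reply header")
    ver, rep, rsv, atyp = buf[0], buf[1], buf[2], buf[3]
    if ver != 0x05 or rsv != 0x00:
        raise ValueError("not a SOCKS5 reply")
    pos = 4
    if atyp == ATYP_IPV4:
        addr_len = 4
    elif atyp == ATYP_IPV6:
        addr_len = 16
    elif atyp == ATYP_DOMAIN:
        # BND.ADDR is a 1-byte length plus that many name bytes (up to 255).
        # Consume exactly that many; a fixed-size assumption would misframe
        # the port and every byte of the data stream that follows it.
        if len(buf) < pos + 1:
            raise ValueError("truncated domain length")
        addr_len = buf[pos]
        pos += 1
    else:
        raise ValueError(f"unknown ATYP {atyp:#04x}")
    if len(buf) < pos + addr_len + 2:
        raise ValueError("truncated BND.ADDR or BND.PORT")
    raw = buf[pos:pos + addr_len]
    pos += addr_len
    if atyp == ATYP_DOMAIN:
        addr = raw.decode("ascii")  # hostnames are ASCII on the wire
    else:
        addr = str(ipaddress.ip_address(raw))
    (port,) = struct.unpack("!H", buf[pos:pos + 2])
    return rep, addr, port, buf[pos + 2:]

# Constructed sample: success (REP=0), a 17-character bound domain name
# (longer than any dotted IPv4 string), port 443, then the first bytes of
# the tunnelled stream, which must come back from the parser untouched.
BOUND_NAME = b"bound.example.net"
SAMPLE_REPLY = (b"\x05\x00\x00\x03" + bytes([len(BOUND_NAME)]) + BOUND_NAME
                + struct.pack("!H", 443) + b"GET / HTTP/1.1\r\n")
```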
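MFSA 2009-42 and MFSA 2009-43 both concern how a client matches a
certificate's name against the host it connected to. The following added
example (not Mozilla's code) contrasts the C-string style comparison
described in MFSA 2009-42 with a length-aware matcher that rejects
embedded NULs and accepts only the single leftmost-label wildcard form
rather than any regular-expression syntax; the names in SAMPLE_NAMES are
constructed.

```python
import re

# One DNS label: letters, digits and hyphens only, so no NUL bytes, no
# regex metacharacters and no partial wildcards such as "w*" can pass.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")

def match_hostname_legacy(cert_name: str, host: str) -> bool:
    """The client behaviour MFSA 2009-42 describes: the name is treated as
    a C string, so comparison stops at the first NUL and the part the CA
    actually validated is ignored. For contrast only; do not use."""
    return cert_name.split("\x00", 1)[0].lower() == host.lower()

def match_hostname(cert_name: str, host: str) -> bool:
    """Length-aware match using the industry-standard wildcard form.

    The whole name is compared (an embedded NUL is a hard reject); '*' may
    only be the entire leftmost label, matches exactly one label, and
    needs at least two further labels, so '*.net' never matches anything.
    """
    if "\x00" in cert_name or "\x00" in host:
        return False
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False
    for i, (c, h) in enumerate(zip(cert_labels, host_labels)):
        if i == 0 and c == "*":
            if len(cert_labels) < 3 or not LABEL_RE.match(h):
                return False
            continue
        if not LABEL_RE.match(c) or c != h:
            return False
    return True

def cert_matches_host(host: str, dns_names) -> bool:
    """True if any dNSName (or CN) taken from the certificate covers host."""
    return any(match_hostname(name, host) for name in dns_names)

# Constructed sample names as they might appear in a certificate: a plain
# name, a valid wildcard, and the NUL-prefix form described in MFSA 2009-42.
SAMPLE_NAMES = [
    "www.bank.example",
    "*.shop.example",
    "login.bank.example\x00.attacker.example",
]
```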
MITIGATION
These vulnerabilities have been fixed in Firefox 3.0.13 and Firefox
3.5.2, which can be downloaded from the Mozilla web site.
REFERENCES
[1] Mozilla Foundation Security Advisory 2009-38
http://www.mozilla.org/security/announce/2009/mfsa2009-38.html
[2] Mozilla Foundation Security Advisory 2009-44
http://www.mozilla.org/security/announce/2009/mfsa2009-44.html
[3] Mozilla Foundation Security Advisory 2009-45
http://www.mozilla.org/security/announce/2009/mfsa2009-45.html
[4] Mozilla Foundation Security Advisory 2009-46
http://www.mozilla.org/security/announce/2009/mfsa2009-46.html
[5] Mozilla Foundation Security Advisory 2009-42
http://www.mozilla.org/security/announce/2009/mfsa2009-42.html
[6] Mozilla Foundation Security Advisory 2009-43
http://www.mozilla.org/security/announce/2009/mfsa2009-43.html
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================