ASB-2010.0248 - ALERT [Win][UNIX/Linux] Firefox: Multiple vulnerabilities

Date: 10 December 2010
References: ASB-2010.0093.2  ASB-2010.0249  ESB-2010.1116  ESB-2010.1118  ESB-2010.1122  ESB-2011.0011  

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2010.0248
        Mozilla has released versions 3.6.13 and 3.5.16 of Firefox
                             10 December 2010

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Firefox
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Cross-site Scripting            -- Remote with User Interaction
                      Provide Misleading Information  -- Remote with User Interaction
                      Increased Privileges            -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2010-3778 CVE-2010-3777 CVE-2010-3776
                      CVE-2010-3775 CVE-2010-3774 CVE-2010-3773
                      CVE-2010-3772 CVE-2010-3771 CVE-2010-3770
                      CVE-2010-3769 CVE-2010-3768 CVE-2010-3767
                      CVE-2010-3766 CVE-2010-0179 
Member content until: Sunday, January  9 2011
Reference:            ASB-2010.0093.2

OVERVIEW

        Mozilla has released versions 3.6.13 and 3.5.16 of the Firefox web 
        browser, correcting multiple security vulnerabilities.


IMPACT

        The vendor has supplied the following information regarding these 
        vulnerabilities:
        
        "Mozilla developers identified and fixed several memory safety bugs
        in the browser engine used in Firefox and other Mozilla-based products.
        Some of these bugs showed evidence of memory corruption under
        certain circumstances, and we presume that with enough effort at least
        some of these could be exploited to run arbitrary code." [1]
        
        "Dirk Heinrich reported that on Windows platforms when
        document.write() was called with a very long string a buffer
        overflow was caused in line breaking routines attempting to process
        the string for display. Such cases triggered an invalid read past the
        end of an array causing a crash which an attacker could potentially
        use to run arbitrary code on a victim's computer." [2]
        
        "Security researcher echo reported that a web page could open a window
        with an about:blank location and then inject an <isindex> element into
        that page which upon submission would redirect to a chrome: document.
        The effect of this defect was that the original page would wind up with
        a reference to a chrome-privileged object, the opened window, which
        could be leveraged for privilege escalation attacks." [3]
        
        "Security researcher wushi of team509 reported that when a XUL tree had
        an HTML <div> element nested inside a <treechildren> element then code
        attempting to display content in the XUL tree would incorrectly treat
        the <div> element as a parent node to tree content underneath it
        resulting in incorrect indexes being calculated for the child content.
        These incorrect indexes were used in subsequent array operations
        which resulted in writing data past the end of an allocated buffer.
        An attacker could use this issue to crash a victim's browser and run
        arbitrary code on their machine." [4]
        
        "Mozilla added the OTS font sanitizing library to prevent downloadable
        fonts from exposing vulnerabilities in the underlying OS font code.
        This library mitigates against several issues independently reported by
        Red Hat Security Response Team member Marc Schoenefeld and Mozilla
        security researcher Christoph Diehl." [5]
        
        "Security researcher Gregory Fleischer reported that when a Java
        LiveConnect script was loaded via a data: URL which redirects via a
        meta refresh, then the resulting plugin object was created with the
        wrong security principal and thus received elevated privileges such as
        the abilities to read local files, launch processes, and create network
        connections." [6]
        
        "Security researcher regenrecht reported via TippingPoint's Zero Day
        Initiative that a nsDOMAttribute node can be modified without informing
        the iterator object responsible for various DOM traversals. This flaw
        could lead to an inconsistent state where the iterator points to an object
        it believes is part of the DOM but actually points to some other object.
        If such an object had been deleted and its memory reclaimed by the system,
        then the iterator could be used to call into attacker-controlled memory." [7]
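        The defensive pattern for the iterator defect in [7] is a fail-fast
        iterator: every structural change to the container increments a mutation
        counter, and an iterator that was created before the change refuses to
        dereference anything. The following is an added example written for this
        bulletin, not Mozilla code; the node list, the integer node ids and the
        fixed capacity of eight are constructed stand-ins for the DOM structures
        named in the advisory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a DOM child list (assumption: ids are plain ints,
 * at most MAX_NODES entries). Not the real nsDOMAttribute structures. */
#define MAX_NODES 8

typedef struct {
    int      ids[MAX_NODES];
    size_t   count;
    uint64_t mutation_count;  /* incremented on every structural change */
} node_list_t;

typedef struct {
    const node_list_t *list;
    size_t             pos;
    uint64_t           seen_mutation;  /* snapshot taken when the iterator was created */
} node_iter_t;

void list_init(node_list_t *l)
{
    l->count = 0;
    l->mutation_count = 0;
}

bool list_append(node_list_t *l, int id)
{
    if (l->count >= MAX_NODES)
        return false;
    l->ids[l->count++] = id;
    l->mutation_count++;      /* inform every live iterator */
    return true;
}

/* Remove the node at index i. The bump of mutation_count is the step the
 * advisory says was missing: the iterator is told that the structure changed. */
bool list_remove_at(node_list_t *l, size_t i)
{
    if (i >= l->count)
        return false;
    for (size_t j = i + 1; j < l->count; j++)
        l->ids[j - 1] = l->ids[j];
    l->count--;
    l->mutation_count++;
    return true;
}

node_iter_t iter_begin(const node_list_t *l)
{
    node_iter_t it = { l, 0, l->mutation_count };
    return it;
}

/* Yield the next live id. Returns false, without touching any element, when
 * the list was modified after the iterator was created or the end is reached;
 * a stale iterator can therefore never reach a reclaimed object. */
bool iter_next(node_iter_t *it, int *out)
{
    if (it->list->mutation_count != it->seen_mutation)
        return false;         /* stale: the container changed underneath us */
    if (it->pos >= it->list->count)
        return false;
    *out = it->list->ids[it->pos++];
    return true;
}

/* Walk the list and count what the iterator yields; optionally remove the
 * first node during the walk to show the iterator stopping instead of
 * continuing over a changed structure. */
size_t walk_count(node_list_t *l, bool remove_during_walk)
{
    node_iter_t it = iter_begin(l);
    int id;
    size_t n = 0;
    while (iter_next(&it, &id)) {
        n++;
        if (remove_during_walk && n == 1)
            list_remove_at(l, 0);
    }
    return n;
}

int main(void)
{
    node_list_t l;
    list_init(&l);
    list_append(&l, 1);
    list_append(&l, 2);
    list_append(&l, 3);
    printf("plain walk yields %zu nodes\n", walk_count(&l, false));
    printf("walk with mid-way removal yields %zu node(s), then stops\n",
           walk_count(&l, true));
    return 0;
}
```

        The walk that mutates the list stops after the first element instead of
        continuing with an index that no longer matches the container; the
        caller restarts iteration from a fresh `iter_begin` if it needs to.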
        
        "Security researcher regenrecht reported via TippingPoint's Zero Day
        Initiative that JavaScript arrays were vulnerable to an integer overflow
        vulnerability. The report demonstrated that an array could be constructed
        containing a very large number of items such that when memory was
        allocated to store the array items, the integer value used to calculate
        the buffer size would overflow resulting in too small a buffer being
        allocated. Subsequent use of the array object could then result in data
        being written past the end of the buffer and causing memory corruption." [8]
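        The size-calculation overflow in [8], and the writes past the end of a
        buffer in [2] and [4], share one remedy: compute the allocation size with
        an explicit overflow check and keep the real capacity next to the buffer
        so that every later index is checked against it. The following is an
        added example written for this bulletin, not Mozilla code; the 8-byte
        slot type, the 32-bit size arithmetic and the buffer structure are
        assumptions chosen to show the wrap-around on any platform, not the
        engine's actual layout.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for one array element (assumption: 8 bytes per slot). */
typedef uint64_t slot_t;
#define SLOT_SIZE ((uint32_t)sizeof(slot_t))

/* Flawed pattern described in the advisory: the byte count is computed in
 * 32-bit arithmetic with no overflow check, so a large element count wraps
 * and yields a buffer far smaller than the array needs. Shown only so the
 * wrap-around can be observed; never allocate from this value. */
uint32_t naive_byte_count(uint32_t count)
{
    return count * SLOT_SIZE;        /* wraps once count * 8 reaches 2^32 */
}

/* Hardened form: refuse any count whose product is not representable.
 * Returns false on overflow and leaves *out_bytes untouched. */
bool checked_byte_count(uint32_t count, uint32_t elem_size, uint32_t *out_bytes)
{
    if (elem_size == 0) {
        *out_bytes = 0;
        return true;
    }
    if (count > UINT32_MAX / elem_size)
        return false;                /* count * elem_size would exceed UINT32_MAX */
    *out_bytes = count * elem_size;
    return true;
}

/* Buffer that records the capacity actually allocated, so later writes are
 * bounds-checked against the real size rather than the requested one. */
typedef struct {
    slot_t  *slots;
    uint32_t capacity;               /* number of slot_t the buffer holds */
} slot_buffer_t;

/* Allocate storage for `count` slots, failing cleanly on overflow or OOM. */
bool slot_buffer_alloc(slot_buffer_t *buf, uint32_t count)
{
    uint32_t bytes;
    buf->slots = NULL;
    buf->capacity = 0;
    if (!checked_byte_count(count, SLOT_SIZE, &bytes))
        return false;                /* overflow detected before any allocation */
    buf->slots = (slot_t *)calloc(count, sizeof(slot_t));
    if (buf->slots == NULL && count != 0)
        return false;
    buf->capacity = count;
    return true;
}

/* Bounds-checked store: an index beyond the allocation is refused instead of
 * corrupting whatever follows the buffer in memory. */
bool slot_buffer_store(slot_buffer_t *buf, uint32_t index, slot_t value)
{
    if (index >= buf->capacity)
        return false;
    buf->slots[index] = value;
    return true;
}

void slot_buffer_free(slot_buffer_t *buf)
{
    free(buf->slots);
    buf->slots = NULL;
    buf->capacity = 0;
}

int main(void)
{
    uint32_t huge = 0x20000001u;     /* 2^29 + 1 elements */
    printf("naive byte count for %u elements: %u bytes\n",
           huge, naive_byte_count(huge));

    slot_buffer_t buf;
    printf("checked allocation of %u elements: %s\n", huge,
           slot_buffer_alloc(&buf, huge) ? "ok" : "refused (overflow)");

    if (slot_buffer_alloc(&buf, 16)) {
        printf("store at index 15: %s\n",
               slot_buffer_store(&buf, 15, 1) ? "ok" : "refused");
        printf("store at index 16: %s\n",
               slot_buffer_store(&buf, 16, 1) ? "ok" : "refused");
        slot_buffer_free(&buf);
    }
    return 0;
}
```

        With 2^29 + 1 elements the unchecked product wraps to 8 bytes, which is
        exactly the undersized buffer the advisory describes; the checked path
        rejects the same count before calling the allocator, and the capacity
        field turns any out-of-range index into a refused store.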
        
        "Mozilla security researcher moz_bug_r_a4 reported that the fix for
        CVE-2010-0179 could be circumvented permitting the execution of
        arbitrary JavaScript with chrome privileges." [9]
        
        "Google security researcher Michal Zalewski reported that when a window
        was opened to a site resulting in a network or certificate error page,
        the opening site could access the document inside the opened window and
        inject arbitrary content. An attacker could use this bug to spoof the
        location bar and trick a user into thinking they were on a different site
        than they actually were." [10]
        
        "Security researchers Yosuke Hasegawa and Masatoshi Kimura reported that
        the x-mac-arabic, x-mac-farsi and x-mac-hebrew character encodings are
        vulnerable to XSS attacks due to some characters being converted to angle
        brackets when displayed by the rendering engine. Sites using these
        character encodings would thus be potentially vulnerable to script
        injection attacks if their script filtering code fails to strip out these
        specific characters." [11]


MITIGATION

        It is recommended that users of Firefox upgrade to the latest version
        for their release branch: 3.6.13 or 3.5.16.


REFERENCES

        [1] Mozilla Foundation Security Advisory 2010-74
            http://www.mozilla.org/security/announce/2010/mfsa2010-74.html

        [2] Mozilla Foundation Security Advisory 2010-75
            http://www.mozilla.org/security/announce/2010/mfsa2010-75.html

        [3] Mozilla Foundation Security Advisory 2010-76
            http://www.mozilla.org/security/announce/2010/mfsa2010-76.html

        [4] Mozilla Foundation Security Advisory 2010-77
            http://www.mozilla.org/security/announce/2010/mfsa2010-77.html

        [5] Mozilla Foundation Security Advisory 2010-78
            http://www.mozilla.org/security/announce/2010/mfsa2010-78.html

        [6] Mozilla Foundation Security Advisory 2010-79
            http://www.mozilla.org/security/announce/2010/mfsa2010-79.html

        [7] Mozilla Foundation Security Advisory 2010-80
            http://www.mozilla.org/security/announce/2010/mfsa2010-80.html

        [8] Mozilla Foundation Security Advisory 2010-81
            http://www.mozilla.org/security/announce/2010/mfsa2010-81.html

        [9] Mozilla Foundation Security Advisory 2010-82
            http://www.mozilla.org/security/announce/2010/mfsa2010-82.html

        [10] Mozilla Foundation Security Advisory 2010-83
             http://www.mozilla.org/security/announce/2010/mfsa2010-83.html

        [11] Mozilla Foundation Security Advisory 2010-84
             http://www.mozilla.org/security/announce/2010/mfsa2010-84.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFNAXha/iFOrG6YcBERAj7TAKC6LoFLbvIMhNcpU7RIsM9klT1IXgCg2Pln
N1ByynuzR6DaTQfr2cmrlcA=
=7a4s
-----END PGP SIGNATURE-----