Date: 21 February 2013
References: ESB-2013.0228
===========================================================================
AUSCERT Security Bulletin
ASB-2013.0024.2
Multiple vulnerabilities have been fixed in the latest
versions of Mozilla Firefox, Thunderbird, & SeaMonkey
21 February 2013
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product:              Mozilla Firefox
                      Mozilla Thunderbird
                      Mozilla SeaMonkey
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
                      Android
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service -- Remote with User Interaction
                      Provide Misleading Information -- Remote with User Interaction
                      Access Confidential Data -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2013-0784 CVE-2013-0783 CVE-2013-0782
                      CVE-2013-0781 CVE-2013-0780 CVE-2013-0779
                      CVE-2013-0778 CVE-2013-0777 CVE-2013-0776
                      CVE-2013-0775 CVE-2013-0774 CVE-2013-0773
                      CVE-2013-0772 CVE-2013-0765
Member content until: Friday, March 22 2013
Revision History:     February 21 2013: Modified Product Tag
                      February 20 2013: Initial Release
OVERVIEW
Multiple vulnerabilities have been fixed in the latest versions of
Mozilla Firefox, Thunderbird and SeaMonkey.
IMPACT
The vendor has provided the following details about the
vulnerabilities:
CVE-2013-0783 and CVE-2013-0784:
"Mozilla developers identified and fixed several memory safety bugs
in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort
at least some of these could be exploited to run arbitrary code.
Note: In general these flaws cannot be exploited through email in
the Thunderbird and SeaMonkey products because scripting is
disabled, but are potentially a risk in browser or browser-like
contexts in those products." [1]
CVE-2013-0772:
"Using the Address Sanitizer tool, security researcher Atte Kettunen
from OUSPG found an out-of-bounds read while rendering GIF format
images. This could cause a non-exploitable crash and could also
attempt to render normally inaccessible data as part of the image."
[2]
CVE-2013-0765:
"Mozilla developer Boris Zbarsky reported that in some circumstances
a wrapped WebIDL object can be wrapped multiple times, overwriting
the existing wrapped state. This could lead to an exploitable
condition in rare cases." [3]
CVE-2013-0773:
"Mozilla developer Bobby Holley discovered that it was possible to
bypass some protections in Chrome Object Wrappers (COW) and System
Only Wrappers (SOW), making their prototypes mutable by web content.
This could be used to leak information from chrome objects and
possibly allow for arbitrary code execution. Note: In general these
flaws cannot be exploited through email in the Thunderbird and
SeaMonkey products because scripting is disabled, but are
potentially a risk in browser or browser-like contexts in those
products." [4]
CVE-2013-0774:
"Mozilla security researcher Frederik Braun discovered that since
Firefox 15 the file system location of the active browser profile
was available to JavaScript workers. While not dangerous by itself,
this could potentially be combined with other vulnerabilities to
target the profile in an attack. Note: In general these flaws cannot
be exploited through email in the Thunderbird and SeaMonkey products
because scripting is disabled, but are potentially a risk in browser
or browser-like contexts in those products." [5]
CVE-2013-0775:
"Security researcher Nils reported a use-after-free in
nsImageLoadingContent when content script is executed. This could
allow for arbitrary code execution. Note: In general these flaws
cannot be exploited through email in the Thunderbird and SeaMonkey
products because scripting is disabled, but are potentially a risk
in browser or browser-like contexts in those products." [6]
CVE-2013-0776:
"Google security researcher Michal Zalewski reported an issue where
the browser displayed the content of a proxy's 407 response if a
user canceled the proxy's authentication prompt. In this
circumstance, the addressbar will continue to show the requested
site's address, including HTTPS addresses that appear to be secure.
This spoofing of addresses can be used for phishing attacks by
fooling users into entering credentials, for example. Note: In
general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled,
but are potentially a risk in browser or browser-like contexts in
those products." [7]
CVE-2013-0777, CVE-2013-0778, CVE-2013-0779, CVE-2013-0781,
CVE-2013-0782 and CVE-2013-0780:
"Security researcher Abhishek Arya (Inferno) of the Google Chrome
Security Team used the Address Sanitizer tool to discover a series
of use-after-free, out of bounds read, and buffer overflow problems
rated as low to critical security issues in shipped software. Some
of these issues are potentially exploitable, allowing for remote
code execution. We would also like to thank Abhishek for reporting
four additional use-after-free and out of bounds write flaws
introduced during Firefox development that were fixed before general
release. Note: In general these flaws cannot be exploited through
email in the Thunderbird and SeaMonkey products because scripting is
disabled, but are potentially a risk in browser or browser-like
contexts in those products." [8]
MITIGATION
Users should update to the latest versions of Firefox, Thunderbird and
SeaMonkey.
REFERENCES
[1] Mozilla Foundation Security Advisory 2013-21
http://www.mozilla.org/security/announce/2013/mfsa2013-21.html
[2] Mozilla Foundation Security Advisory 2013-22
http://www.mozilla.org/security/announce/2013/mfsa2013-22.html
[3] Mozilla Foundation Security Advisory 2013-23
http://www.mozilla.org/security/announce/2013/mfsa2013-23.html
[4] Mozilla Foundation Security Advisory 2013-24
http://www.mozilla.org/security/announce/2013/mfsa2013-24.html
[5] Mozilla Foundation Security Advisory 2013-25
http://www.mozilla.org/security/announce/2013/mfsa2013-25.html
[6] Mozilla Foundation Security Advisory 2013-26
http://www.mozilla.org/security/announce/2013/mfsa2013-26.html
[7] Mozilla Foundation Security Advisory 2013-27
http://www.mozilla.org/security/announce/2013/mfsa2013-27.html
[8] Mozilla Foundation Security Advisory 2013-28
http://www.mozilla.org/security/announce/2013/mfsa2013-28.html
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================