AusCERT - ESB-2006.0617 -- [Solaris] -- Multiple Security Vulnerabilites in Mozilla 1.4 and 1.7 for Solaris and for Sun JDS for Linux

HOME
About AusCERT
Membership
PKI Services
Training
Publications
Sec. Bulletins
Conferences
News & Media
Services
Web Log
Site Map
Site Help
Member login
ESB-2006.0617 -- [Solaris] -- Multiple Security Vulnerabilites in Mozilla 1.4 and 1.7 for Solaris and for Sun JDS for Linux
Date: 16 September 2008
References: ESB-2006.0102 AA-2006.0021 AL-2006.0027 ESB-2006.0390

Click here for printable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                        ESB-2006.0617 -- [Solaris]
        Multiple Security Vulnerabilites in Mozilla 1.4 and 1.7 for
                     Solaris and for Sun JDS for Linux
                             16 September 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Mozilla versions 1.7 and 1.4
Publisher:            Sun Microsystems
Operating System:     Solaris 8, 9 and 10
Impact:               Execute Arbitrary Code/Commands
                      Read-only Data Access
                      Access Privileged Data
                      Denial of Service
Access:               Remote/Unauthenticated
CVE Names:            CVE-2005-4134 CVE-2006-0292 CVE-2006-0293
                      CVE-2006-0296 CVE-2006-0748 CVE-2006-0749
                      CVE-2006-0884 CVE-2006-1724 CVE-2006-1727
                      CVE-2006-1728 CVE-2006-1729 CVE-2006-1730
                      CVE-2006-1731 CVE-2006-1732 CVE-2006-1733
                      CVE-2006-1734 CVE-2006-1735 CVE-2006-1736
                      CVE-2006-1737 CVE-2006-1738 CVE-2006-1739
                      CVE-2006-1740 CVE-2006-1741 CVE-2006-1742
                      CVE-2006-1790

Ref:                  AL-2006.0027
                      AA-2006.0021
                      ESB-2006.0390
                      ESB-2006.0102

Revision History:     September 16 2008: Updated resolution section 
                                         detailing final patches
                      December 13 2006:  Fixes are available for Solaris 8 
                                         and 9
                      August 28 2006:    Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

   Solution Type: Sun Alert
   Solution  228526 :   Multiple Security Vulnerabilities in Mozilla 1.4
   and 1.7 for Solaris and for Sun JDS for Linux          
   Previously Published As: 102550

   Bug ID: 6412730, 6415128, 6415131, 6415133, 6415135, 6415138, 6415142, 
   6415143, 6424493,  6424545,  6424548,  6424551, 6424560,  6424563, 
   6424567, 6424568, 6424573, 6424574, 6424577, 6424579

   Product
   Mozilla 1.4 for Solaris
   Mozilla 1.4 for Linux
   Mozilla v1.7

   Date of Workaround Release: 22-AUG-2006

   Date of Resolved Release: 08-Sep-2008

   SA Document Body
   Multiple Security Vulnerabilities in Mozilla 1.4 and 1.7 for Solaris and 
   for Sun JDS for Linux

   1. Impact

   Multiple security vulnerabilities are present in Mozilla version 1.4
   (Solaris 8 and 9) and Mozilla version 1.7 (Solaris 8, 9 and 10) and
   under Sun Java Desktop System (JDS) for Linux. (Mozilla can be used
   as a web browser and editor, an irc client, an email client, and a
   news client).

   These issues may allow a remote unprivileged user who controls a
   website that is visited by a local user using the Mozilla browser to
   execute code with elevated privileges, gain unauthorized access to
   data stored on the local machine, or cause a Denial of Service (DoS)
   to the Mozilla browser.

   Bug 6415128 - For Mozilla 1.4 and 1.7:

   Mozilla contains an integer overflow flaw within the CSS letter
   spacing property. This flaw may result in a remote user executing
   arbitrary code with the privileges of the local user when an affected
   site is visited.

   This issue is described in the following documents:

   http://www.mozilla.org/security/announce/mfsa2006-22.html
   http://www.kb.cert.org/vuls/id/179014
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-1730

   Bug 6415131 - For Mozilla 1.4 and 1.7:

   Mozilla contains a flaw within the XBL bindings which may allow a
   remote user the ability to execute JavaScript code within the XBL
   bindings with the privileges of the local user when an affected site
   is visited.

   This issue is described in the following documents:

   http://www.mozilla.org/security/announce/mfsa2006-16.html
   http://www.kb.cert.org/vuls/id/488774
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-1733

   Bug 6415133 - For Mozilla 1.4 and 1.7:

   Mozilla contains a flaw within the "Object.watch" method which may
   allow a remote user the ability to execute arbitrary JavaScript code
   with the privileges of the local user when an affected site is
   visited.

   This issue is described in the following documents:

   http://www.mozilla.org/security/announce/mfsa2006-15.html
   http://www.kb.cert.org/vuls/id/842094
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-1734

   Bug 6415135 - For Mozilla 1.4 and 1.7:

   Mozilla contains a flaw within the "eval" method of the XBL bindings
   which may allow a remote user the ability to execute arbitrary
   JavaScript code with the privileges of the local user when an affected
   site is visited.

   This issue is described in the following documents:

   http://www.mozilla.org/security/announce/mfsa2006-14.html
   http://www.kb.cert.org/vuls/id/813230
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-1735

   Bug 6415138 - For Mozilla 1.4 and 1.7:

   Mozilla contains a flaw within the processing of HTML tags that may
   allow a remote user the ability to execute arbitrary code with the
   privileges of the local user when an affected site is visited.

   This issue is described in the following documents:

   http://www.mozilla.org/security/announce/mfsa2006-18.html
   http://www.kb.cert.org/vuls/id/736934
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-0749


   Bug 6412730 - For Mozilla 1.4 and 1.7:

   Mozilla contains a flaw within the "XULDocument.presist" method which
   may allow a remote attacker to inject XML into the localstore
   (localstore.rdf) when an affected site is visited. The injected XML
   might be acted upon at startup thus executing arbitrary code.

   This issue is described in the following documents:

   http://www.mozilla.org/security/announce/mfsa2006-05.html
   http://www.kb.cert.org/vuls/id/592425
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-0296

   Bug 6424493 - For Mozilla 1.4 and 1.7:

   Mozilla contains a flaw that may allow a remote attacker to execute
   arbitrary code with the privileges of the local user when a site is
   viewed with an invalid order for the table related tags.

   This issue is described in the following documents:

   http://www.mozilla.org/security/announce/mfsa2006-27.html
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-0748

   Bug 6424545 - For Mozilla 1.4 and 1.7:

   Mozilla contains a flaw that may allow a remote attacker to gain
   "chrome" privilege when using the print preview feature of the
   browser.

   This issue is described in the following documents:

   http://www.mozilla.org/security/announce/mfsa2006-25.html
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-1727

   Bug 6424548 - For Mozilla 1.4 and 1.7:

   Mozilla contains a flaw that may allow a remote attacker the ability
   to read any local file when a site is viewed.

   This issue is described in the following documents:

   http://www.mozilla.org/security/announce/mfsa2006-23.html
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-1729

   Bug 6424551 - For Mozilla 1.4 and 1.7:

   Mozilla Mail contains a flaw that may allow an attacker to execute
   arbitrary JavaScript when a mail message is forwarded as embedded
   text.

   This issue is described in the following documents:

   http://www.mozilla.org/security/announce/mfsa2006-21.html
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-0884

   Bug 6424560 - For Mozilla 1.4 and 1.7:

   Mozilla contains a flaw within ".valueOf.call()" and
   ".valueOf.apply()" that may allow a remote attacker to inject script
   into another window.

   This issue is described in the following documents:

   http://www.mozilla.org/security/announce/mfsa2006-19.html
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1731

   Bug 6424563 - For Mozilla 1.4 and 1.7:

   Mozilla contains a flaw within the "window.controllers" array that may
   allow a malicious site to inject script into content from another
   site.

   This issue is described in the following documents:

   http://www.mozilla.org/security/announce/mfsa2006-17.html
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1732

   Bug 6424567 - For Mozilla 1.4 and 1.7:

   Mozilla contains a flaw with the handling of layered transparent
   images that may allow a malicious site to convince visitors to save
   the image and then fool them by uploading an executable instead.
   Should the user later double-click the saved "image" within a file
   manager, it would be executing with the privileges of the local user.

   This issue is described in the following documents:

   http://www.mozilla.org/security/announce/mfsa2006-13.html
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1736

   Bug 6424568 - For Mozilla 1.4 and 1.7:

   Mozilla contains a flaw in the browser's secure-site indicators that
   may allow a malicious site to spoof a local user into thinking they
   are still at a secure site.

   This issue is described in the following documents:

   http://www.mozilla.org/security/announce/mfsa2006-12.html
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1740

   Bug 6415143 - For Mozilla 1.4 and 1.7:

   Mozilla contains a flaw within DHTML which may allow a remote user the
   ability to execute arbitrary code with the privileges of the local
   user when an affected site is visited.

   This issue is described in the following documents:

     http://www.mozilla.org/security/announce/mfsa2006-20.html
     http://www.kb.cert.org/vuls/id/350262
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-1724

   Bug 6415142 - For Mozilla 1.4 and 1.7:

   Mozilla contains several flaws that may allow a remote attacker to
   execute arbitrary code. There exists a buffer overflow within the CSS
   border-rendering code that may allow the remote attacker to execute
   arbitrary code. There exists a 16-bit integer overflow that may allow
   a remote attacker to execute the supplied data as JavaScript bytecode.
   When programmatically changing the "-moz-grid" and "-moz-grid-group"
   display styles, a remote attacker may be able to execute arbitrary
   code. There exists a buffer overflow within the
   "InstallTrigger.install()" method that was introduced by the fix for
   mfsa2005-58.

   This issue is described in the following documents:

   http://www.mozilla.org/security/announce/mfsa2006-11.html
   http://www.kb.cert.org/vuls/id/329500
   http://www.kb.cert.org/vuls/id/252324
   http://www.kb.cert.org/vuls/id/935556
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-1737
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-1738
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-1739
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-1790

   Bug 6424573 - For Mozilla 1.4 and 1.7:

   Mozilla contains a flaw within the JavaScript engine for routines that
   use temporary variables. This flaw may allow a malicious site to
   execute arbitrary code including installing software as the local
   user.

   This issue is described in the following documents:

   http://www.mozilla.org/security/announce/mfsa2006-10.html
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1742

   Bug 6424574 - For Mozilla 1.4 and 1.7:

   Mozilla contains a flaw that may allow a malicious site to inject
   JavaScript code into a new site using a modal alert. This
   vulnerability may allow an attacker to steal confidential information
   that the new site might contain.

   This issue is described in the following documents:

     http://www.mozilla.org/security/announce/mfsa2006-09.html
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1741

   Bug 6424577 - For Mozilla 1.4 and 1.7:

   Mozilla contains a flaw which may allow a Denial of Service (DOS) to
   occur when the browser displays a very long title.

   This issue is described in the following documents:

     http://www.mozilla.org/security/announce/mfsa2006-03.html
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4134

   Bug 6424579 - For Mozilla 1.4 and 1.7:

   Mozilla contains a flaw within the JavaScript engine which may cause a
   temporary variable to be freed during garbage collection. This flaw
   may be used by a remote attacker to execute arbitrary code with the
   permissions of the local user.

   This issue is described in the following documents:

   http://www.mozilla.org/security/announce/mfsa2006-01.html
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0292
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0293
   
   2. Contributing Factors

   This issue can occur in the following releases:

   SPARC Platform
     * Mozilla 1.4 (for Solaris 8)
     * Mozilla 1.4 (for Solaris 9)
     * Mozilla 1.7 (for Solaris 8 and 9) without patch 120671-02
     * Mozilla 1.7 (for Solaris 10) without patch 119115-19

   x86 Platform
     * Mozilla 1.4 (for Solaris 8)
     * Mozilla 1.4 (for Solaris 9)
     * Mozilla 1.7 (for Solaris 8 and 9) without patch 120672-02
     * Mozilla 1.7 (for Solaris 10) without patch 119116-19

   Linux Platform
     * Sun Java Desktop System (JDS) Release 2 without the updated RPMs

   Note: These issues (for Mozilla 1.4) only occur with Mozilla versions
   "mozilla-1.4.1-224b" or earlier.

   To determine the version of Mozilla on a Solaris system, the following
   command can be run:
    % /usr/sfw/bin/mozilla -version
    Mozilla 1.7, (Sun Java Desktop System), build 2005031721

   To determine the release of JDS for Linux installed on a system, the
   following command can be run:
    % cat /etc/sun-release
    Sun Java Desktop System, Release 2 -build 10b (GA)
    Assembled 30 March 2004

   To determine the version of Mozilla on a Linux system, the following
   command (on JDS for Linux) can be run:
    % rpm -qf /usr/bin/mozilla
    mozilla-1.4.1-224b

   3. Symptoms

   There are no predictable symptoms that would indicate the described
   issues have been exploited.
   
   4. Workaround

   Different issues will require different workarounds, as described in
   the following options/examples:

   A) Disable JavaScript. To do this in Mozilla:
    1. Open the Preferences dialog from the Edit menu
    2. Select the Advanced tree
    3. Select the Scripts & Plug-ins leaf
    4. Uncheck the Navigator and Mail & Newsgroups check boxes
    5. Click the OK button

   Or:
    1. Enter "about:config" in the location field
    2. Enter "javascript.enabled" in the search field
    3. Double click on the value and change it to false
    4. Click the OK button

   B) Visit only trusted web sites.

   C) Use the default mail message embedding when forwarding a mail
   message. This can be done by setting the forwarding preference:
    1. Open the Preferences dialog from the Edit menu
    2. Select the Mail & Newsgroups tree
    3. Select the Composition leaf
    4. Set the Forward messages list to "As Attachment"
    5. Click the OK button

   D) Only download images from trusted web sites.

   E) Turn off the "Entering encrypted site" warning dialog. To do this
   in Mozilla:
    1. Enter "about:config" in the location field
    2. Enter "security.warn" in the search field
    3. Double click on each "security.warn" and change the value to false
    4. click the OK button

   F) Turn off the browser history. To do this in Mozilla:
    1. Open the Preferences dialog from the Edit menu
    2. Select the Navigator tree
    3. On the History leaf, set the "remember duration" to 0 days

   Or:
    1. Enter "about:config" in the location field
    2. Enter "browser.history_expires_day" in the search field
    3. Double click on the value and change it to 0
    4. Click the OK button

   G) Remove the "history.dat" file. This can be done by running the
   following commands:
    % cd $HOME/.mozilla/<profile>/*
    % rm history.dat

   All of these issues can be resolved by downloading and
   installing/upgrading to the latest Mozilla version from the Mozilla
   community website at http://www.mozilla.org/releases/#1.7.13

   Linux Platform
     * Sun Java Desktop System (JDS) Release 2 with the updated RPMs
       available at:

   http://download.mozilla.org/?product=firefox-3.0.1&os=linux&lang=e
   n-US
   
   5. Resolution

   This issue is addressed in the following releases:

   SPARC Platform
     * Mozilla 1.7 (for Solaris 8 and 9) with patch 120671-02 or
       later
     * Mozilla 1.7 (for Solaris 10) with patch 119115-19 or later

   x86 Platform
     * Mozilla 1.7 (for Solaris 8 and 9) with patch 120672-02 or
       later
     * Mozilla 1.7 (for Solaris 10) with patch 119116-19 or later

   Systems running Mozilla 1.4 will need to upgrade to Mozilla 1.7 and
   apply the above patches to resolve this issue. Mozilla 1.7 can be
   downloaded at
   http://www.sun.com/download/index.jsp?cat=Desktop&tab=3&subcat=Web
   %20Browsers
   Or from the Mozilla community website at
   http://www.mozilla.org/releases/#1.7.13

   Note: For additional issues regarding patch 119116-19, please see
   Sun Alert 102612 at
   http://sunsolve.sun.com/search/document.do?assetkey=1-26-102612-1

   Linux Platform
     * Sun Java Desktop System (JDS) Release 2 with the updated RPMs (see
       "Workaround" section)

   For more information on Security Sun Alerts, see Technical
   Instruction ID 213557.
   This Sun Alert notification is being provided to you on an "AS IS"
   basis. This Sun Alert notification may contain information provided by
   third parties. The issues described in this Sun Alert notification may
   or may not impact your system(s). Sun makes no representations,
   warranties, or guarantees as to the information contained herein. ANY
   AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
   WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
   NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT
   YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
   INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE
   OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN.
   This Sun Alert notification contains Sun proprietary and confidential
   information. It is being provided to you pursuant to the provisions of
   your agreement to purchase services from Sun, or, if you do not have
   such an agreement, the Sun.com Terms of Use. This Sun Alert
   notification may only be used for the purposes contemplated by these
   agreements.
   Copyright 2000-2008 Sun Microsystems, Inc., 4150 Network Circle, Santa
   Clara, CA 95054 U.S.A. All rights reserved

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBSM8z2Ch9+71yA2DNAQJwTwP/Uhu8aP1x4kIf9zUgcV9dveBD6LNXP/h1
BBoozqgeVzBzV5NR09PTkMLEBcNZCEY61WJVjSnSX18TI/XtjTH5D3VtL0SnmxkV
zYGz6qiTFue9dPYusoHNsFzZDCX8ndH/Pxx63wS9cW9ymEXSmkIFomm4iYF18qiU
kJDspAOkFbk=
=ADUl
-----END PGP SIGNATURE-----