Date: 19 October 2007
References: ESB-2007.0816 ESB-2007.0817 ESB-2007.0821 ESB-2007.0822 ESB-2007.0844 ESB-2007.0870 AA-2007.0103
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2007.0814 -- [Win][UNIX/Linux]
New versions of Firefox, Thunderbird, and SeaMonkey fix
multiple security vulnerabilities
19 October 2007
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Firefox 2.0.0.7 and prior
Thunderbird 2.0.0.7 and prior
SeaMonkey 1.1.4 and prior
Publisher: Mozilla Foundation
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Impact: Execute Arbitrary Code/Commands
Access Confidential Data
Provide Misleading Information
Access: Remote/Unauthenticated
CVE Names: CVE-2007-5339 CVE-2007-5340 CVE-2007-1095
CVE-2007-2292 CVE-2007-3511 CVE-2006-2894
CVE-2007-5334 CVE-2007-5337 CVE-2007-5338
CVE-2007-4841
Original Bulletin:
http://www.mozilla.org/security/announce/2007/mfsa2007-29.html
http://www.mozilla.org/security/announce/2007/mfsa2007-30.html
http://www.mozilla.org/security/announce/2007/mfsa2007-31.html
http://www.mozilla.org/security/announce/2007/mfsa2007-32.html
http://www.mozilla.org/security/announce/2007/mfsa2007-33.html
http://www.mozilla.org/security/announce/2007/mfsa2007-34.html
http://www.mozilla.org/security/announce/2007/mfsa2007-35.html
http://www.mozilla.org/security/announce/2007/mfsa2007-36.html
Comment: This bulletin contains eight (8) Mozilla security advisories for
Firefox, Thunderbird and SeaMonkey.
- --------------------------BEGIN INCLUDED TEXT--------------------
Mozilla Foundation Security Advisory 2007-29
Title: Crashes with evidence of memory corruption (rv:1.8.1.8)
Impact: Critical
Announced: October 18, 2007
Reporter: Mozilla developers and community
Products: Firefox, Thunderbird, SeaMonkey
Fixed in: Firefox 2.0.0.8
Thunderbird 2.0.0.8
SeaMonkey 1.1.5
Description
As part of the Firefox 2.0.0.8 update releases Mozilla developers
fixed many bugs to improve the stability of the product. Some of these
crashes showed evidence of memory corruption under certain
circumstances and we presume that with enough effort at least some of
these could be exploited to run arbitrary code.
Thunderbird shares the browser engine with Firefox and could be
vulnerable if JavaScript were to be enabled in mail. This is not the
default setting and we strongly discourage users from running
JavaScript in mail. Without further investigation we cannot rule out
the possibility that for some of these an attacker might be able to
prepare memory for exploitation through some means other than
JavaScript such as large images.
Workaround
Disable JavaScript until a version containing these fixes can be
installed.
References
L. David Baron, Boris Zbarsky, Georgi Guninski, Paul Nickerson, Olli
Pettay, Jesse Ruderman, Vladimir Sukhoy, Daniel Veditz, and Martijn
Wargers reported crashes in the browser engine.
* CVE-2007-5339
* Browser crashes
Igor Bukanov, Eli Friedman, and Jesse Ruderman reported crashes in the
JavaScript engine.
* CVE-2007-5340
* JavaScript engine crashes
Portions of this content are (c) 1998-2007 by individual mozilla.org
contributors; content available under a Creative Commons license:
http://creativecommons.org/licenses/by-sa/2.0/legalcode
- ----
Mozilla Foundation Security Advisory 2007-30
Title: onUnload Tailgating
Impact: Low
Announced: October 18, 2007
Reporter: Michal Zalewski
Products: Firefox, SeaMonkey
Fixed in: Firefox 2.0.0.8
SeaMonkey 1.1.5
Description
Michal Zalewski demonstrated that onUnload event handlers had access
to the address of the new page about to be loaded, even if the
navigation was triggered from outside the page content such as by
using a bookmark, pressing the back button, or typing an address into
the location bar. If the bookmark contained sensitive information in
the URL the attacking page might be able to take advantage of it. An
attacking page would also be able to redirect the user, perhaps to a
phishing page that looked like the site the user thought they were
about to visit.
References
* https://bugzilla.mozilla.org/show_bug.cgi?id=371360
* CVE-2007-1095
Portions of this content are (c) 1998-2007 by individual mozilla.org
contributors; content available under a Creative Commons license:
http://creativecommons.org/licenses/by-sa/2.0/legalcode
- ----
Mozilla Foundation Security Advisory 2007-31
Title: Digest authentication request splitting
Impact: Moderate
Announced: October 18, 2007
Reporter: Stefano Di Paola
Products: Firefox, SeaMonkey
Fixed in: Firefox 2.0.0.8
SeaMonkey 1.1.5
Description
Security researcher Stefano Di Paola reported that Firefox did not
properly validate the user ID when making an HTTP request using Digest
Authentication to log into a web site. A malicious page could abuse
this to inject arbitrary HTTP headers by including a newline character
in the user ID followed by the injected header data. If the user were
connecting through a proxy the attacker could inject headers that a
proxy would interpret as two separate requests for different hosts.
References
* IE 7 and Firefox Browsers Digest Authentication Request Splitting
* https://bugzilla.mozilla.org/show_bug.cgi?id=378787
* CVE-2007-2292
Portions of this content are (c) 1998-2007 by individual mozilla.org
contributors; content available under a Creative Commons license:
http://creativecommons.org/licenses/by-sa/2.0/legalcode
- ----
Mozilla Foundation Security Advisory 2007-32
Title: File input focus stealing vulnerability
Impact: Moderate
Announced: October 18, 2007
Reporter: hong, Charles McAuley
Products: Firefox, SeaMonkey
Fixed in: Firefox 2.0.0.8
SeaMonkey 1.1.5
Description
A user on the Sla.ckers.org forums named hong reported that a file
upload control could be filled programmatically by switching page
focus to the label before a file upload form control for selected
keyboard events. An attacker could use this trick to steal files from
the user's computer if the attacker knew the full pathnames to the
desired files and could create a pretext that would convince the user
to type long enough to produce all the necessary characters.
This is a variant on a similar problem reported by Charles McAuley and
independently rediscovered by Michal Zalewski that was fixed in
Firefox 2.0.0.4.
References
* https://bugzilla.mozilla.org/show_bug.cgi?id=388784
* CVE-2007-3511
* https://bugzilla.mozilla.org/show_bug.cgi?id=370092
* CVE-2006-2894
Portions of this content are (c) 1998-2007 by individual mozilla.org
contributors; content available under a Creative Commons license:
http://creativecommons.org/licenses/by-sa/2.0/legalcode
- ----
Mozilla Foundation Security Advisory 2007-33
Title: XUL pages can hide the window titlebar
Impact: Low
Announced: October 18, 2007
Reporter: Eli Friedman
Products: Firefox, SeaMonkey
Fixed in: Firefox 2.0.0.8
SeaMonkey 1.1.5
Description
Mozilla developer Eli Friedman discovered that web pages written in
the XUL markup language (rather than the usual HTML) can hide their
window's titlebar. It may have been possible to abuse this ability to
create more convincing spoof and phishing pages.
References
* https://bugzilla.mozilla.org/show_bug.cgi?id=391043
* CVE-2007-5334
Portions of this content are (c) 1998-2007 by individual mozilla.org
contributors; content available under a Creative Commons license:
http://creativecommons.org/licenses/by-sa/2.0/legalcode
- ----
Mozilla Foundation Security Advisory 2007-34
Title: Possible file stealing through sftp protocol
Impact: Moderate
Announced: October 18, 2007
Reporter: Georgi Guninski
Products: Firefox, SeaMonkey
Fixed in: Firefox 2.0.0.8
SeaMonkey 1.1.5
Description
On Linux machines with gnome-vfs support the smb: and sftp: URI
schemes are available in Firefox. Georgi Guninski showed that if an
attacker can store the attack page in a mutually accessible location
on the target server (/tmp perhaps) and lure the victim into loading
it, the attacker could potentially read any file owned by the victim
from known locations on that server.
References
* https://bugzilla.mozilla.org/show_bug.cgi?id=381146
* CVE-2007-5337
Portions of this content are (c) 1998-2007 by individual mozilla.org
contributors; content available under a Creative Commons license:
http://creativecommons.org/licenses/by-sa/2.0/legalcode
- ----
Mozilla Foundation Security Advisory 2007-35
Title: XPCNativeWrapper pollution using Script object
Impact: Critical
Announced: October 18, 2007
Reporter: moz_bug_r_a4
Products: Firefox, SeaMonkey
Fixed in: Firefox 2.0.0.8
SeaMonkey 1.1.5
Description
Mozilla security researcher moz_bug_r_a4 reported that it was possible
to use the Script object to modify XPCNativeWrappers in such a way
that subsequent access by the browser chrome, such as by
right-clicking to open a context menu, can cause attacker-supplied
JavaScript to run with the same privileges as the user. This is
similar to MFSA 2007-25, fixed in Firefox 2.0.0.5.
References
* https://bugzilla.mozilla.org/show_bug.cgi?id=387881
* CVE-2007-5338
Portions of this content are (c) 1998-2007 by individual mozilla.org
contributors; content available under a Creative Commons license:
http://creativecommons.org/licenses/by-sa/2.0/legalcode
- ----
Mozilla Foundation Security Advisory 2007-36
Title: URIs with invalid %-encoding mishandled by Windows
Impact: Moderate
Announced: October 18, 2007
Reporter: Billy Rios, Nate McFeters, Secunia
Products: Firefox, Thunderbird, SeaMonkey
Fixed in: Firefox 2.0.0.8
Thunderbird 2.0.0.8
SeaMonkey 1.1.5
Description
On Windows XP with Internet Explorer 7 installed several "web related"
URI schemes do not launch the registered protocol-handler if the URI
contains an invalid %-encoded sequence. This was initially reported by
Billy Rios and Nate McFeters with additional investigation by Secunia.
A patch that mitigated the known exploits was shipped with Firefox
2.0.0.6 as described at MFSA 2007-27.
That mitigation did not prevent the incorrect file-handling programs
from launching which left some risk. An additional fix has been
applied to Firefox 2.0.0.8 that detects when Windows would mishandle
these URIs so that the wrong program does not get launched.
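As an added example (not the Firefox patch itself) of the kind of gate the 2.0.0.8 fix describes: before a URI is handed to an OS-registered protocol handler, require a recognised scheme and reject any %-escape that is not followed by exactly two hex digits. The scheme allowlist is an assumption of this example; the advisory does not name the affected schemes.

```javascript
// Added example, not from the advisory or the Mozilla code base.

// Every '%' in a URI must be followed by exactly two hex digits (RFC 3986).
// Returns the offset of the first malformed escape, or -1 if all are valid.
function firstInvalidPercentEscape(uri) {
  for (let i = 0; i < uri.length; i++) {
    if (uri[i] !== "%") continue;
    if (!/^[0-9A-Fa-f]{2}$/.test(uri.slice(i + 1, i + 3))) return i;
    i += 2; // skip the two hex digits just validated
  }
  return -1;
}

// The scheme is the part before the first ':', lower-cased; null if absent.
function schemeOf(uri) {
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(uri);
  return m ? m[1].toLowerCase() : null;
}

// Decide whether a URI may be passed to the external handler for its scheme.
// Returns { allow, reason } so the caller can log why a hand-off was refused.
function checkExternalHandoff(uri, allowedSchemes) {
  const scheme = schemeOf(uri);
  if (!scheme) return { allow: false, reason: "no scheme" };
  if (!allowedSchemes.has(scheme)) {
    return { allow: false, reason: `scheme ${scheme} not allowed` };
  }
  const bad = firstInvalidPercentEscape(uri);
  if (bad !== -1) {
    return { allow: false, reason: `invalid %-escape at offset ${bad}` };
  }
  return { allow: true, reason: "ok" };
}

// Assumed allowlist for this example; constructed, not from the advisory.
const ALLOWED_SCHEMES = new Set(["mailto", "news", "nntp"]);
```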
References
* https://bugzilla.mozilla.org/show_bug.cgi?id=394974
* CVE-2007-4841
Portions of this content are (c) 1998-2007 by individual mozilla.org
contributors; content available under a Creative Commons license:
http://creativecommons.org/licenses/by-sa/2.0/legalcode
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================