Date: 25 March 2008
References: ESB-2008.0318 ESB-2008.0321 ESB-2008.0323 ESB-2008.0493 ESB-2008.0697
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AA-2008.0070 AUSCERT Advisory
[Win][UNIX/Linux]
Firefox 2.0.0.13 released fixing several vulnerabilities
26 March 2008
- ---------------------------------------------------------------------------
AusCERT Advisory Summary
------------------------
Product:            Firefox
Operating System:   Windows
                    UNIX variants (UNIX, Linux, OSX)
Impact:             Execute Arbitrary Code/Commands
                    Increased Privileges
                    Cross-site Scripting
                    Provide Misleading Information
                    Reduced Security
Access:             Remote/Unauthenticated
CVE Names:          CVE-2008-1241 CVE-2008-1240 CVE-2008-1238
                    CVE-2008-1237 CVE-2008-1236 CVE-2008-1235
                    CVE-2008-1234 CVE-2008-1233 CVE-2008-1195
                    CVE-2007-4879
Member content until: Wednesday, April 23 2008
OVERVIEW:
Mozilla has released Firefox 2.0.0.13, correcting several
vulnerabilities ranging from cross-site scripting to the execution of
arbitrary code.
IMPACT:
The following vulnerabilities have been corrected in version
2.0.0.13:
o MFSA-2008-19 (CVE-2008-1241) "It was possible to have a background
tab create a borderless XUL pop-up in front of the active tab in
the user's browser. This technique could be used by an attacker to
spoof form elements such as a login prompt for a site opened in a
different tab and steal the user's login credentials for that
site." [1]
o MFSA-2008-18 (CVE-2008-1240, CVE-2008-1195) "Web content fetched
via the jar: protocol can use Java via LiveConnect to open socket
connections to arbitrary ports on the user's machine
('localhost')." [2]
o MFSA-2008-17 (CVE-2007-4879) "The default setting for SSL Client
Authentication, automatically selecting a client certificate on
behalf of the user, creates a potential privacy issue for users by
allowing tracking through client certificates." [3]
o MFSA-2008-16 (CVE-2008-1238) "Security researcher Gregory Fleischer
demonstrated a problem with the HTTP Referer:(sic) header sent with
requests to URLs containing Basic Authentication credentials with
empty usernames. In these cases a number of leading characters,
based on the length of the password in the URL, are removed from the
referrer hostname. Fleischer pointed out that websites which only
check the Referer: header to protect against Cross-Site Request
Forgery (CSRF) could be attacked using this flaw." [4]
o MFSA-2008-15 (CVE-2008-1237, CVE-2008-1236) "Mozilla developers
identified and fixed several stability bugs in the browser engine
used in Firefox and other Mozilla-based products. Some of these
crashes showed evidence of memory corruption under certain
circumstances and we presume that with enough effort at least some
of these could be exploited to run arbitrary code." [5]
o MFSA-2008-14 (CVE-2008-1235, CVE-2008-1234, CVE-2008-1233) "Mozilla
contributors moz_bug_r_a4, Boris Zbarsky, and Johnny Stenback
reported a series of vulnerabilities which allow scripts from page
content to run with elevated privileges. moz_bug_r_a4 demonstrated
additional variants of MFSA 2007-25 and MFSA2007-35 (arbitrary code
execution through XPCNativeWrapper pollution). Additional
vulnerabilities reported separately by Boris Zbarsky, Johnny
Stenback, and moz_bug_r_a4 showed that the browser could be forced
to run JavaScript code using the wrong principal leading to
universal XSS and arbitrary code execution." [6]
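The MFSA-2008-16 item above is a reminder that a server which decides
whether a request is cross-site by looking only at the Referer: header is
trusting a value the browser may omit or, as in that bug, mangle. The
following is an added illustration, not code from AusCERT or Mozilla, of a
server-side check that keeps a per-session synchronizer token as the
mandatory control and uses the Referer only as defence in depth. The host
name, secret, session id and the two sample requests are constructed for
the example.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

SITE_HOST = "example.test"  # hypothetical protected site (constructed)


def referer_only_check(headers: dict) -> bool:
    """The weak pattern MFSA-2008-16 warns about: accept the request when the
    Referer hostname equals our own, and nothing else."""
    ref = headers.get("Referer")
    return bool(ref) and urlsplit(ref).hostname == SITE_HOST


def issue_token(server_secret: bytes, session_id: str) -> str:
    """Synchronizer token bound to the session: HMAC-SHA256(secret, session_id).
    Rendered into the site's own forms, so a cross-site page cannot know it."""
    return hmac.new(server_secret, session_id.encode(), hashlib.sha256).hexdigest()


def token_check(server_secret: bytes, session_id: str, form: dict) -> bool:
    """Constant-time comparison of the submitted token against the expected one."""
    expected = issue_token(server_secret, session_id)
    return hmac.compare_digest(expected, form.get("csrf_token", ""))


def csrf_check(headers: dict, form: dict, server_secret: bytes, session_id: str):
    """Layered check returning (accepted, reason).

    The token is mandatory. A Referer that is present but names another host
    is rejected as well (defence in depth); an absent Referer is tolerated
    because browsers and proxies legitimately strip it."""
    if not token_check(server_secret, session_id, form):
        return False, "missing or invalid CSRF token"
    ref = headers.get("Referer")
    if ref and urlsplit(ref).hostname != SITE_HOST:
        return False, "Referer present but from another host"
    return True, "accepted"


# Constructed sample requests: (headers, form fields)
SECRET = b"server-side-secret-constructed"
SESSION = "sess-1234"
LEGIT = ({"Referer": "https://example.test/account"},
         {"csrf_token": issue_token(SECRET, SESSION), "action": "change_email"})
# A cross-site request whose Referer happens to look like ours (the kind of
# value the MFSA-2008-16 bug could produce) but that cannot carry the token.
FORGED = ({"Referer": "https://example.test/"},
          {"action": "change_email"})

if __name__ == "__main__":
    for name, (hdrs, fields) in (("legit", LEGIT), ("forged", FORGED)):
        print(name, "referer-only:", referer_only_check(hdrs),
              "layered:", csrf_check(hdrs, fields, SECRET, SESSION))
```

Run stand-alone, the script shows the referer-only check accepting both
requests while the layered check rejects the forged one for lacking a
token. The token must be unpredictable to any other origin, which is why it
is derived with a server-held secret rather than from the session id alone.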
MITIGATION:
Users can protect themselves from these vulnerabilities by upgrading
to Firefox 2.0.0.13 which is available for download from the Mozilla
website [7].
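When checking a fleet for the upgrade, a plain string comparison of version
numbers is a classic pitfall ("2.0.0.9" sorts after "2.0.0.13" as text). The
snippet below is an added example, not AusCERT or Mozilla tooling, that
parses the dotted version out of the browser's version banner and compares
it numerically against 2.0.0.13. It assumes that on the UNIX/Linux builds
`firefox --version` prints a line of the form "Mozilla Firefox 2.0.0.13";
the sample banners in the block are constructed.

```python
import re
import subprocess

FIXED_VERSION = (2, 0, 0, 13)  # the release this advisory says corrects the issues


def parse_version(banner: str) -> tuple:
    """Extract the first dotted number from a banner such as
    'Mozilla Firefox 2.0.0.9, Copyright (c) ...' as a tuple of ints."""
    match = re.search(r"(\d+(?:\.\d+)+)", banner)
    if not match:
        raise ValueError(f"no version number found in {banner!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_patched(banner: str, fixed: tuple = FIXED_VERSION) -> bool:
    """True when the installed version is at or above the fixed release.
    Shorter tuples are zero-padded so (2, 0, 1) compares as (2, 0, 1, 0)."""
    installed = parse_version(banner)
    width = max(len(installed), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(installed) >= pad(fixed)


def installed_banner(binary: str = "firefox") -> str:
    """Ask the local binary for its version banner (assumed '--version' flag)."""
    result = subprocess.run([binary, "--version"], capture_output=True,
                            text=True, check=True)
    return result.stdout.strip()


if __name__ == "__main__":
    # Constructed banners standing in for hosts that have and have not upgraded.
    for sample in ("Mozilla Firefox 2.0.0.9, Copyright (c) 1998 - 2008 mozilla.org",
                   "Mozilla Firefox 2.0.0.13"):
        print(sample, "->", "patched" if is_patched(sample) else "NEEDS UPGRADE")
    try:
        print("local:", installed_banner(), "->", is_patched(installed_banner()))
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        print("local firefox not queried:", exc)
```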
REFERENCES:
[1] Mozilla Foundation Security Advisory 2008-19
http://www.mozilla.org/security/announce/2008/mfsa2008-19.html
[2] Mozilla Foundation Security Advisory 2008-18
http://www.mozilla.org/security/announce/2008/mfsa2008-18.html
[3] Mozilla Foundation Security Advisory 2008-17
http://www.mozilla.org/security/announce/2008/mfsa2008-17.html
[4] Mozilla Foundation Security Advisory 2008-16
http://www.mozilla.org/security/announce/2008/mfsa2008-16.html
[5] Mozilla Foundation Security Advisory 2008-15
http://www.mozilla.org/security/announce/2008/mfsa2008-15.html
[6] Mozilla Foundation Security Advisory 2008-14
http://www.mozilla.org/security/announce/2008/mfsa2008-14.html
[7] Firefox Web Browser
http://www.mozilla.com/en-US/firefox/
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBR+nMvih9+71yA2DNAQIVmwP+JMAA32ze5HGcVIrElwDsRKP/Zg6+670d
TjTQPO9y6ttJuIJacY8iAcZCasEZxmLkjYwkEd27zpn/V5PebNDzekIw1w9OfGS0
9WUKskvpHnIoZcsJDRe9FpKvIJ7HaJKNkqdI5PkM9EWP72JsQzPyL6SQ9UnncBV6
NiO/qoGPmgo=
=4uy5
-----END PGP SIGNATURE-----