Date: 25 September 2008
References: ESB-2008.0908 ESB-2008.0910 AU-2008.0019 ESB-2008.1063 ESB-2009.0343
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
A U S C E R T A L E R T
AL-2008.0099 -- AUSCERT ALERT
[Win][UNIX/Linux]
Firefox 3.0.2/2.0.0.17, Thunderbird 2.0.0.17 and SeaMonkey
1.1.12 released to correct multiple vulnerabilities
25 September 2008
===========================================================================
AusCERT Alert Summary
---------------------
Product: Firefox 3.0.1
Firefox 2.0.0.16
Thunderbird 2.0.0.16
SeaMonkey 1.1.11
Publisher: Mozilla
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Impact: Execute Arbitrary Code/Commands
Cross-site Scripting
Provide Misleading Information
Access Privileged Data
Access: Remote/Unauthenticated
CVE Names: CVE-2008-0016 CVE-2008-3835 CVE-2008-3836
CVE-2008-3837 CVE-2008-4058 CVE-2008-4059
CVE-2008-4060 CVE-2008-4061 CVE-2008-4062
CVE-2008-4063 CVE-2008-4064 CVE-2008-4065
CVE-2008-4066 CVE-2008-4067 CVE-2008-4068
CVE-2008-4069
Member content until: Wednesday, October 22 2008
Original Bulletin:
http://www.mozilla.org/security/announce/2008/mfsa2008-37.html
http://www.mozilla.org/security/announce/2008/mfsa2008-38.html
http://www.mozilla.org/security/announce/2008/mfsa2008-39.html
http://www.mozilla.org/security/announce/2008/mfsa2008-40.html
http://www.mozilla.org/security/announce/2008/mfsa2008-41.html
http://www.mozilla.org/security/announce/2008/mfsa2008-42.html
http://www.mozilla.org/security/announce/2008/mfsa2008-43.html
http://www.mozilla.org/security/announce/2008/mfsa2008-44.html
http://www.mozilla.org/security/announce/2008/mfsa2008-45.html
Revision History: September 25 2008: Added additional advisories and
corrected Thunderbird information.
September 24 2008: Initial Release
OVERVIEW
Mozilla has released 9 advisories relating to Firefox,
Thunderbird and SeaMonkey describing 16 a total of vulnerabilities.
Mozilla has rated 4 of these advisories as "Critical", 1 as "High"
2 as "Moderate" and 2 as "Low" Impact.
IMPACT
According to Mozilla, the vulnerabilities corrected in this update
are:
o MFSA 2008-37 (CVE-2008-0016): Errors in URL parsing routines
which "could be exploited using a specially crafted UTF-8 URL in
a hyperlink which could overflow a stack buffer and allow an
attacker to execute arbitrary code." [1]
o MFSA 2008-38 (CVE-2008-3835): "The same-origin check in
nsXMLDocument::OnChannelRedirect() could be bypassed. This
vulnerability could be used to execute JavaScript in the context
of a different website." [2]
o MFSA 2008-39 (CVE-2008-3836): "Vulnerabilities in feedWriter
which allow scripts from page content to run with chrome
privileges." [3]
o MFSA 2008-40 (CVE-2008-3837): "The vulnerability allowed an
attacker to move the content window while the mouse was being
clicked, causing an item to be dragged rather than clicked-on.
This issue could potentially be used to force a user to download
a file or perform other drag-and-drop actions." [4]
o MFSA 2008-41 (CVE-2008-4058, CVE-2008-4059, CVE-2008-4060):
"There were a series of vulnerabilities by which page content can
pollute XPCNativeWrappers and have arbitrary code run with chrome
privileges." and an "XSLT can create documents which do not have
script handling objects. moz_bug_r_a4 also reported that
document.loadBindingDocument() returns a document that does not
have a script handling object. These issues could also be used by
an attacker to run arbitrary script with chrome privileges." [5]
o MFSA 2008-42 (CVE-2008-4061, CVE-2008-4062, CVE-2008-4063,
CVE-2008-4064): "Stability bugs in the browser engine used in
Firefox and other Mozilla-based products. Some of these crashes
showed evidence of memory corruption under certain circumstances
and we presume that with enough effort at least some of these
could be exploited to run arbitrary code." [6]
o MFSA 2008-43 (CVE-2008-4065, CVE-2008-4066): "BOM characters are
stripped from JavaScript code before it is executed. This can
lead to code, which would otherwise be treated as part of a
quoted string, to be executed" as well as "an issue with the HTML
parser in which the parser ignored certain low surrogate
characters if they were HTML-escaped." These issues could
potentially be used by an attacker to bypass or evade script
filters and perform an XSS attack. [7]
o MFSA 2008-44 (CVE-2008-4067, CVE-2008-4068): "The resource:
protocol allowed directory traversal on Linux when using
URL-encoded slashes and restrictions imposed on local HTML files
could be bypassed using the resource: protocol." [8]
o MFSA 2008-45 (CVE-2008-4069): "a bug in the XBM decoder that
allowed random small chunks of uninitialized memory to be read."
[9]
More information regarding these vulnerabilities can be found in the
original advisory.
MITIGATION
These vulnerabilities have been fixed in Firefox 2.0.0.17,
Firefox 3.0.2 and SeaMonkey 1.1.12. Updated versions of these
programs are available from the Mozilla web site.
There is not yet an updated release of Thunderbird 2.0.0.17.
Mozilla has recommended ensuring that JavaScript is not rendered by
Thunderbird. By default, JavaScript is not enabled in Thunderbird.
REFERENCES
[1] Mozilla Foundation Security Advisory 2008-37
http://www.mozilla.org/security/announce/2008/mfsa2008-37.html
[2] Mozilla Foundation Security Advisory 2008-38
http://www.mozilla.org/security/announce/2008/mfsa2008-38.html
[3] Mozilla Foundation Security Advisory 2008-39
http://www.mozilla.org/security/announce/2008/mfsa2008-39.html
[4] Mozilla Foundation Security Advisory 2008-40
http://www.mozilla.org/security/announce/2008/mfsa2008-40.html
[5] Mozilla Foundation Security Advisory 2008-41
http://www.mozilla.org/security/announce/2008/mfsa2008-41.html
[6] Mozilla Foundation Security Advisory 2008-42
http://www.mozilla.org/security/announce/2008/mfsa2008-42.html
[7] Mozilla Foundation Security Advisory 2008-43
http://www.mozilla.org/security/announce/2008/mfsa2008-43.html
[8] Mozilla Foundation Security Advisory 2008-44
http://www.mozilla.org/security/announce/2008/mfsa2008-44.html
[9] Mozilla Foundation Security Advisory 2008-45
http://www.mozilla.org/security/announce/2008/mfsa2008-45.html
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBSNsAkCh9+71yA2DNAQJ8qgP/f9pGgXFu0L7fYLrHqRmeQKsMST1Ie/jJ
jw8oqSHrDRx0hu8rlisp5nERRJuXGGRjLrBEa9cwCPMibCVBaw9rUoyN24dsn1Wm
P0S2OzbPoHvMRb6M9IxLtKrWrdbV3P9tZ0J0J1NiMQsn4N1snvA6Kdp+VDKF4O29
FF3+olhfwYo=
=BSS0
-----END PGP SIGNATURE-----
|