===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2011.0100
        A number of vulnerabilities have been identified in Mozilla
                      Firefox and Mozilla Thunderbird
                              9 November 2011

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Mozilla Firefox
                      Mozilla Thunderbird
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Increased Privileges            -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Access Confidential Data        -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2011-3655 CVE-2011-3654 CVE-2011-3653
                      CVE-2011-3652 CVE-2011-3651 CVE-2011-3650
                      CVE-2011-3649 CVE-2011-3648 
Member content until: Friday, December  9 2011

OVERVIEW

        A number of vulnerabilities have been identified in Mozilla Firefox
        prior to versions 8.0 and 3.6.24, and Mozilla Thunderbird prior to 
        versions 8.0 and 3.6.16.


IMPACT

        The vendor has provided the following details regarding a vulnerability 
        which affects Mozilla Firefox prior to version 3.6.24 and Mozilla 
        Thunderbird prior to version 3.6.16:
        
        CVE-2011-3647: "Mozilla security researcher moz_bug_r_a4 reported that 
        the problem described in MFSA 2011-43 and fixed in Firefox 7 also 
        affected Firefox 3.6: a malicious page could potentially exploit a 
        Firefox user who had installed an add-on that used loadSubscript in 
        vulnerable ways." [1]
        
        The vendor has provided the following details regarding 
        vulnerabilities which affect Mozilla Firefox prior to versions 3.6.24 
        and 8.0, and Mozilla Thunderbird prior to versions 3.6.16 and 8.0:
        
        CVE-2011-3648: "Yosuke Hasegawa reported that the Mozilla browser 
        engine mishandled invalid sequences in the Shift-JIS encoding. When 
        encountering an invalid pair Mozilla would turn the entire two-byte 
        sequence into a single unknown character rather than an unknown 
        character followed by a valid single-byte character. On some sites 
        attackers may have been able to end their input with the first byte 
        of a two byte sequence; when that input was later put into a page 
        context it might cause the following delimiter (such as a double-quote) 
        to be consumed, breaking the format of the page. Depending on the page 
        this could potentially be used to steal data or inject script into the 
        page." [2]
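
        Added example, not part of the vendor advisory or Mozilla's code: a
        Shift-JIS decoder in Python that models the two behaviours described
        in the CVE-2011-3648 text above, with a server-side well-formedness
        check for input. The function names, the simplified byte ranges and
        the sample page are assumptions constructed for illustration.

```python
REPLACEMENT = "\ufffd"  # the "unknown character"

def is_lead(b):
    # First byte of a two-byte Shift-JIS sequence (simplified model).
    return 0x81 <= b <= 0x9F or 0xE0 <= b <= 0xFC

def is_trail(b):
    # Valid second byte; note that '"' (0x22) and '<' (0x3C) are NOT valid.
    return 0x40 <= b <= 0x7E or 0x80 <= b <= 0xFC

def decode_sjis(data, consume_invalid_pair):
    """consume_invalid_pair=True models the pre-fix handling of bad pairs."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))                      # plain ASCII
            i += 1
        elif not is_lead(b):
            # Half-width katakana (0xA1-0xDF) or an unassigned single byte.
            out.append(bytes([b]).decode("shift_jis", errors="replace"))
            i += 1
        elif i + 1 < len(data) and is_trail(data[i + 1]):
            out.append(data[i:i + 2].decode("shift_jis", errors="replace"))
            i += 2
        else:
            out.append(REPLACEMENT)
            # Pre-fix: the following byte is swallowed with the lead byte.
            # Fixed: only the lead byte is replaced; the next byte is kept.
            i += 2 if consume_invalid_pair and i + 1 < len(data) else 1
    return "".join(out)

def is_well_formed(data):
    """Server-side check: every lead byte is followed by a valid trail byte."""
    i = 0
    while i < len(data):
        if is_lead(data[i]):
            if i + 1 >= len(data) or not is_trail(data[i + 1]):
                return False
            i += 2
        else:
            i += 1
    return True

# Constructed sample: a field value ending in a lone lead byte, placed
# between the page's own double-quote delimiters.
USER_INPUT = b"abc\x82"
PAGE = b'<input value="' + USER_INPUT + b'" name="q">'
```

        With the pre-fix handling the attribute's closing quote disappears
        from the decoded page; rejecting input for which is_well_formed()
        is false removes the dependency on how the client decodes it.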
        
        CVE-2011-3650: "Marc Schoenefeld reported a crash when using Firebug to 
        profile a JavaScript file with many functions. It may be possible to 
        trigger this crash without the use of debugging APIs, and if so this 
        could be exploitable." [3]
        
        The vendor has provided the following details regarding 
        vulnerabilities which affect Mozilla Firefox prior to version 8.0 
        and Mozilla Thunderbird prior to version 8.0:
        
        CVE-2011-3651, CVE-2011-3652, CVE-2011-3654: "Mozilla developers fixed 
        several memory safety bugs in the browser engine used in Firefox and 
        other Mozilla-based products. Some of these bugs showed evidence of 
        memory corruption under certain circumstances, and we presume that with 
        enough effort at least some of these could be exploited to run 
        arbitrary code. In general these flaws cannot be exploited through 
        email in the Thunderbird and SeaMonkey products because scripting is 
        disabled, but are potentially a risk in browser or browser-like 
        contexts in those products." [4]
        
        CVE-2011-3649: "Mozilla developer Bas Schouten reported that the 
        introduction of the "Azure" graphics back-end on Windows in Firefox 7 
        re-introduced the cross-origin data theft issue reported by 
        nasalislarvatus3000 as described in MFSA 2011-29." [5]
        
        CVE-2011-3653: "Claus Wahlers reported that random images from GPU 
        memory were showing up in WebGL textures. Once incorporated into the 
        WebGL graphics it is possible for a site to programmatically read the 
        image data and potentially gain sensitive data from other things that 
        had been displayed earlier. This problem is due to a bug in the driver 
        for Intel integrated GPUs on recent Mac OS X hardware, and the problem 
        can be seen in WebGL implementations from other vendors. Mozilla has 
        implemented a work-around to prevent this from happening with this 
        hardware-driver combination." [6]
        
        CVE-2011-3655: "Mozilla security researcher moz_bug_r_a4 reported that 
        an internal privilege check failed to respect the NoWaiverWrappers 
        introduced with Firefox 4. This could result in elevated privilege 
        being granted to web content." [7]


MITIGATION

        The vendor recommends that users upgrade to the latest version of
        Mozilla Firefox and Mozilla Thunderbird. [8, 9]
        
        Regarding the 3.6.x branch of Mozilla Firefox, the vendor has stated: 
        "Firefox 3.6.x will be maintained with security and stability updates 
        for a short amount of time. All users are strongly encouraged to 
        upgrade to the latest version of Firefox." [10]
        
        Regarding the 3.6.x branch of Mozilla Thunderbird, the vendor has 
        stated: "Thunderbird 3.1.x will be maintained with security and 
        stability releases for a short period of time. All users are strongly 
        encouraged to upgrade to the latest Thunderbird release." [11]


REFERENCES

        [1] Mozilla Foundation Security Advisory 2011-46
            http://www.mozilla.org/security/announce/2011/mfsa2011-46.html

        [2] Mozilla Foundation Security Advisory 2011-47
            http://www.mozilla.org/security/announce/2011/mfsa2011-47.html

        [3] Mozilla Foundation Security Advisory 2011-49
            http://www.mozilla.org/security/announce/2011/mfsa2011-49.html

        [4] Mozilla Foundation Security Advisory 2011-48
            http://www.mozilla.org/security/announce/2011/mfsa2011-48.html

        [5] Mozilla Foundation Security Advisory 2011-50
            http://www.mozilla.org/security/announce/2011/mfsa2011-50.html

        [6] Mozilla Foundation Security Advisory 2011-51
            http://www.mozilla.org/security/announce/2011/mfsa2011-51.html

        [7] Mozilla Foundation Security Advisory 2011-52
            http://www.mozilla.org/security/announce/2011/mfsa2011-52.html

        [8] Firefox Release Notes
            http://www.mozilla.org/en-US/firefox/8.0/releasenotes/

        [9] Thunderbird Release Notes
            https://www.mozilla.org/en-US/thunderbird/8.0/releasenotes/

        [10] Download Firefox 3.6
             http://www.mozilla.org/en-US/firefox/all-older.html

        [11] Download Thunderbird 3.1
             http://www.mozilla.org/en-US/thunderbird/all-older.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================