Hash: SHA1

                         AUSCERT Security Bulletin

          Multiple vulnerabilities have been fixed in the latest
         versions of Mozilla Firefox, Thunderbird, and SeaMonkey.
                             21 November 2012


        AusCERT Security Bulletin Summary

Product:              Firefox
Operating System:     UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Administrator Compromise        -- Remote with User Interaction
                      Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Cross-site Request Forgery      -- Remote with User Interaction
                      Cross-site Scripting            -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Access Confidential Data        -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2012-5843 CVE-2012-5842 CVE-2012-5841
                      CVE-2012-5840 CVE-2012-5839 CVE-2012-5838
                      CVE-2012-5837 CVE-2012-5836 CVE-2012-5835
                      CVE-2012-5833 CVE-2012-5830 CVE-2012-5829
                      CVE-2012-4218 CVE-2012-4217 CVE-2012-4216
                      CVE-2012-4215 CVE-2012-4214 CVE-2012-4213
                      CVE-2012-4212 CVE-2012-4210 CVE-2012-4209
                      CVE-2012-4208 CVE-2012-4207 CVE-2012-4206
                      CVE-2012-4205 CVE-2012-4204 CVE-2012-4203
                      CVE-2012-4202 CVE-2012-4201 
Member content until: Friday, December 21 2012


        Multiple vulnerabilities have been fixed in the latest versions of
        Mozilla Firefox, Thunderbird, and SeaMonkey.


        The following information is from the Mozilla website:
        CVE-2012-5842 and CVE-2012-5843:
        "Mozilla developers identified and fixed several memory safety bugs in
        the browser engine used in Firefox and other Mozilla-based products.
        Some of these bugs showed evidence of memory corruption under certain
        circumstances, and we presume that with enough effort at least some of
        these could be exploited to run arbitrary code." MFSA2012-91 [1]
        "Security researcher Atte Kettunen from OUSPG used the Address Sanitizer
        tool to discover a buffer overflow while rendering GIF format images.
        This issue is potentially exploitable and could lead to arbitrary code
        execution." MFSA2012-92 [2]
        "Mozilla security researcher moz_bug_r_a4 reported that if code
        executed by the evalInSandbox function sets location.href, it can get
        the wrong subject principal for the URL check, ignoring the sandbox's
        Javascript context and gaining the context of evalInSandbox object.
        This can lead to malicious web content being able to perform a
        cross-site scripting (XSS) attack or stealing a copy of a local file
        if the user has installed an add-on vulnerable to this attack."
        MFSA2012-93 [3]
        "Security researcher Jonathan Stephens discovered that combining SVG
        text on a path with the setting of CSS properties could lead to a
        potentially exploitable crash." MFSA2012-94 [4]
        "Security researcher kakzz.ng@gmail.com reported that if a javascript:
        URL is selected from the list of Firefox "new tab" page, the script
        will inherit the privileges of the privileged "new tab" page. This
        allows for the execution of locally installed programs if a user can be
        convinced to save a bookmark of a malicious javascript: URL."
        MFSA2012-95 [5]
        "Security researcher Scott Bell of Security-Assessment.com used the
        Address Sanitizer tool to discover a memory corruption in str_unescape
        in the Javascript engine. This could potentially lead to arbitrary code
        execution." MFSA2012-96 [6]
        "Mozilla developer Gabor Krizsanits discovered that XMLHttpRequest
        objects created within sandboxes have the system principal instead of
        the sandbox principal. This can lead to cross-site request forgery
        (CSRF) or information theft via an add-on running untrusted code in a
        sandbox." MFSA2012-97 [7]
        "Security researcher Robert Kugler reported that when a specifically
        named DLL file on a Windows computer is placed in the default downloads
        directory with the Firefox installer, the Firefox installer will load
        this DLL when it is launched. In circumstances where the installer is
        run by an administrator privileged account, this allows for the
        downloaded DLL file to be run with administrator privileges. This can
        lead to arbitrary code execution from a privileged account."
        MFSA2012-98 [8]
        "Mozilla developer Peter Van der Beken discovered that same-origin
        XrayWrappers expose chrome-only properties even when not in a chrome
        compartment. This can allow web content to get properties of DOM
        objects that are intended to be chrome-only." MFSA2012-99 [9]
        "Mozilla developer Bobby Holley reported that security wrappers filter
         at the time of property access, but once a function is returned, the
        caller can use this function without further security checks. This
        affects cross-origin wrappers, allowing for write actions on objects
        when only read actions should be properly allowed. This can lead to
        cross-site scripting (XSS) attacks." MFSA2012-100 [10]
        "Security researcher Masato Kinugawa found when HZ-GB-2312 charset
        encoding is used for text, the "~" character will destroy another
        character near the chunk delimiter. This can lead to a cross-site
        scripting (XSS) attack in pages encoded in HZ-GB-2312."
        MFSA2012-101 [11]
        "Security researcher Masato Kinugawa reported that when script is
        entered into the Developer Toolbar, it runs in a chrome privileged
        context. This allows for arbitrary code execution or cross-site
        scripting (XSS) if a user can be convinced to paste malicious code into
        the Developer Toolbar." MFSA2012-102 [12]
        "Security researcher Mariusz Mlynski reported that the location
        property can be accessed by binary plugins through top.location with a
        frame whose name attribute's value is set to "top". This can allow for
        possible cross-site scripting (XSS) attacks through plugins."
        MFSA2012-103 [13]
        "Security researcher Mariusz Mlynski reported that when a maliciously
        crafted stylesheet is inspected in the Style Inspector, HTML and CSS
        can run in a chrome privileged context without being properly sanitized
        first. This can lead to arbitrary code execution." MFSA2012-104 [14]
        CVE-2012-4212, CVE-2012-4213, CVE-2012-4214, CVE-2012-4215,
        CVE-2012-4216, CVE-2012-4217, CVE-2012-4218, CVE-2012-5829,
        CVE-2012-5839, CVE-2012-5840:
        "Security researcher Abhishek Arya (Inferno) of the Google Chrome
        Security Team discovered a series critically rated of use-after-free
        and buffer overflow issues using the Address Sanitizer tool in shipped
        software. These issues are potentially exploitable, allowing for remote
        code execution. We would also like to thank Abhishek for reporting five
        additional use-after-free, out of bounds read, and buffer overflow
        flaws introduced during Firefox development that were fixed before
        general release." MFSA2012-105 [15]
        CVE-2012-5830, CVE-2012-5833, CVE-2012-5835, CVE-2012-5838:
        "Security researcher miaubiz used the Address Sanitizer tool to
        discover a series critically rated of use-after-free, buffer overflow,
        and memory corruption issues in shipped software. These issues are
        potentially exploitable, allowing for remote code execution. We would
        also like to thank miaubiz for reporting two additional use-after-free
        and memory corruption issues introduced during Firefox development that
        were fixed before general release." MFSA2012-106 [16]


        Users should update to the following versions:
        	* Firefox 17.0
        	* Firefox ESR 10.0.11
        	* Thunderbird 17.0
        	* Thunderbird ESR 10.0.11
        	* SeaMonkey 2.14


        [1] Mozilla Foundation Security Advisory 2012-91

        [2] Mozilla Foundation Security Advisory 2012-92

        [3] Mozilla Foundation Security Advisory 2012-93

        [4] Mozilla Foundation Security Advisory 2012-94

        [5] Mozilla Foundation Security Advisory 2012-95

        [6] Mozilla Foundation Security Advisory 2012-96

        [7] Mozilla Foundation Security Advisory 2012-97

        [8] Mozilla Foundation Security Advisory 2012-98

        [9] Mozilla Foundation Security Advisory 2012-99

        [10] Mozilla Foundation Security Advisory 2012-100

        [11] Mozilla Foundation Security Advisory 2012-101

        [12] Mozilla Foundation Security Advisory 2012-102

        [13] Mozilla Foundation Security Advisory 2012-103

        [14] Mozilla Foundation Security Advisory 2012-104

        [15] Mozilla Foundation Security Advisory 2012-105

        [16] Mozilla Foundation Security Advisory 2012-106

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967