===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2012.0162
          Multiple vulnerabilities have been fixed in the latest
         versions of Mozilla Firefox, Thunderbird, and SeaMonkey.
                             21 November 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Firefox
                      Thunderbird
                      SeaMonkey
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Administrator Compromise        -- Remote with User Interaction
                      Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Cross-site Request Forgery      -- Remote with User Interaction
                      Cross-site Scripting            -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Access Confidential Data        -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2012-5843 CVE-2012-5842 CVE-2012-5841
                      CVE-2012-5840 CVE-2012-5839 CVE-2012-5838
                      CVE-2012-5837 CVE-2012-5836 CVE-2012-5835
                      CVE-2012-5833 CVE-2012-5830 CVE-2012-5829
                      CVE-2012-4218 CVE-2012-4217 CVE-2012-4216
                      CVE-2012-4215 CVE-2012-4214 CVE-2012-4213
                      CVE-2012-4212 CVE-2012-4210 CVE-2012-4209
                      CVE-2012-4208 CVE-2012-4207 CVE-2012-4206
                      CVE-2012-4205 CVE-2012-4204 CVE-2012-4203
                      CVE-2012-4202 CVE-2012-4201 
Member content until: Friday, December 21 2012

OVERVIEW

        Multiple vulnerabilities have been fixed in the latest versions of
        Mozilla Firefox, Thunderbird, and SeaMonkey.


IMPACT

        The following information is from the Mozilla website:
        
        CVE-2012-5842 and CVE-2012-5843:
        "Mozilla developers identified and fixed several memory safety bugs in
        the browser engine used in Firefox and other Mozilla-based products.
        Some of these bugs showed evidence of memory corruption under certain
        circumstances, and we presume that with enough effort at least some of
        these could be exploited to run arbitrary code." MFSA2012-91 [1]
        
        CVE-2012-4202:
        "Security researcher Atte Kettunen from OUSPG used the Address Sanitizer
        tool to discover a buffer overflow while rendering GIF format images.
        This issue is potentially exploitable and could lead to arbitrary code
        execution." MFSA2012-92 [2]
        
        CVE-2012-4201:
        "Mozilla security researcher moz_bug_r_a4 reported that if code
        executed by the evalInSandbox function sets location.href, it can get
        the wrong subject principal for the URL check, ignoring the sandbox's
        JavaScript context and gaining the context of evalInSandbox object.
        This can lead to malicious web content being able to perform a
        cross-site scripting (XSS) attack or stealing a copy of a local file
        if the user has installed an add-on vulnerable to this attack."
        MFSA2012-93 [3]
        
        CVE-2012-5836:
        "Security researcher Jonathan Stephens discovered that combining SVG
        text on a path with the setting of CSS properties could lead to a
        potentially exploitable crash." MFSA2012-94 [4]
        
        CVE-2012-4203:
        "Security researcher kakzz.ng@gmail.com reported that if a javascript:
        URL is selected from the list of Firefox "new tab" page, the script
        will inherit the privileges of the privileged "new tab" page. This
        allows for the execution of locally installed programs if a user can be
        convinced to save a bookmark of a malicious javascript: URL."
        MFSA2012-95 [5]
        
        CVE-2012-4204:
        "Security researcher Scott Bell of Security-Assessment.com used the
        Address Sanitizer tool to discover a memory corruption in str_unescape
        in the JavaScript engine. This could potentially lead to arbitrary code
        execution." MFSA2012-96 [6]
        
        CVE-2012-4205:
        "Mozilla developer Gabor Krizsanits discovered that XMLHttpRequest
        objects created within sandboxes have the system principal instead of
        the sandbox principal. This can lead to cross-site request forgery
        (CSRF) or information theft via an add-on running untrusted code in a
        sandbox." MFSA2012-97 [7]
        
        CVE-2012-4206:
        "Security researcher Robert Kugler reported that when a specifically
        named DLL file on a Windows computer is placed in the default downloads
        directory with the Firefox installer, the Firefox installer will load
        this DLL when it is launched. In circumstances where the installer is
        run by an administrator privileged account, this allows for the
        downloaded DLL file to be run with administrator privileges. This can
        lead to arbitrary code execution from a privileged account."
        MFSA2012-98 [8]
        
        CVE-2012-4208:
        "Mozilla developer Peter Van der Beken discovered that same-origin
        XrayWrappers expose chrome-only properties even when not in a chrome
        compartment. This can allow web content to get properties of DOM
        objects that are intended to be chrome-only." MFSA2012-99 [9]
        
        CVE-2012-5841:
        "Mozilla developer Bobby Holley reported that security wrappers filter
        at the time of property access, but once a function is returned, the
        caller can use this function without further security checks. This
        affects cross-origin wrappers, allowing for write actions on objects
        when only read actions should be properly allowed. This can lead to
        cross-site scripting (XSS) attacks." MFSA2012-100 [10]
        
        CVE-2012-4207:
        "Security researcher Masato Kinugawa found when HZ-GB-2312 charset
        encoding is used for text, the "~" character will destroy another
        character near the chunk delimiter. This can lead to a cross-site
        scripting (XSS) attack in pages encoded in HZ-GB-2312."
        MFSA2012-101 [11]
        
        CVE-2012-5837:
        "Security researcher Masato Kinugawa reported that when script is
        entered into the Developer Toolbar, it runs in a chrome privileged
        context. This allows for arbitrary code execution or cross-site
        scripting (XSS) if a user can be convinced to paste malicious code into
        the Developer Toolbar." MFSA2012-102 [12]
        
        CVE-2012-4209:
        "Security researcher Mariusz Mlynski reported that the location
        property can be accessed by binary plugins through top.location with a
        frame whose name attribute's value is set to "top". This can allow for
        possible cross-site scripting (XSS) attacks through plugins."
        MFSA2012-103 [13]
        
        CVE-2012-4210:
        "Security researcher Mariusz Mlynski reported that when a maliciously
        crafted stylesheet is inspected in the Style Inspector, HTML and CSS
        can run in a chrome privileged context without being properly sanitized
        first. This can lead to arbitrary code execution." MFSA2012-104 [14]
        
        CVE-2012-4212, CVE-2012-4213, CVE-2012-4214, CVE-2012-4215,
        CVE-2012-4216, CVE-2012-4217, CVE-2012-4218, CVE-2012-5829,
        CVE-2012-5839, CVE-2012-5840:
        "Security researcher Abhishek Arya (Inferno) of the Google Chrome
        Security Team discovered a series of critically rated use-after-free
        and buffer overflow issues using the Address Sanitizer tool in shipped
        software. These issues are potentially exploitable, allowing for remote
        code execution. We would also like to thank Abhishek for reporting five
        additional use-after-free, out of bounds read, and buffer overflow
        flaws introduced during Firefox development that were fixed before
        general release." MFSA2012-105 [15]
        
        CVE-2012-5830, CVE-2012-5833, CVE-2012-5835, CVE-2012-5838:
        "Security researcher miaubiz used the Address Sanitizer tool to
        discover a series of critically rated use-after-free, buffer overflow,
        and memory corruption issues in shipped software. These issues are
        potentially exploitable, allowing for remote code execution. We would
        also like to thank miaubiz for reporting two additional use-after-free
        and memory corruption issues introduced during Firefox development that
        were fixed before general release." MFSA2012-106 [16]


MITIGATION

        Users should update to the following versions:
            * Firefox 17.0
            * Firefox ESR 10.0.11
            * Thunderbird 17.0
            * Thunderbird ESR 10.0.11
            * SeaMonkey 2.14
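
        An added example, not part of the AusCERT bulletin or Mozilla's
        advisories: checking an inventory against the fixed versions listed
        above, where a single "version >= X" test misclassifies either 16.0.2
        or 10.0.11 ESR. The hosts, inventory and function names are
        constructed, and a 10.0.x version string is assumed to mean the ESR
        branch.

```python
import re

# First fixed version per product, from the MITIGATION list in this bulletin.
# Key () is the mainline release; key (10, 0) is the ESR 10.0.x branch.
FIXED = {
    "firefox": {(): (17, 0, 0), (10, 0): (10, 0, 11)},
    "thunderbird": {(): (17, 0, 0), (10, 0): (10, 0, 11)},
    "seamonkey": {(): (2, 14, 0)},
}

# Constructed sample inventory: (host, product, reported version string).
INVENTORY = [
    ("ws-01", "Firefox", "17.0"),
    ("ws-02", "Firefox", "16.0.2"),       # newer than 10.0.11, still unfixed
    ("ws-03", "Firefox", "10.0.11esr"),   # older than 17.0, but fixed
    ("ws-04", "Thunderbird", "10.0.10"),
    ("ws-05", "SeaMonkey", "2.14"),
    ("ws-06", "Firefox", "17.0b6"),       # pre-release: not classified
]

def parse_version(text):
    """Return a 3+ element tuple of ints, or None if not a plain dotted version."""
    text = text.strip().lower()
    if text.endswith("esr"):
        text = text[:-3]
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))  # "17" and "17.0" both become (17, 0, 0)

def status(product, version_text):
    """Classify one install as 'fixed', 'vulnerable' or 'unknown'."""
    branches = FIXED.get(product.strip().lower())
    version = parse_version(version_text)
    if branches is None or version is None:
        return "unknown"
    # Assumption: a 10.0.x version string means the ESR 10 branch.
    for prefix, fixed in branches.items():
        if prefix and version[:len(prefix)] == prefix:
            return "fixed" if version >= fixed else "vulnerable"
    return "fixed" if version >= branches[()] else "vulnerable"

def audit(inventory):
    """Return {host: status} for every install that is not confirmed fixed."""
    results = {host: status(prod, ver) for host, prod, ver in inventory}
    return {host: s for host, s in results.items() if s != "fixed"}

if __name__ == "__main__":
    for host, s in sorted(audit(INVENTORY).items()):
        print(host, s)
```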


REFERENCES

        [1] Mozilla Foundation Security Advisory 2012-91
            http://www.mozilla.org/security/announce/2012/mfsa2012-91.html

        [2] Mozilla Foundation Security Advisory 2012-92
            http://www.mozilla.org/security/announce/2012/mfsa2012-92.html

        [3] Mozilla Foundation Security Advisory 2012-93
            http://www.mozilla.org/security/announce/2012/mfsa2012-93.html

        [4] Mozilla Foundation Security Advisory 2012-94
            http://www.mozilla.org/security/announce/2012/mfsa2012-94.html

        [5] Mozilla Foundation Security Advisory 2012-95
            http://www.mozilla.org/security/announce/2012/mfsa2012-95.html

        [6] Mozilla Foundation Security Advisory 2012-96
            http://www.mozilla.org/security/announce/2012/mfsa2012-96.html

        [7] Mozilla Foundation Security Advisory 2012-97
            http://www.mozilla.org/security/announce/2012/mfsa2012-97.html

        [8] Mozilla Foundation Security Advisory 2012-98
            http://www.mozilla.org/security/announce/2012/mfsa2012-98.html

        [9] Mozilla Foundation Security Advisory 2012-99
            http://www.mozilla.org/security/announce/2012/mfsa2012-99.html

        [10] Mozilla Foundation Security Advisory 2012-100
             http://www.mozilla.org/security/announce/2012/mfsa2012-100.html

        [11] Mozilla Foundation Security Advisory 2012-101
             http://www.mozilla.org/security/announce/2012/mfsa2012-101.html

        [12] Mozilla Foundation Security Advisory 2012-102
             http://www.mozilla.org/security/announce/2012/mfsa2012-102.html

        [13] Mozilla Foundation Security Advisory 2012-103
             http://www.mozilla.org/security/announce/2012/mfsa2012-103.html

        [14] Mozilla Foundation Security Advisory 2012-104
             http://www.mozilla.org/security/announce/2012/mfsa2012-104.html

        [15] Mozilla Foundation Security Advisory 2012-105
             http://www.mozilla.org/security/announce/2012/mfsa2012-105.html

        [16] Mozilla Foundation Security Advisory 2012-106
             http://www.mozilla.org/security/announce/2012/mfsa2012-106.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================