ASB-2014.0066 - [Win][UNIX/Linux][Android] Mozilla Firefox, Mozilla Firefox ESR and Thunderbird: Multiple vulnerabilities

Date: 11 June 2014
References: ESB-2014.0942  ESB-2014.0958  ESB-2014.0990  


                         AUSCERT Security Bulletin

        A number of vulnerabilities have been identified in Mozilla
               Firefox, Mozilla Firefox ESR and Thunderbird
                               11 June 2014


        AusCERT Security Bulletin Summary

Product:              Mozilla Firefox
                      Mozilla Firefox ESR
                      Mozilla Thunderbird
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Provide Misleading Information  -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2014-1543 CVE-2014-1542 CVE-2014-1541
                      CVE-2014-1540 CVE-2014-1539 CVE-2014-1538
                      CVE-2014-1537 CVE-2014-1536 CVE-2014-1534
Member content until: Friday, July 11 2014


        A number of vulnerabilities have been identified in Mozilla
        Firefox, Mozilla Firefox ESR and Thunderbird.


        The vendor has provided the following details regarding these
        vulnerabilities:

        CVE-2014-1533, CVE-2014-1534: "Mozilla developers and community
        identified and fixed several memory safety bugs in the
        browser engine used in Firefox and other Mozilla-based products.
        Some of these bugs showed evidence of memory corruption under
        certain circumstances, and we presume that with enough effort at
        least some of these could be exploited to run arbitrary code." [1]

        CVE-2014-1536, CVE-2014-1537, CVE-2014-1538: "Security researcher
        Abhishek Arya (Inferno) of the Google Chrome Security Team
        discovered a number of use-after-free and out of bounds read issues
        using the Address Sanitizer tool. These issues are potentially
        exploitable, allowing for remote code execution." [2]

        CVE-2014-1539: "Security researcher Jordi Chancel reported a
        mechanism where the cursor can be rendered invisible after it has
        been used on an embedded flash object when used outside of the
        object. This flaw can be used in combination with an image of the
        cursor manipulated through JavaScript, leading to clickjacking
        during interactions with HTML content subsequently. This issue only
        affects OS X and is not present on Windows or Linux systems." [3]

        CVE-2014-1540: "Security researchers Tyson Smith and Jesse
        Schwartzentruber of the BlackBerry Security Automated Analysis Team
        used the Address Sanitizer tool while fuzzing to discover a
        use-after-free in the event listener manager. This can be triggered
        by web content and leads to a potentially exploitable crash. This
        issue was introduced in Firefox 29 and does not affect earlier
        versions." [4]

        CVE-2014-1541: "Security researcher Nils used the Address Sanitizer
        to discover a use-after-free problem with the SMIL Animation
        Controller when interacting with and rendering improperly formed web
        content. This causes a potentially exploitable crash." [5]

        CVE-2014-1542: "Security researcher Holger Fuhrmannek used
        the Address Sanitizer tool to discover a buffer overflow with the
        Speex resampler in Web Audio when working with audio content that
        exceeds expected bounds. This leads to a potentially exploitable
        crash." [6]

        CVE-2014-1543: "Security researcher Looben Yang reported a buffer
        overflow in Gamepad API when it is exercised with a gamepad device
        with non-contiguous axes. This can be either an actual physical
        device or by the installation of a virtual gamepad. This results in
        a potentially exploitable crash. The Gamepad API was introduced in
        Firefox 29 and this issue does not affect earlier versions." [7]


        It is recommended that users update to the latest versions of 
        Mozilla Firefox, Firefox ESR and Thunderbird to correct these 
        issues. [1-7]


        [1] Mozilla Foundation Security Advisory 2014-48

        [2] Mozilla Foundation Security Advisory 2014-49

        [3] Mozilla Foundation Security Advisory 2014-50

        [4] Mozilla Foundation Security Advisory 2014-51

        [5] Mozilla Foundation Security Advisory 2014-52

        [6] Mozilla Foundation Security Advisory 2014-53

        [7] Mozilla Foundation Security Advisory 2014-54

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email:
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.