
ASB-2014.0084 - [Win][UNIX/Linux][Android] Mozilla Firefox, Mozilla Firefox ESR and Thunderbird: Multiple vulnerabilities

Date: 23 July 2014
References: ESB-2014.1210  ESB-2014.1211  ESB-2014.1212  ESB-2014.1221  ESB-2014.1292  ESB-2014.1530  ESB-2014.1689  ESB-2014.2128  


                         AUSCERT Security Bulletin

        A number of vulnerabilities have been identified in Mozilla
               Firefox, Mozilla Firefox ESR and Thunderbird.
                               23 July 2014


        AusCERT Security Bulletin Summary

Product:              Mozilla Firefox
                      Mozilla Firefox ESR
                      Mozilla Thunderbird
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Provide Misleading Information  -- Remote with User Interaction
                      Access Confidential Data        -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2014-1561 CVE-2014-1560 CVE-2014-1559
                      CVE-2014-1558 CVE-2014-1557 CVE-2014-1556
                      CVE-2014-1555 CVE-2014-1552 CVE-2014-1551
                      CVE-2014-1550 CVE-2014-1549 CVE-2014-1548
                      CVE-2014-1547 CVE-2014-1544 
Member content until: Friday, August 22 2014


        A number of vulnerabilities have been identified in Mozilla
        Firefox, Mozilla Firefox ESR and Thunderbird. [1]


        The vendor has provided the following details regarding these 
        "CVE-2014-1547,CVE-2014-1548: Mozilla developers and community 
        identified and fixed several memory safety bugs in the 
        browser engine used in Firefox and other Mozilla-based products. 
        Some of these bugs showed evidence of memory corruption under 
        certain circumstances, and we presume that with enough effort at 
        least some of these could be exploited to run arbitrary code." [2]
        "CVE-2014-1549: Using the Address Sanitizer tool, security 
        researcher Atte Kettunen from OUSPG discovered a buffer overflow 
        during interaction with the Web Audio buffer for playback because of
        an error in the amount of allocated memory for buffers. This 
        leads to a potentially exploitable crash with some audio 
        "CVE-2014-1550: Using the Address Sanitizer tool, security 
        researcher Atte Kettunen from OUSPG discovered a use-after-free in 
        Web Audio due to an issue with how control messages for Web Audio 
        are ordered and processed. This leads to a potentially exploitable 
        crash." [4]
        "CVE-2014-1551: Mozilla community member James Kitchener reported a
        crash in DirectWrite when rendering MathML content with specific 
        fonts due to an error in how font resources and tables are handled.
        This leads to use-after-free of a DirectWrite font-face object, 
        resulting in a potentially exploitable crash." [5]
        "CVE-2014-1561: Mozilla developers David Chan and Gijs Kruitbosch 
        reported that it is possible to create a drag and drop event in web
        content which mimics the behavior of a chrome customization event. 
        This can occur when a user is customizing a page or panel. This 
        results in a limited ability to move UI icons within the visible 
        window but does not otherwise affect customization or window 
        content." [6]
        "CVE-2014-1555: Security researcher Jethro Beekman of the University
        of California, Berkeley reported a crash when the FireOnStateChange
        event is triggered in some circumstances. This leads to a 
        use-after-free and a potentially exploitable crash when it occurs."
        "CVE-2014-1556: Developer Patrick Cozzi reported a crash in some 
        circumstances when using the Cesium JavaScript library to generate 
        WebGL content. Mozilla developers determined that this crash is 
        potentially exploitable." [8]
        "CVE-2014-1544: Security researchers Tyson Smith and Jesse 
        Schwartzentruber used the Address Sanitizer tool while fuzzing to 
        discover a use-after-free error resulting in a crash. This is a 
        result of a pair of NSSCertificate structures being added to a trust
        domain and then one of them is removed while they are still in use 
        by the trusted cache. This crash is potentially exploitable." [9]
        "CVE-2014-1557: Mozilla community member John reported a crash in 
        the Skia library when scaling high quality images if the scaling 
        operation takes too long. This is caused by the image data being 
        discarded while still in use by the scaling operation. This crash is
        potentially exploitable on some systems." [10]
        "CVE-2014-1558, CVE-2014-1559, CVE-2014-1560: Mozilla security 
        researcher Christian Holler discovered several issues while fuzzing
        the parsing of SSL certificates. Two of these issues were a result 
        of using characters that are not UTF-8 in certificates when various
        functions expected all strings to be UTF-8 format. The third issue 
        was a result of using characters that were not ASCII in certificates
        while a function expected only ASCII formatted text. All of these 
        issues cause the certificates to be incorrectly parsed, leading to
        a potential inability to use valid SSL certificates." [11]
        "CVE-2014-1552: Mozilla developer Boris Zbarsky discovered an issue
        where network-level redirects cause an <iframe> sandbox to forget 
        its unique origin and behave as if the allow-same-origin keyword 
        were applied. This allows the sandboxed content to access other 
        content from the same origin without explicit approval." [12]
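The three certificate-parsing issues above (CVE-2014-1558, CVE-2014-1559 and CVE-2014-1560) share one root cause: code trusted that a certificate string matched the character set its DER tag declared. As an added illustration (not Mozilla's or AusCERT's code), the Python below decodes the attribute strings of an X.509 Name and rejects the input when a UTF8String is not valid UTF-8 or a PrintableString/IA5String carries a non-ASCII byte; it assumes short-form DER lengths and uses constructed sample Names.

```python
UTF8_STRING, PRINTABLE_STRING, IA5_STRING = 0x0C, 0x13, 0x16  # DER string tags

class CertParseError(ValueError):
    """Encoding does not match the string tag, or the DER itself is malformed."""

def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos (short-form lengths only, assumed here)."""
    if pos + 2 > len(buf) or buf[pos + 1] & 0x80:
        raise CertParseError("truncated element or unsupported long-form length")
    tag, length = buf[pos], buf[pos + 1]
    value = buf[pos + 2:pos + 2 + length]
    if len(value) != length:
        raise CertParseError("truncated element")
    return tag, value, pos + 2 + length

def decode_string(tag, value):
    """Decode a DER string value, enforcing the tag's declared character set."""
    if tag == UTF8_STRING:
        try:
            return value.decode("utf-8")
        except UnicodeDecodeError as exc:
            raise CertParseError("UTF8String holds invalid UTF-8") from exc
    if tag in (PRINTABLE_STRING, IA5_STRING):  # both are ASCII-only types
        if any(b > 0x7F for b in value):
            raise CertParseError("ASCII-only string holds a non-ASCII byte")
        return value.decode("ascii")
    raise CertParseError("unsupported string tag 0x%02x" % tag)

def parse_name_strings(der):
    """Walk a DER Name (SEQUENCE of SET of SEQUENCE{OID, string}); return values."""
    values, pos = [], 0
    _, seq, _ = _read_tlv(der, 0)
    while pos < len(seq):
        _, rdn_set, pos = _read_tlv(seq, pos)
        _, atv, _ = _read_tlv(rdn_set, 0)
        _, _oid, p = _read_tlv(atv, 0)  # attribute type OID, not decoded here
        tag, val, _ = _read_tlv(atv, p)
        values.append(decode_string(tag, val))
    return values

def is_valid_name(der):
    """True when every attribute string in the Name matches its declared encoding."""
    try:
        return parse_name_strings(der) is not None
    except CertParseError:
        return False

# Constructed samples: CN (2.5.4.3) as UTF8String "café"; the same CN with an
# invalid UTF-8 byte 0xFF; and as PrintableString carrying non-ASCII byte 0xE9.
GOOD_NAME = bytes.fromhex("3010310e300c06035504030c05636166c3a9")
BAD_UTF8_NAME = bytes.fromhex("300f310d300b06035504030c04636166ff")
BAD_PRINTABLE_NAME = bytes.fromhex("300f310d300b06035504031304636166e9")
```

A parser built this way fails closed on a malformed certificate, which is the behaviour the fixed Mozilla builds restore.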


        It is recommended that users update to the latest versions of 
        Mozilla Firefox, Firefox ESR and Thunderbird to correct these 
        issues. [1 - 12]


        [1] Security Advisories for Firefox

        [2] Mozilla Foundation Security Advisory 2014-56

        [3] Mozilla Foundation Security Advisory 2014-57

        [4] Mozilla Foundation Security Advisory 2014-58

        [5] Mozilla Foundation Security Advisory 2014-59

        [6] Mozilla Foundation Security Advisory 2014-60

        [7] Mozilla Foundation Security Advisory 2014-61

        [8] Mozilla Foundation Security Advisory 2014-62

        [9] Mozilla Foundation Security Advisory 2014-63

        [10] Mozilla Foundation Security Advisory 2014-64

        [11] Mozilla Foundation Security Advisory 2014-65

        [12] Mozilla Foundation Security Advisory 2014-66

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email:
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.