copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login





 

ESB-2005.0196 -- RHSA-2005:176-01 -- Critical: firefox security update

Date: 02 March 2005

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                     ESB-2005.0196 -- RHSA-2005:176-01
                     Critical: firefox security update
                               2 March 2005

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Mozilla Firefox 1.0 and prior
Publisher:         Red Hat
Operating System:  UNIX variants
                   Linux variants
                   Windows
                   Mac OS X
Impact:            Execute Arbitrary Code/Commands
                   Provide Misleading Information
                   Inappropriate Access
                   Modify Permissions
                   Access Privileged Data
Access:            Remote/Unauthenticated
                   Existing Account
CVE Names:         CAN-2005-0593 CAN-2005-0592 CAN-2005-0591
                   CAN-2005-0590 CAN-2005-0589 CAN-2005-0588
                   CAN-2005-0586 CAN-2005-0585 CAN-2005-0584
                   CAN-2005-0578 CAN-2005-0527 CAN-2005-0255
                   CAN-2005-0233 CAN-2005-0232 CAN-2005-0231
                   CAN-2004-1156

Original Bulletin: https://rhn.redhat.com/errata/RHSA-2005-176.html
                   http://www.mozilla.org/projects/security/known-vulnerabilities.html#Firefox

Comment: Mozilla Firefox version 1.0.1 is not vulnerable to these problems. To
         upgrade your version of Firefox, either follow the instructions in
         this bulletin or go to:
         
            http://www.mozilla.org/products/firefox/all.html
         
         and select the appropriate installer for your operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Critical: firefox security update
Advisory ID:       RHSA-2005:176-01
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2005-176.html
Issue date:        2005-03-01
Updated on:        2005-03-01
Product:           Red Hat Enterprise Linux
CVE Names:         CAN-2004-1156 CAN-2005-0231 CAN-2005-0232 CAN-2005-0233 CAN-2005-0255 CAN-2005-0527 CAN-2005-0578 CAN-2005-0584 CAN-2005-0585 CAN-2005-0586 CAN-2005-0588 CAN-2005-0589 CAN-2005-0590 CAN-2005-0591 CAN-2005-0592 CAN-2005-0593
- - ---------------------------------------------------------------------

1. Summary:

Updated firefox packages that fix various bugs are now available.

This update has been rated as having critical security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Problem description:

Mozilla Firefox is an open source Web browser.

A bug was found in the Firefox string handling functions. If a malicious
website is able to exhaust a system's memory, it becomes possible to
execute arbitrary code. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2005-0255 to this issue.

A bug was found in the way Firefox handles pop-up windows. It is possible
for a malicious website to control the content in an unrelated site's
pop-up window. (CAN-2004-1156)

A bug was found in the way Firefox allows plug-ins to load privileged
content into a frame. It is possible that a malicious webpage could trick a
user into clicking in certain places to modify configuration settings or
execute arbitrary code. (CAN-2005-0232 and CAN-2005-0527).

A flaw was found in the way Firefox displays international domain names. It
is possible for an attacker to display a valid URL, tricking the user into
thinking they are viewing a legitimate webpage when they are not.
(CAN-2005-0233)

A bug was found in the way Firefox handles plug-in temporary files. A
malicious local user could create a symlink to a victims directory, causing
it to be deleted when the victim exits Firefox. (CAN-2005-0578)

A bug has been found in one of Firefox's UTF-8 converters. It may be
possible for an attacker to supply a specially crafted UTF-8 string to the
buggy converter, leading to arbitrary code execution. (CAN-2005-0592)

A bug was found in the Firefox javascript security manager. If a user drags
a malicious link to a tab, the javascript security manager is bypassed
which could result in remote code execution or information disclosure.
(CAN-2005-0231)

A bug was found in the way Firefox displays the HTTP authentication prompt.
When a user is prompted for authentication, the dialog window is displayed
over the active tab, regardless of the tab that caused the pop-up to appear
and could trick a user into entering their username and password for a
trusted site.  (CAN-2005-0584)

A bug was found in the way Firefox displays the save file dialog. It is
possible for a malicious webserver to spoof the Content-Disposition header,
tricking the user into thinking they are downloading a different filetype.
(CAN-2005-0586)

A bug was found in the way Firefox handles users "down-arrow" through auto
completed choices. When an autocomplete choice is selected, the information
is copied into the input control, possibly allowing a malicious web site to
steal information by tricking a user into arrowing through autocompletion
choices. (CAN-2005-0589)

Several bugs were found in the way Firefox displays the secure site icon.
It is possible that a malicious website could display the secure site icon
along with incorrect certificate information. (CAN-2005-0593)

A bug was found in the way Firefox displays the download dialog window. A
malicious site can obfuscate the content displayed in the source field,
tricking a user into thinking they are downloading content from a trusted
source. (CAN-2005-0585)

A bug was found in the way Firefox handles xsl:include and xsl:import
directives. It is possible for a malicious website to import XSLT
stylesheets from a domain behind a firewall, leaking information to an
attacker. (CAN-2005-0588)

A bug was found in the way Firefox displays the installation confirmation
dialog. An attacker could add a long user:pass before the true hostname,
tricking a user into thinking they were installing content from a trusted
source. (CAN-2005-0590)

A bug was found in the way Firefox displays download and security dialogs.
An attacker could cover up part of a dialog window tricking the user into
clicking "Allow" or "Open", which could potentially lead to arbitrary code
execution. (CAN-2005-0591)

Users of Firefox are advised to upgrade to this updated package which
contains Firefox version 1.0.1 and is not vulnerable to these issues.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.  Use Red Hat
Network to download and update your packages.  To launch the Red Hat
Update Agent, use the following command:

    up2date

For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization
guide specific to your system:

    http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/):

147727 - CAN-2005-0232 fireflashing vulnerability (CAN-2005-0527)
149876 - CAN-2005-0255 Memory overwrite in string library
147735 - CAN-2005-0231 firefox javascript tab security bypass
147402 - CAN-2005-0233 homograph spoofing
142506 - CAN-2004-1156 Frame injection vulnerability.
144216 - CAN-2005-0585 download dialog URL spoofing
149923 - CAN-2005-0578 Unsafe /tmp/plugtmp directory exploitable to erase user's files
149929 - CAN-2005-0584 HTTP auth prompt tab spoofing
149930 - CAN-2005-0586 Download dialog spoofing using Content-Disposition header
149931 - CAN-2005-0588 XSLT can include stylesheets from arbitrary hosts
149934 - CAN-2005-0589 Autocomplete data leak
149936 - CAN-2005-0590 Install source spoofing with user:pass@host
149937 - CAN-2005-0591 Spoofing download and security dialogs with overlapping windows
149938 - CAN-2005-0592 Heap overflow possible in UTF8 to Unicode conversion
149939 - CAN-2005-0593 SSL "secure site" indicator spoofing

6. RPMs required:

Red Hat Enterprise Linux AS version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/firefox-1.0.1-1.4.3.src.rpm
8a6aedb095f62077e64124ddc577b9fb  firefox-1.0.1-1.4.3.src.rpm

i386:
b892ffeb126d1ef24f2c9059650d1000  firefox-1.0.1-1.4.3.i386.rpm

ia64:
303645b51596c4d7d0f0de81c3efdf4b  firefox-1.0.1-1.4.3.ia64.rpm

ppc:
7b3535d928649b7e2ae3c594fa4635bd  firefox-1.0.1-1.4.3.ppc.rpm

s390:
73ea97180b4ca648b996c3e33e4b8ed8  firefox-1.0.1-1.4.3.s390.rpm

s390x:
5cacc37451e98bcc57134d5e4fb9542b  firefox-1.0.1-1.4.3.s390x.rpm

x86_64:
5d826defe063b94510651a6b68e6e719  firefox-1.0.1-1.4.3.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/firefox-1.0.1-1.4.3.src.rpm
8a6aedb095f62077e64124ddc577b9fb  firefox-1.0.1-1.4.3.src.rpm

i386:
b892ffeb126d1ef24f2c9059650d1000  firefox-1.0.1-1.4.3.i386.rpm

x86_64:
5d826defe063b94510651a6b68e6e719  firefox-1.0.1-1.4.3.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/firefox-1.0.1-1.4.3.src.rpm
8a6aedb095f62077e64124ddc577b9fb  firefox-1.0.1-1.4.3.src.rpm

i386:
b892ffeb126d1ef24f2c9059650d1000  firefox-1.0.1-1.4.3.i386.rpm

ia64:
303645b51596c4d7d0f0de81c3efdf4b  firefox-1.0.1-1.4.3.ia64.rpm

x86_64:
5d826defe063b94510651a6b68e6e719  firefox-1.0.1-1.4.3.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/firefox-1.0.1-1.4.3.src.rpm
8a6aedb095f62077e64124ddc577b9fb  firefox-1.0.1-1.4.3.src.rpm

i386:
b892ffeb126d1ef24f2c9059650d1000  firefox-1.0.1-1.4.3.i386.rpm

ia64:
303645b51596c4d7d0f0de81c3efdf4b  firefox-1.0.1-1.4.3.ia64.rpm

x86_64:
5d826defe063b94510651a6b68e6e719  firefox-1.0.1-1.4.3.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and 
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://www.mozilla.org/projects/security/known-vulnerabilities.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1156
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0231
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0232
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0233
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0255
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0527
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0578
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0584
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0585
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0586
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0588
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0589
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0590
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0591
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0592
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0593

8. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2005 Red Hat, Inc.

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFCJLyZXlSAg2UNWIIRAj+bAKDErHriZ1+v4OVoNWYECs1tSwqFCQCgrG1Y
6wk5QA0uUCLRdPJWeWAQPOo=
=6TrL
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBQiUZJCh9+71yA2DNAQIQnwP/eel4R2DgTDgopeuDXTcUtgDLb4Y4DYU1
p7FH6JMlofHTXW6szm7ieJbPsuB+C8t2dV52ym+EEs+uQz9qPT0PyXn5FBTNB8gG
lL5FbGLco772RTf8FUkWgcB20CWdAFMGbeKJ03vkf7GALF912HLX+LfInuCP+8wE
5QAF2VU9vKY=
=VvbX
-----END PGP SIGNATURE-----