                         AUSCERT Security Bulletin

          Two new versions of Mozilla Firefox have been released
              correcting a number of security vulnerabilities
                              24 August 2009


        AusCERT Security Bulletin Summary

Product:              Firefox 3.5.1
                      Firefox 3.0.12
Operating System:     UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Provide Misleading Information  -- Remote with User Interaction
                      Reduced Security                -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2009-2665 CVE-2009-2664 CVE-2009-2663
                      CVE-2009-2662 CVE-2009-2654 CVE-2009-2470
                      CVE-2009-2408 CVE-2009-2404 
Member content until: Thursday, September  3 2009

Revision History:     August 24 2009: Added additional fixes
                      August 19 2009: Updated impact section to include the Mozilla
                                      reference alongside the CVE reference
                      August  5 2009: Added CVE references
                      August  4 2009: Version number correction
                      August  4 2009: Initial Release


        Mozilla has released four advisories relating to Firefox. Mozilla has
        rated two of these advisories as "Critical", one as "Moderate", and
        one as "Low" impact.


        According to Mozilla, the vulnerabilities corrected in this update are:
         o MFSA 2009-38 (CVE-2009-2470): "Andrej Andolsek reported that when 
           Firefox receives a reply from a SOCKS5 proxy which contains a DNS 
           name longer than 15 characters, the subsequent data stream in the 
           response can become corrupted. There was no evidence of memory 
           corruption, however, and the severity of the issue was determined 
           to be low." [1]
         o MFSA 2009-44 (CVE-2009-2654): "Security researcher Juan Pablo Lopez 
           Yacubian reported that an attacker could call window.open() on an 
           invalid URL which looks similar to a legitimate URL and then use 
           document.write() to place content within the new document, appearing 
           to have come from the spoofed location. Additionally, if the spoofed 
           document was created by a document with a valid SSL certificate, the 
           SSL indicators would be carried over into the spoofed document. An 
           attacker could use these issues to display misleading location and 
           SSL information for a malicious web page." [2]
         o MFSA 2009-45 (CVE-2009-2663): "Mozilla developers and community 
           members identified and fixed several stability bugs in the browser 
           engine used in Firefox and other Mozilla-based products. Some of 
           these crashes showed evidence of memory corruption under certain 
           circumstances and we presume that with enough effort at least some 
           of these could be exploited to run arbitrary code." [3]
         o MFSA 2009-46: "Mozilla add-on developer and community member 
           Wladimir Palant reported broken functionality on pages that had a 
           Link: HTTP header when an add-on was installed which implemented a 
           Content Policy in JavaScript, such as AdBlock Plus or NoScript. 
           Mozilla security researcher moz_bug_r_a4 demonstrated that the 
           broken functionality was due to the window's global object receiving 
           an incorrect security wrapper and that this issue could be used to 
           execute arbitrary JavaScript with chrome privileges.
           Note: This vulnerability does not affect Firefox prior to version 
           3.5." [4]
         o MFSA 2009-42 (CVE-2009-2408): "IOActive security researcher Dan 
           Kaminsky reported a mismatch in the treatment of domain names in 
           SSL certificates between SSL clients and the Certificate 
           Authorities (CA) which issue server certificates. In particular, 
           if a malicious person requested a certificate for a host name with 
           an invalid null character in it most CAs would issue the certificate 
           if the requester owned the domain specified after the null, while 
           most SSL clients (browsers) ignored that part of the name and used 
           the unvalidated part in front of the null. This made it possible for 
           attackers to obtain certificates that would function for any site 
           they wished to target. These certificates could be used to intercept 
           and potentially alter encrypted communication between the client and 
           a server such as sensitive bank account transactions." [5]
         o MFSA 2009-43 (CVE-2009-2404): "Moxie Marlinspike reported a heap 
           overflow vulnerability in the code that handles regular expressions 
           in certificate names. This vulnerability could be used to compromise 
           the browser and run arbitrary code by presenting a specially crafted 
           certificate to the client. This code provided compatibility with the 
           non-standard regular expression syntax historically supported by 
           Netscape clients and servers. With version 3.5 Firefox switched to 
           the more limited industry-standard wildcard syntax instead and is not 
           vulnerable to this flaw." [6]
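        As an added illustration (not part of the Mozilla or AusCERT text), the
        Python below shows the defender's side of MFSA 2009-42 and MFSA 2009-43:
        a C-string style comparison that silently stops at an embedded NUL,
        beside a length-aware matcher that also restricts wildcards to a single
        leftmost label instead of regular expressions. The sample names and the
        exact wildcard rules are assumptions modelled on RFC 2818, not Mozilla's
        implementation.

```python
"""Certificate name matching: a naive C-string check beside a hardened one."""


def c_string_view(name: bytes) -> bytes:
    """Model a client holding the name as a NUL-terminated C string: bytes
    after the first NUL vanish (the client-side half of MFSA 2009-42)."""
    nul = name.find(b"\x00")
    return name if nul < 0 else name[:nul]


def naive_matches(cert_name: bytes, host: str) -> bool:
    """Vulnerable comparison: trusts only the part in front of the NUL."""
    return c_string_view(cert_name) == host.encode("ascii")


def hardened_matches(cert_name: bytes, host: str) -> bool:
    """Length-aware comparison with limited wildcards (assumed rules modelled
    on RFC 2818, not Mozilla's code): no regular expressions, and '*' only as
    the whole leftmost label of a name with at least three labels."""
    # A NUL anywhere in the length-prefixed name is a failure, never a
    # terminator; anything outside ASCII is refused as well.
    if b"\x00" in cert_name:
        return False
    try:
        name = cert_name.decode("ascii").lower()
    except UnicodeDecodeError:
        return False
    name_labels = name.split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if "" in name_labels or "" in host_labels:
        return False
    if len(name_labels) != len(host_labels):
        return False
    if "*" in name:
        # Only "*.second.tld" style: reject "w*w.example", "www.*.example",
        # "*.com" and any second wildcard.
        if name_labels[0] != "*" or len(name_labels) < 3:
            return False
        if any("*" in label for label in name_labels[1:]):
            return False
    # Plain per-label equality; the leftmost "*" label accepts any host label.
    return all(p == "*" or p == h for p, h in zip(name_labels, host_labels))


# Constructed sample: a CA that validates ownership of the part after the NUL
# ("owned.example") would issue this; a C-string client sees only the prefix.
SPOOFED_NAME = b"www.victim.example\x00.owned.example"
```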


        These vulnerabilities have been fixed in Firefox 3.0.13 and Firefox
        3.5.2, which can be downloaded from the Mozilla web site.


        [1] Mozilla Foundation Security Advisory 2009-38

        [2] Mozilla Foundation Security Advisory 2009-44

        [3] Mozilla Foundation Security Advisory 2009-45

        [4] Mozilla Foundation Security Advisory 2009-46

        [5] Mozilla Foundation Security Advisory 2009-42

        [6] Mozilla Foundation Security Advisory 2009-43

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967