-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
AUSCERT Security Bulletin

ASB-2009.1114
Firefox updates fix multiple vulnerabilities
28 October 2009

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Firefox
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Denial of Service -- Remote with User Interaction
                      Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Access Confidential Data -- Remote with User Interaction
                      Provide Misleading Information -- Remote with User Interaction
                      Overwrite Arbitrary Files -- Console/Physical
Resolution:           Patch/Upgrade
CVE Names:            CVE-2009-1563 CVE-2009-3370 CVE-2009-3274
                      CVE-2009-3371 CVE-2009-3372 CVE-2009-3373
                      CVE-2009-3374 CVE-2009-3375 CVE-2009-3376
                      CVE-2009-3377 CVE-2009-3378 CVE-2009-3379
                      CVE-2009-3380 CVE-2009-3381 CVE-2009-3382
                      CVE-2009-3383
Member content until: Friday, November 27 2009

OVERVIEW

        Mozilla has released 11 advisories relating to Firefox describing
        a total of 14 vulnerabilities. Mozilla has rated 6 of these
        advisories as "Critical", 3 as "Moderate" and 2 as "Low" impact.

IMPACT

        According to Mozilla, the vulnerabilities corrected in this update
        are:

        o MFSA 2009-52 (CVE-2009-3370): "...a user's form history, both
          from web content as well as the smart location bar, was
          vulnerable to theft. A malicious web page could synthesize
          events such as mouse focus and key presses on behalf of the
          victim and trick the browser into auto-filling the form fields
          with history entries and then reading the entries." [1]

        o MFSA 2009-53 (CVE-2009-3274): "...the file naming scheme used
          for downloading a file which already exists in the downloads
          folder is predictable. If an attacker had local access to a
          victim's computer and knew the name of a file the victim
          intended to open through the Download Manager, he could use this
          vulnerability to place a malicious file in the world-writable
          directory used to save temporary downloaded files and cause the
          browser to choose the incorrect file when opening it." [2]

        o MFSA 2009-54 (CVE-2009-3371): "...recursive creation of
          JavaScript web-workers can be used to create a set of objects
          whose memory could be freed prior to their use. These conditions
          often result in a crash which could potentially be used by an
          attacker to run arbitrary code on a victim's computer." [3]

        o MFSA 2009-55 (CVE-2009-3372): "...a flaw in the parsing of
          regular expressions used in Proxy Auto-configuration (PAC)
          files. In certain cases this flaw could be used by an attacker
          to crash a victim's browser and run arbitrary code on their
          computer." [4]

        o MFSA 2009-56 (CVE-2009-3373): "...a heap-based buffer overflow
          in Mozilla's GIF image parser. This vulnerability could
          potentially be used by an attacker to crash a victim's browser
          and run arbitrary code on their computer." [5]

        o MFSA 2009-57 (CVE-2009-3374): "...the XPCOM utility
          XPCVariant::VariantDataToJS unwrapped doubly-wrapped objects
          before returning them to chrome callers. This could result in
          chrome privileged code calling methods on an object which had
          previously been created or modified by web content, potentially
          executing malicious JavaScript code with chrome privileges." [6]

        o MFSA 2009-59 (CVE-2009-1563): "...a heap-based buffer overflow
          in Mozilla's string to floating point number conversion
          routines. Using this vulnerability an attacker could craft some
          malicious JavaScript code containing a very long string to be
          converted to a floating point number which would result in
          improper memory allocation and the execution of an arbitrary
          memory location. This vulnerability could thus be leveraged by
          the attacker to run arbitrary code on a victim's computer." [7]

        o MFSA 2009-61 (CVE-2009-3375): "...text within a selection on a
          web page can be read by JavaScript in a different domain using
          the document.getSelection function, violating the same-origin
          policy." [8]

        o MFSA 2009-62 (CVE-2009-3376): "...when downloading a file
          containing a right-to-left override character (RTL) in the
          filename, the name displayed in the dialog title bar conflicts
          with the name of the file shown in the dialog body. An attacker
          could use this vulnerability to obfuscate the name and file
          extension of a file to be downloaded and opened, potentially
          causing a user to run an executable file when they expected to
          open a non-executable file." [9]

        o MFSA 2009-63 (CVE-2009-3377,CVE-2009-3378,CVE-2009-3379):
          "Mozilla upgraded several third party libraries used in media
          rendering to address multiple memory safety and stability bugs
          identified by members of the Mozilla community. Some of the bugs
          discovered could potentially be used by an attacker to crash a
          victim's browser and execute arbitrary code on their computer."
          [10]

        o MFSA 2009-64 (CVE-2009-3380,CVE-2009-3381,CVE-2009-3382,
          CVE-2009-3383): "Mozilla developers and community members
          identified and fixed several stability bugs in the browser
          engine used in Firefox and other Mozilla-based products. Some of
          these crashes showed evidence of memory corruption under certain
          circumstances and we presume that with enough effort at least
          some of these could be exploited to run arbitrary code." [11]

MITIGATION

        These vulnerabilities have been fixed in Firefox 3.5.4 and
        Firefox 3.0.15. Updated versions of these programs are available
        from the Mozilla web site. [12]

REFERENCES

        [1] Mozilla Foundation Security Advisory 2009-52
            http://www.mozilla.org/security/announce/2009/mfsa2009-52.html

        [2] Mozilla Foundation Security Advisory 2009-53
            http://www.mozilla.org/security/announce/2009/mfsa2009-53.html

        [3] Mozilla Foundation Security Advisory 2009-54
            http://www.mozilla.org/security/announce/2009/mfsa2009-54.html

        [4] Mozilla Foundation Security Advisory 2009-55
            http://www.mozilla.org/security/announce/2009/mfsa2009-55.html

        [5] Mozilla Foundation Security Advisory 2009-56
            http://www.mozilla.org/security/announce/2009/mfsa2009-56.html

        [6] Mozilla Foundation Security Advisory 2009-57
            http://www.mozilla.org/security/announce/2009/mfsa2009-57.html

        [7] Mozilla Foundation Security Advisory 2009-59
            http://www.mozilla.org/security/announce/2009/mfsa2009-59.html

        [8] Mozilla Foundation Security Advisory 2009-61
            http://www.mozilla.org/security/announce/2009/mfsa2009-61.html

        [9] Mozilla Foundation Security Advisory 2009-62
            http://www.mozilla.org/security/announce/2009/mfsa2009-62.html

        [10] Mozilla Foundation Security Advisory 2009-63
             http://www.mozilla.org/security/announce/2009/mfsa2009-63.html

        [11] Mozilla Foundation Security Advisory 2009-64
             http://www.mozilla.org/security/announce/2009/mfsa2009-64.html

        [12] Mozilla Firefox web browser
             http://www.mozilla.org/firefox

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFK56FGNVH5XJJInbgRAs3vAJ4i+2YcUq3G42u1HOmpzALWlAQuigCdFisL
Y7mIiR6PH6izjC+oJFr4eHc=
=WzrH
-----END PGP SIGNATURE-----
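
Added example (not part of the AusCERT bulletin or the Mozilla advisories): for the right-to-left override issue described under MFSA 2009-62, a defender-side check that flags download filenames containing Unicode bidirectional control characters and compares the extension the operating system acts on with the one a user would see. The function names, the sample filenames and the simplified display model are assumptions made for this example.

```python
import os
import unicodedata

# Unicode bidirectional formatting characters that can reorder displayed text.
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e"   # LRE RLE PDF LRO RLO
                    "\u2066\u2067\u2068\u2069"         # LRI RLI FSI PDI
                    "\u200e\u200f")                    # LRM RLM
RLO, PDF = "\u202e", "\u202c"

def strip_bidi(name):
    """Return the filename with every bidi formatting character removed."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)

def approx_display(name):
    """Simplified model of how a bidi-aware dialog draws the name: text after
    U+202E is shown reversed until U+202C or the end of the string. This is an
    approximation, not the full Unicode Bidirectional Algorithm."""
    out, run, overriding = [], [], False
    for ch in name:
        if ch == RLO:
            overriding = True
        elif ch == PDF and overriding:
            out.extend(reversed(run))
            run, overriding = [], False
        elif ch in BIDI_CONTROLS:
            continue
        elif overriding:
            run.append(ch)
        else:
            out.append(ch)
    out.extend(reversed(run))
    return "".join(out)

def inspect_filename(name):
    """Compare the extension the OS acts on with the one a user would see."""
    found = [unicodedata.name(ch) for ch in name if ch in BIDI_CONTROLS]
    real_ext = os.path.splitext(strip_bidi(name))[1].lower()
    shown_ext = os.path.splitext(approx_display(name))[1].lower()
    return {"bidi_controls": found, "real_extension": real_ext,
            "shown_extension": shown_ext, "safe_name": strip_bidi(name),
            "suspicious": bool(found) and real_ext != shown_ext}

# Constructed sample names for illustration (not taken from the bulletin).
SAMPLES = ["report.pdf", "invoice\u202efdp.exe"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(ascii(sample), inspect_filename(sample))
```

A download handler or mail gateway can apply the same check before a name is shown to the user, displaying or storing the stripped name instead of the original.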