
                         AUSCERT Security Bulletin

               Multiple vulnerabilities corrected in Firefox
                               6 April 2010


        AusCERT Security Bulletin Summary

Product:              Firefox 3.5.8 and prior
                      Firefox 3.0.18 and prior
                      Thunderbird 3.0.3 and prior
                      SeaMonkey 2.0.3 and prior
Operating System:     UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Provide Misleading Information  -- Remote with User Interaction
Resolution:           Mitigation
CVE Names:            CVE-2010-0182 CVE-2010-0181 CVE-2010-0179
                      CVE-2010-0178 CVE-2010-0177 CVE-2010-0176
                      CVE-2010-0175 CVE-2010-0174 CVE-2010-0173
Member content until: Friday, April 30 2010

Revision History:     April  6 2010: Updated CVE references
                      March 31 2010: Initial Release


        Mozilla has released new versions of Firefox for the 3.5 and 3.0
        branches that correct multiple security vulnerabilities.


        MFSA-2010-16 (CVE-2010-0173, CVE-2010-0174)
        Fixed in: Firefox 3.6.2, 3.5.9, 3.0.19
                  Thunderbird 3.0.4
                  SeaMonkey 2.0.4
        Firefox crashes with evidence of memory corruption in the core engine.
        This may lead to execution of arbitrary code. More information is 
        available at [1].

        MFSA-2010-17 (CVE-2010-0175)
        Fixed in: Firefox 3.5.9, 3.0.19
                  Thunderbird 3.0.4
                  SeaMonkey 2.0.4
        Remote code execution is possible via "a select event handler for XUL 
        tree items that could be called after the tree was deleted." [2]

        MFSA-2010-18 (CVE-2010-0176)
        Fixed in: Firefox 3.6.2, 3.5.9, 3.0.19
                  Thunderbird 3.0.4
                  SeaMonkey 2.0.4
        A dangling pointer error in the count of the <option> elements when
        they are inserted into a XUL tree <optgroup>. "A live pointer to its
        old location is kept around and may later be used" [3] which may
        lead to code execution.

        MFSA-2010-19 (CVE-2010-0177)
        Fixed in: Firefox 3.6.2, 3.5.9, 3.0.19
                  SeaMonkey 2.0.4
        "An error in the implementation of the window.navigator.plugins 
        object. When a page reloads, the plugins array would reallocate all
        of its members without checking for existing references to each
        member. This could result in the deletion of objects for which 
        valid pointers still exist." [4] This could trigger a crash and 
        possibly be used to execute code.

        MFSA-2010-20 (CVE-2010-0178)
        Fixed in: Firefox 3.6.2, 3.5.9, 3.0.19
                  SeaMonkey 2.0.4
        A privilege escalation could occur if "a browser applet could be used
        to turn a simple mouse click into a drag-and-drop action, potentially
        resulting in the unintended loading of resources in a user's 
        browser." [5]

        MFSA-2010-21 (CVE-2010-0179)
        Fixed in: Firefox 3.5.8, 3.0.19
                  SeaMonkey 2.0.3
        "The XMLHttpRequestSpy module in the Firebug add-on was exposing an
        underlying chrome privilege escalation vulnerability." [6]

        MFSA-2010-22 (CVE-2009-3555)
        Fixed in: Firefox 3.6.2, 3.5.9
                  Thunderbird 3.0.4
                  SeaMonkey 2.0.4
        An update to "the Network Security Services module for preventing a
        type of man-in-the-middle attack against TLS using forced 
        renegotiation." [7]

        MFSA-2010-23 (CVE-2010-0181)
        Fixed in: Firefox 3.6.2, 3.5.9
                  SeaMonkey 2.0.4
        "When an image tag points to a resource that redirects to a mailto:
        URL, the external mail handler application is launched." [8]
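
        An added example, not part of the AusCERT bulletin or of Mozilla's
        advisories: a triage script that takes an installed product and
        version and lists which of the advisories above are still unfixed on
        that release branch. The fixed-in table is transcribed from this
        bulletin; the function names and the rule of comparing only against a
        fix on the same major.minor branch are assumptions.

```python
# Fixed-in versions transcribed from the bulletin above, one advisory per line.
BULLETIN = """\
MFSA-2010-16 firefox=3.6.2,3.5.9,3.0.19 thunderbird=3.0.4 seamonkey=2.0.4
MFSA-2010-17 firefox=3.5.9,3.0.19 thunderbird=3.0.4 seamonkey=2.0.4
MFSA-2010-18 firefox=3.6.2,3.5.9,3.0.19 thunderbird=3.0.4 seamonkey=2.0.4
MFSA-2010-19 firefox=3.6.2,3.5.9,3.0.19 seamonkey=2.0.4
MFSA-2010-20 firefox=3.6.2,3.5.9,3.0.19 seamonkey=2.0.4
MFSA-2010-21 firefox=3.5.8,3.0.19 seamonkey=2.0.3
MFSA-2010-22 firefox=3.6.2,3.5.9 thunderbird=3.0.4 seamonkey=2.0.4
MFSA-2010-23 firefox=3.6.2,3.5.9 seamonkey=2.0.4
"""

def parse_version(text):
    """'3.0.19' -> (3, 0, 19), so comparison is numeric, not lexical."""
    return tuple(int(part) for part in text.strip().split("."))

def load_fixes(table=BULLETIN):
    """Return {advisory: {product: [version tuples]}} from the table text."""
    fixes = {}
    for line in table.splitlines():
        mfsa, *fields = line.split()
        fixes[mfsa] = {}
        for field in fields:
            product, versions = field.split("=")
            fixes[mfsa][product] = [parse_version(v) for v in versions.split(",")]
    return fixes

def triage(product, installed):
    """Return (outstanding, unlisted) advisory IDs for one installed build."""
    have = parse_version(installed)
    outstanding, unlisted = [], []
    for mfsa, products in sorted(load_fixes().items()):
        fixed = products.get(product.lower())
        if fixed is None:
            continue  # bulletin lists no fix for this product
        # Assumption: only a fix on the same major.minor branch is comparable.
        on_branch = [f for f in fixed if f[:2] == have[:2]]
        if not on_branch:
            unlisted.append(mfsa)  # no fix listed for this release branch
        elif have < min(on_branch):
            outstanding.append(mfsa)
    return outstanding, unlisted

if __name__ == "__main__":
    for product, version in [("Firefox", "3.5.8"), ("Firefox", "3.0.18"), ("Thunderbird", "3.0.3")]:
        print(product, version, triage(product, version))
```

        Advisories returned as unlisted have no fixed version given for the
        installed branch in this bulletin, so they need checking against the
        Mozilla advisory itself.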


        Some of these vulnerabilities can be mitigated by disabling JavaScript.
        This does not mitigate all of them.
        It is recommended that you update to the latest version of Firefox
        which is available from


        [1] MFSA 2010-16: Crashes with evidence of memory corruption

        [2] MFSA 2010-17: Remote code execution with use-after-free in

        [3] MFSA 2010-18: Dangling pointer vulnerability in nsTreeContentView

        [4] MFSA 2010-19: Dangling pointer vulnerability in nsPluginArray

        [5] MFSA 2010-20: Chrome privilege escalation via forced URL drag and

        [6] MFSA 2010-21: Arbitrary code execution with Firebug

        [7] MFSA 2010-22: Update NSS to support TLS renegotiation indication

        [8] MFSA 2010-23: Image src redirect to mailto: URL opens email editor

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.