-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                              ASB-2010.0093.2
               Multiple vulnerabilities corrected in Firefox
                               6 April 2010

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Firefox 3.5.8 and prior
                      Firefox 3.0.18 and prior
                      Thunderbird 3.0.3 and prior
                      SeaMonkey 2.0.3 and prior
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Provide Misleading Information  -- Remote with User Interaction
Resolution:           Mitigation
CVE Names:            CVE-2010-0182 CVE-2010-0181 CVE-2010-0179
                      CVE-2010-0178 CVE-2010-0177 CVE-2010-0176
                      CVE-2010-0175 CVE-2010-0174 CVE-2010-0173
                      CVE-2009-3555  
Member content until: Friday, April 30 2010

Revision History:     April  6 2010: Updated CVE references
                      March 31 2010: Initial Release

OVERVIEW

        Mozilla has released new versions of Firefox for the 3.5 and 3.0
        branches that correct multiple security vulnerabilities.


IMPACT

        MFSA-2010-16 (CVE-2010-0173, CVE-2010-0174)
        Fixed in: Firefox 3.6.2, 3.5.9, 3.0.19
                  Thunderbird 3.0.4
                  SeaMonkey 2.0.4
        
        Firefox crashes with evidence of memory corruption in the core engine.
        This may lead to execution of arbitrary code. More information is 
        available at [1].
        
        
        MFSA-2010-17 (CVE-2010-0175)
        Fixed in: Firefox 3.5.9, 3.0.19
                  Thunderbird 3.0.4
                  SeaMonkey 2.0.4
        
        Remote code execution is possible via "a select event handler for XUL 
        tree items that could be called after the tree was deleted." [2] 
        
        
        MFSA-2010-18 (CVE-2010-0176)
        Fixed in: Firefox 3.6.2, 3.5.9, 3.0.19
                  Thunderbird 3.0.4
                  SeaMonkey 2.0.4
        
        A dangling pointer error can occur in the count of the <option>
        elements when they are inserted into a XUL tree <optgroup>. "A live
        pointer to its old location is kept around and may later be used" [3],
        which may lead to code execution.
        
        
        MFSA-2010-19 (CVE-2010-0177)
        Fixed in: Firefox 3.6.2, 3.5.9, 3.0.19
                  SeaMonkey 2.0.4
        
        "An error in the implementation of the window.navigator.plugins 
        object. When a page reloads, the plugins array would reallocate all
        of its members without checking for existing references to each
        member. This could result in the deletion of objects for which 
        valid pointers still exist." [4] This could trigger a crash and 
        possibly be used to execute code.
        
        
        MFSA-2010-20 (CVE-2010-0178)
        Fixed in: Firefox 3.6.2, 3.5.9, 3.0.19
                  SeaMonkey 2.0.4
        
        A privilege escalation could occur if "a browser applet could be used
        to turn a simple mouse click into a drag-and-drop action, potentially
        resulting in the unintended loading of resources in a user's 
        browser." [5]
        
        
        MFSA-2010-21 (CVE-2010-0179)
        Fixed in: Firefox 3.5.8, 3.0.19
                  SeaMonkey 2.0.3
        
        "The XMLHttpRequestSpy module in the Firebug add-on was exposing an 
        underlying chrome privilege escalation vulnerability." [6]
        
        
        MFSA-2010-22 (CVE-2009-3555)
        Fixed in: Firefox 3.6.2, 3.5.9
                  Thunderbird 3.0.4
                  SeaMonkey 2.0.4
        
        An update to "the Network Security Services module for preventing a
        type of man-in-the-middle attack against TLS using forced 
        renegotiation." [7]
        
        
        MFSA-2010-23 (CVE-2010-0181)
        Fixed in: Firefox 3.6.2, 3.5.9
                  SeaMonkey 2.0.4
        
        "When an image tag points to a resource that redirects to a mailto:
        URL, the external mail handler application is launched." [8]


MITIGATION

        Some of these vulnerabilities can be mitigated by disabling JavaScript.
        This does not mitigate all of them.
        
        It is recommended that you update to the latest version of Firefox
        which is available from
        
            http://www.mozilla.org/firefox


REFERENCES

        [1] MFSA 2010-16: Crashes with evidence of memory corruption
            (rv:1.9.2.2/ 1.9.1.9/ 1.9.0.19)
            http://www.mozilla.org/security/announce/2010/mfsa2010-16.html

        [2] MFSA 2010-17: Remote code execution with use-after-free in
            nsTreeSelection
            http://www.mozilla.org/security/announce/2010/mfsa2010-17.html

        [3] MFSA 2010-18: Dangling pointer vulnerability in nsTreeContentView
            http://www.mozilla.org/security/announce/2010/mfsa2010-18.html

        [4] MFSA 2010-19: Dangling pointer vulnerability in nsPluginArray
            http://www.mozilla.org/security/announce/2010/mfsa2010-19.html

        [5] MFSA 2010-20: Chrome privilege escalation via forced URL drag and
            drop
            http://www.mozilla.org/security/announce/2010/mfsa2010-20.html

        [6] MFSA 2010-21: Arbitrary code execution with Firebug
            XMLHttpRequestSpy
            http://www.mozilla.org/security/announce/2010/mfsa2010-21.html

        [7] MFSA 2010-22: Update NSS to support TLS renegotiation indication
            http://www.mozilla.org/security/announce/2010/mfsa2010-22.html

        [8] MFSA 2010-23: Image src redirect to mailto: URL opens email editor
            http://www.mozilla.org/security/announce/2010/mfsa2010-23.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFLurha/iFOrG6YcBERAjDyAJ91XzYy1ZVXnf7plT/b6D/YdJ9gIACgocxy
QpFfmZZOhxT5avfLGn95DSE=
=X5z1
-----END PGP SIGNATURE-----