Hash: SHA1

                         AUSCERT Security Bulletin

        Mozilla has released versions 3.6.11 and 3.5.14 of Firefox
                              20 October 2010


        AusCERT Security Bulletin Summary

Product:              Firefox
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Access Privileged Data          -- Remote with User Interaction
                      Modify Arbitrary Files          -- Remote with User Interaction
                      Reduced Security                -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2010-3183 CVE-2010-3181 CVE-2010-3180
                      CVE-2010-3179 CVE-2010-3178 CVE-2010-3176
                      CVE-2010-3175 CVE-2010-3174 CVE-2010-3173
Member content until: Friday, November 19 2010
Reference:            ESB-2010.0943


        Mozilla has released versions 3.6.11 and 3.5.14 of the Firefox web 
        browser, correcting multiple security vulnerabilities.


        The vendor has supplied the following information regarding these 
        "Mozilla cryptographer Nelson Bolyard reported that the SSL 
        implementation was permitting servers to use Diffie-Hellman Ephemeral 
        mode (DHE) with too short of a minimum key length. DHE keys of such 
        lengths are trivially breakable on modern hardware so SSL servers 
        operating in this mode were providing very little effective security 
        for their clients." [1]
        "Mozilla developer Ehsan Akhgari reported that a function used to load 
        external libraries on Windows platforms was using a relative path to a 
        DLL-loading application and was thus vulnerable to binary planting if 
        an attacker was able to place an executable of the same name in the 
        current working directory or any of the other locations that Windows 
        searches for executables.
        Dmitri Gribenko reported that the script used to launch Mozilla 
        applications on Linux was effectively including the current working 
        directory in the LD_LIBRARY_PATH environment variable. If an attacker 
        was able to place into the current working directory a malicious 
        shared library with the same name as a library that the bootstrapping 
        script depends on the attacker could have their library loaded instead 
        of the legitimate library." [2]
        "Security researcher Richard Moore reported that when an SSL 
        certificate was created with a common name containing a wildcard 
        followed by a partial IP address a valid SSL connection could be 
        established with a server whose IP address matched the wildcard range 
        by browsing directly to the IP address. It is extremely unlikely that 
        such a certificate would be issued by a Certificate Authority." [3]
        "Security researcher Eduardo Vela Nava reported that if a web page 
        opened a new window and used a javascript: URL to make a modal call, 
        such as alert(), then subsequently navigated the page to a different 
        domain, once the modal call returned the opener of the window could 
        get access to objects in the navigated window. This is a violation of 
        the same-origin policy and could be used by an attacker to steal 
        information from another web site." [4]
        "Google security researcher Robert Swiecki reported that functions used 
        by the Gopher parser to convert text to HTML tags could be exploited to 
        turn text into executable JavaScript. If an attacker could create a 
        file or directory on a Gopher server with the encoded script as part of 
        its name the script would then run in a victim's browser within the 
        context of the site." [5]
        "Security researcher regenrecht reported via TippingPoint's Zero Day 
        Initiative that when window.__lookupGetter__ is called with no 
        arguments the code assumes the top JavaScript stack value is a property 
        name. Since there were no arguments passed into the function, the top 
        value could represent uninitialized memory or a pointer to a previously 
        freed JavaScript object. Under such circumstances the value is passed 
        to another subroutine which calls through the dangling pointer, 
        potentially executing attacker-controlled memory." [6]
        "Security researcher Sergey Glazunov reported that it was possible to 
        access the locationbar property of a window object after it had been 
        closed. Since the closed window's memory could have been subsequently 
        reused by the system it was possible that an attempt to access the 
        locationbar property could result in the execution of attacker-
        controlled memory." [7]
        "Security researcher Alexander Miller reported that passing an 
        excessively long string to document.write could cause text rendering 
        routines to end up in an inconsistent state with sections of stack 
        memory being overwritten with the string data. An attacker could use 
        this flaw to crash a victim's browser and potentially run arbitrary 
        code on their computer." [8]
        "Mozilla developers identified and fixed several memory safety bugs 
        in the browser engine used in Firefox and other Mozilla-based 
        products. Some of these bugs showed evidence of memory corruption 
        under certain circumstances, and we presume that with enough effort 
        at least some of these could be exploited to run arbitrary code." [9]


        It is recommended that users of Firefox upgrade to the latest version.


        [1] Mozilla Foundation Security Advisory 2010-72

        [2] Mozilla Foundation Security Advisory 2010-71

        [3] Mozilla Foundation Security Advisory 2010-70

        [4] Mozilla Foundation Security Advisory 2010-69

        [5] Mozilla Foundation Security Advisory 2010-68

        [6] Mozilla Foundation Security Advisory 2010-67

        [7] Mozilla Foundation Security Advisory 2010-66

        [8] Mozilla Foundation Security Advisory 2010-65

        [9] Mozilla Foundation Security Advisory 2010-64

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967