Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT Security Bulletin ASB-2010.0229 Mozilla has released versions 3.6.11 and 3.5.14 of Firefox 20 October 2010 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Firefox Operating System: Windows UNIX variants (UNIX, Linux, OSX) Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction Access Privileged Data -- Remote with User Interaction Modify Arbitrary Files -- Remote with User Interaction Reduced Security -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2010-3183 CVE-2010-3181 CVE-2010-3180 CVE-2010-3179 CVE-2010-3178 CVE-2010-3176 CVE-2010-3175 CVE-2010-3174 CVE-2010-3173 CVE-2010-3170 Member content until: Friday, November 19 2010 Reference: ESB-2010.0943 OVERVIEW Mozilla has released versions 3.6.11 and 3.5.14 of the Firefox web browser, correcting multiple security vulnerabilities. IMPACT The vendor has supplied the following information regarding these vulnerabilities: "Mozilla cryptographer Nelson Bolyard reported that the SSL implementation was permitting servers to use Diffie-Hellman Ephemeral mode (DHE) with too short of a minimum key length. DHE keys of such lengths are trivially breakable on modern hardware so SSL servers operating in this mode were providing very little effective security for their clients." [1] "Mozilla developer Ehsan Akhgari reported that a function used to load external libraries on Windows platforms was using a relative path to a DLL-loading application and was thus vulnerable to binary planting if an attacker was able to place an executable of the same name in the current working directory or any of the other locations that Windows searches for executables. Dmitri Gribenko reported that the script used to launch Mozilla applications on Linux was effectively including the current working directory in the LD_LIBRARY_PATH environment variable. If an attacker was able to place into the current working directory a malicious shared library with the same name as a library that the bootstrapping script depends on the attacker could have their library loaded instead of the legitimate library." [2] "Security researcher Richard Moore reported that when an SSL certificate was created with a common name containing a wildcard followed by a partial IP address a valid SSL connection could be established with a server whose IP address matched the wildcard range by browsing directly to the IP address. It is extremely unlikely that such a certificate would be issued by a Certificate Authority." [3] "Security researcher Eduardo Vela Nava reported that if a web page opened a new window and used a javascript: URL to make a modal call, such as alert(), then subsequently navigated the page to a different domain, once the modal call returned the opener of the window could get access to objects in the navigated window. This is a violation of the same-origin policy and could be used by an attacker to steal information from another web site." [4] "Google security researcher Robert Swiecki reported that functions used by the Gopher parser to convert text to HTML tags could be exploited to turn text into executable JavaScript. If an attacker could create a file or directory on a Gopher server with the encoded script as part of its name the script would then run in a victim's browser within the context of the site." [5] "Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that when window.__lookupGetter__ is called with no arguments the code assumes the top JavaScript stack value is a property name. Since there were no arguments passed into the function, the top value could represent uninitialized memory or a pointer to a previously freed JavaScript object. Under such circumstances the value is passed to another subroutine which calls through the dangling pointer, potentially executing attacker-controlled memory." [6] "Security researcher Sergey Glazunov reported that it was possible to access the locationbar property of a window object after it had been closed. Since the closed window's memory could have been subsequently reused by the system it was possible that an attempt to access the locationbar property could result in the execution of attacker- controlled memory." [7] "Security researcher Alexander Miller reported that passing an excessively long string to document.write could cause text rendering routines to end up in an inconsistent state with sections of stack memory being overwritten with the string data. An attacker could use this flaw to crash a victim's browser and potentially run arbitrary code on their computer." [8] "Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code." [9] MITIGATION It is recommended that users of Firefox upgrade to the latest version. REFERENCES [1] Mozilla Foundation Security Advisory 2010-72 http://www.mozilla.org/security/announce/2010/mfsa2010-72.html [2] Mozilla Foundation Security Advisory 2010-71 http://www.mozilla.org/security/announce/2010/mfsa2010-71.html [3] Mozilla Foundation Security Advisory 2010-70 http://www.mozilla.org/security/announce/2010/mfsa2010-70.html [4] Mozilla Foundation Security Advisory 2010-69 http://www.mozilla.org/security/announce/2010/mfsa2010-69.html [5] Mozilla Foundation Security Advisory 2010-68 http://www.mozilla.org/security/announce/2010/mfsa2010-68.html [6] Mozilla Foundation Security Advisory 2010-67 http://www.mozilla.org/security/announce/2010/mfsa2010-67.html [7] Mozilla Foundation Security Advisory 2010-66 http://www.mozilla.org/security/announce/2010/mfsa2010-66.html [8] Mozilla Foundation Security Advisory 2010-65 http://www.mozilla.org/security/announce/2010/mfsa2010-65.html [9] Mozilla Foundation Security Advisory 2010-64 http://www.mozilla.org/security/announce/2010/mfsa2010-64.html AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iD8DBQFMvnOQ/iFOrG6YcBERAjp5AKDCIP77S/PKGquiIvLzTxeXFPzKhwCfbdrI 4G9hIxNH4aN/hmPyidM8rr4= =JF7v -----END PGP SIGNATURE-----