===========================================================================
AUSCERT Security Bulletin

ASB-2011.0100
A number of vulnerabilities have been identified in Mozilla Firefox and
Mozilla Thunderbird
9 November 2011
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:              Mozilla Firefox
                      Mozilla Thunderbird
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Increased Privileges -- Remote with User Interaction
                      Denial of Service -- Remote with User Interaction
                      Access Confidential Data -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2011-3655 CVE-2011-3654 CVE-2011-3653
                      CVE-2011-3652 CVE-2011-3651 CVE-2011-3650
                      CVE-2011-3649 CVE-2011-3648
Member content until: Friday, December 9 2011

OVERVIEW

A number of vulnerabilities have been identified in Mozilla Firefox prior
to versions 8.0 and 3.6.24, and Mozilla Thunderbird prior to versions 8.0
and 3.6.16.

IMPACT

The vendor has provided the following details regarding a vulnerability
which affects Mozilla Firefox prior to version 3.6.24 and Mozilla
Thunderbird prior to version 3.6.16:

CVE-2011-3647: "Mozilla security researcher moz_bug_r_a4 reported that the
problem described in MFSA 2011-43 and fixed in Firefox 7 also affected
Firefox 3.6: a malicious page could potentially exploit a Firefox user who
had installed an add-on that used loadSubscript in vulnerable ways." [1]

The vendor has provided the following details regarding vulnerabilities
which affect Mozilla Firefox prior to versions 3.6.24 and 8.0, and Mozilla
Thunderbird prior to versions 3.6.16 and 8.0:

CVE-2011-3648: "Yosuke Hasegawa reported that the Mozilla browser engine
mishandled invalid sequences in the Shift-JIS encoding.
When encountering an invalid pair Mozilla would turn the entire two-byte
sequence into a single unknown character rather than an unknown character
followed by a valid single-byte character. On some sites attackers may have
been able to end their input with the first byte of a two byte sequence;
when that input was later put into a page context it might cause the
following delimiter (such as a double-quote) to be consumed, breaking the
format of the page. Depending on the page this could potentially be used to
steal data or inject script into the page." [2]

CVE-2011-3650: "Marc Schoenefeld reported a crash when using Firebug to
profile a JavaScript file with many functions. It may be possible to
trigger this crash without the use of debugging APIs, and if so this could
be exploitable." [3]

The vendor has provided the following details regarding a vulnerability
which affects Mozilla Firefox prior to version 8.0 and Mozilla Thunderbird
prior to version 8.0:

CVE-2011-3651, CVE-2011-3652, CVE-2011-3654: "Mozilla developers fixed
several memory safety bugs in the browser engine used in Firefox and other
Mozilla-based products. Some of these bugs showed evidence of memory
corruption under certain circumstances, and we presume that with enough
effort at least some of these could be exploited to run arbitrary code. In
general these flaws cannot be exploited through email in the Thunderbird
and SeaMonkey products because scripting is disabled, but are potentially a
risk in browser or browser-like contexts in those products." [4]

CVE-2011-3649: "Mozilla developer Bas Schouten reported that the
introduction of the "Azure" graphics back-end on Windows in Firefox 7
re-introduced the cross-origin data theft issue reported by
nasalislarvatus3000 as described in MFSA 2011-29." [5]

CVE-2011-3653: "Claus Wahlers reported that random images from GPU memory
were showing up in WebGL textures.
Once incorporated into the WebGL graphics it is possible for a site to
programmatically read the image data and potentially gain sensitive data
from other things that had been displayed earlier. This problem is due to a
bug in the driver for Intel integrated GPUs on recent Mac OS X hardware,
and the problem can be seen in WebGL implementations from other vendors.
Mozilla has implemented a work-around to prevent this from happening with
this hardware-driver combination." [6]

CVE-2011-3655: "Mozilla security researcher moz_bug_r_a4 reported that an
internal privilege check failed to respect the NoWaiverWrappers introduced
with Firefox 4. This could result in elevated privilege being granted to
web content." [7]

MITIGATION

The vendor recommends that users upgrade to the latest version of Mozilla
Firefox and Mozilla Thunderbird. [8, 9]

Regarding the 3.6.x branch of Mozilla Firefox, the vendor has stated:

"Firefox 3.6.x will be maintained with security and stability updates for a
short amount of time. All users are strongly encouraged to upgrade to the
latest version of Firefox." [10]

Regarding the 3.6.x branch of Mozilla Thunderbird, the vendor has stated:

"Thunderbird 3.1.x will be maintained with security and stability releases
for a short period of time.
All users are strongly encouraged to upgrade to the latest Thunderbird
release" [11]

REFERENCES

[1] Mozilla Foundation Security Advisory 2011-46
    http://www.mozilla.org/security/announce/2011/mfsa2011-46.html

[2] Mozilla Foundation Security Advisory 2011-47
    http://www.mozilla.org/security/announce/2011/mfsa2011-47.html

[3] Mozilla Foundation Security Advisory 2011-49
    http://www.mozilla.org/security/announce/2011/mfsa2011-49.html

[4] Mozilla Foundation Security Advisory 2011-48
    http://www.mozilla.org/security/announce/2011/mfsa2011-48.html

[5] Mozilla Foundation Security Advisory 2011-50
    http://www.mozilla.org/security/announce/2011/mfsa2011-50.html

[6] Mozilla Foundation Security Advisory 2011-51
    http://www.mozilla.org/security/announce/2011/mfsa2011-51.html

[7] Mozilla Foundation Security Advisory 2011-52
    http://www.mozilla.org/security/announce/2011/mfsa2011-52.html

[8] Firefox Release Notes
    http://www.mozilla.org/en-US/firefox/8.0/releasenotes/

[9] Thunderbird Release Notes
    https://www.mozilla.org/en-US/thunderbird/8.0/releasenotes/

[10] Download Firefox 3.6
     http://www.mozilla.org/en-US/firefox/all-older.html

[11] Download Thunderbird 3.1
     http://www.mozilla.org/en-US/thunderbird/all-older.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
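The Shift-JIS handling described under CVE-2011-3648 above, shown as an added example that is not part of the AusCERT bulletin or Mozilla's code: a toy decoder with the pre-fix and post-fix treatment of an invalid pair, plus a server-side well-formedness check as one possible mitigation. The function names, the page fragment and the sample field are constructed for illustration, and the byte ranges model only the structure of Shift-JIS.

```python
# Structural byte ranges of Shift-JIS double-byte characters.
LEAD = set(range(0x81, 0xA0)) | set(range(0xE0, 0xFD))
TRAIL = set(range(0x40, 0x7F)) | set(range(0x80, 0xFD))


def decode_sjis(data: bytes, swallow_invalid_trail: bool) -> str:
    """Toy decoder; the flag selects the pre-fix (True) or post-fix (False) behaviour."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:                                  # ASCII range, single byte
            out.append(chr(b))
            i += 1
        elif b not in LEAD:                           # half-width katakana or invalid byte
            out.append(bytes([b]).decode("shift_jis", "replace"))
            i += 1
        elif i + 1 < len(data) and data[i + 1] in TRAIL:
            out.append(data[i:i + 2].decode("shift_jis", "replace"))
            i += 2
        else:
            out.append("\ufffd")                      # invalid pair or truncated lead byte
            i += 2 if swallow_invalid_trail else 1    # pre-fix: the next byte is lost too
    return "".join(out)


def well_formed(data: bytes) -> bool:
    """Added mitigation sketch: every lead byte must be followed by a valid trail byte."""
    i = 0
    while i < len(data):
        if data[i] in LEAD:
            if i + 1 >= len(data) or data[i + 1] not in TRAIL:
                return False
            i += 2
        else:
            i += 1
    return True


def render(field: bytes) -> bytes:
    """Constructed page fragment: the field lands inside a quoted attribute."""
    return b'<input value="' + field + b'" name="q">'


if __name__ == "__main__":
    field = "日本".encode("shift_jis") + b"\x81"      # constructed: ends on a lone lead byte
    print(decode_sjis(render(field), swallow_invalid_trail=True))
    print(decode_sjis(render(field), swallow_invalid_trail=False))
    print(well_formed(field))
```

With the pre-fix behaviour the closing double-quote of the attribute disappears from the decoded page; with the post-fix behaviour it survives after the replacement character.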