01 February 2012
-----BEGIN PGP SIGNED MESSAGE-----
AUSCERT Security Bulletin
Mozilla Firefox and Mozilla Thunderbird: Multiple vulnerabilities
1 February 2012
AusCERT Security Bulletin Summary
Product:           Mozilla Firefox
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Cross-site Request Forgery -- Remote with User Interaction
                   Cross-site Scripting -- Remote with User Interaction
                   Access Confidential Data -- Remote with User Interaction
                   Denial of Service -- Remote with User Interaction
                   Unauthorised Access -- Existing Account
CVE Names:         CVE-2012-0450 CVE-2012-0449 CVE-2012-0447
                   CVE-2012-0446 CVE-2012-0445 CVE-2012-0444
                   CVE-2012-0443 CVE-2012-0442 CVE-2011-3670
Member content until: Friday, March 2 2012
Revision History:  February 1 2012: Added Mozilla Thunderbird 10.0
                   February 1 2012: Initial Release
Multiple vulnerabilities have been found in Mozilla Firefox and
Mozilla Thunderbird. These issues are fixed in Mozilla Firefox 10.0 and
Mozilla Thunderbird 10.0. 
Mozilla have provided the following details regarding
CVE-2012-0443: "Mozilla developers identified and fixed several memory
safety bugs in the browser engine used in Firefox and other
Mozilla-based products. Some of these bugs showed evidence of memory
corruption under certain circumstances, and we presume that with enough
effort at least some of these could be exploited to run arbitrary
In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled,
but are potentially a risk in browser or browser-like contexts in
CVE-2012-0442: Jesse Ruderman and Bob Clary reported memory safety
problems that were fixed in both Firefox 10 and Firefox 3.6.26." 
CVE-2011-3670: "For historical reasons Firefox has been generous in
its interpretation of web addresses containing square brackets around
the host. If this host was not a valid IPv6 literal address, Firefox
attempted to interpret the host as a regular domain name.
Gregory Fleischer reported that requests made using IPv6 syntax using
XMLHttpRequest objects through a proxy may generate errors depending
on proxy configuration for IPv6. The resulting error messages from the
proxy may disclose sensitive data because Same-Origin Policy (SOP)
will allow the XMLHttpRequest object to read these error messages,
allowing user privacy to be eroded.
Firefox now enforces RFC 3986 IPv6 literal syntax and that may break
links written using the non-standard Firefox-only forms that were
previously accepted." 
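
The stricter host parsing described for CVE-2011-3670 means bracketed hosts that are not IP literals stop working. The following is an added example, not code from AusCERT or Mozilla, for finding such links in your own content. The function names and sample links are hypothetical, and Python's ipaddress module stands in for the RFC 3986 IPv6address grammar.

```python
import ipaddress
import re

# RFC 3986 3.2.2: IPvFuture = "v" 1*HEXDIG "." 1*( unreserved / sub-delims / ":" )
_IPVFUTURE = re.compile(r"v[0-9A-Fa-f]+\.[A-Za-z0-9\-._~!$&'()*+,;=:]+\Z")
_AUTHORITY = re.compile(r"[A-Za-z][A-Za-z0-9+.\-]*://([^/?#]*)")
# Brackets are legal only as one pair around the whole host, then an optional port.
_BRACKETED = re.compile(r"\[([^\[\]]*)\](?::\d*)?\Z")


def is_ip_literal_body(inner):
    """True if the text between '[' and ']' is a valid IP-literal body."""
    if _IPVFUTURE.match(inner):
        return True
    if "%" in inner:  # zone identifiers are not part of RFC 3986 IPv6address
        return False
    try:
        ipaddress.IPv6Address(inner)
        return True
    except ValueError:
        return False


def classify_host(url):
    """Return 'ip-literal', 'plain' (no brackets) or 'reject' for a URL's host."""
    m = _AUTHORITY.match(url)
    if not m:
        return "reject"
    hostport = m.group(1).rpartition("@")[2]  # drop any userinfo
    if "[" not in hostport and "]" not in hostport:
        return "plain"
    m = _BRACKETED.match(hostport)
    return "ip-literal" if m and is_ip_literal_body(m.group(1)) else "reject"


def nonstandard_links(urls):
    """Links whose bracketed host is not a valid literal and so will break."""
    return [u for u in urls if classify_host(u) == "reject"]


# Constructed sample links (not taken from the bulletin).
SAMPLE_LINKS = [
    "http://[2001:db8::1]:8080/status",
    "http://[example.com]/login",
    "http://example.com/",
    "http://[intranet]:3128/",
    "http://user@[::1]/",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(classify_host(link), link)
```
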
CVE-2012-0445: "Alex Dvorov reported that an attacker could replace a
sub-frame in another domain's document by using the name attribute of
the sub-frame as a form submission target. This can potentially allow
for phishing attacks against users and violates the HTML5 frame
navigation policy." 
CVE-2011-3659: "Security researcher regenrecht reported via
TippingPoint's Zero Day Initiative that removed child nodes of
nsDOMAttribute can be accessed under certain circumstances because of
a premature notification of AttributeChildRemoved. This use-after-free
of the child nodes could possibly allow for remote code
CVE-2012-0446: "Mozilla security researcher moz_bug_r_a4 reported that
frame scripts bypass XPConnect security checks when calling untrusted
objects. This allows for cross-site scripting (XSS) attacks through
web pages and Firefox extensions. The fix enables the Script Security
Manager (SSM) to force security checks on all frame scripts."
CVE-2012-0447: "Mozilla developer Tim Abraldes reported that when
encoding images as image/vnd.microsoft.icon the resulting data was
always a fixed size, with uninitialized memory appended as padding
beyond the size of the actual image. This is the result of
mImageBufferSize in the encoder being initialized with a value
different than the size of the source image. There is the possibility
of sensitive data from uninitialized memory being appended to a PNG
image when converted from an ICO format image. This sensitive data may
then be disclosed in the resulting image."
CVE-2012-0444: "Security researcher regenrecht reported via
TippingPoint's Zero Day Initiative the possibility of memory corruption
during the decoding of Ogg Vorbis files. This can cause a crash during
decoding and has the potential for remote code execution."
CVE-2012-0449: "Security researchers Nicolas Grégoire and Aki Helin
independently reported that when processing a malformed embedded XSLT
stylesheet, Firefox can crash due to a memory corruption. While there
is no evidence that this is directly exploitable, there is a
possibility of remote code execution."
CVE-2012-0450: "magicant starmen reported that if a user chooses to
export their Firefox Sync key the "Firefox Recovery Key.html" file is
saved with incorrect permissions, making the file contents potentially
readable by other users on Linux and OS X systems."
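
Recovery key files exported before the fix for CVE-2012-0450 keep whatever permissions they were saved with. The following is an added example, not code from AusCERT or Mozilla, for auditing and tightening them on Linux and OS X, alongside an owner-only way to write such a file. The function names and the directory scanned are assumptions; only the file name comes from the advisory.

```python
import os
import stat

KEY_FILE_NAME = "Firefox Recovery Key.html"  # file name quoted in the advisory


def exposed_bits(path):
    """Group/other permission bits set on path; 0 means owner-only."""
    return stat.S_IMODE(os.stat(path).st_mode) & (stat.S_IRWXG | stat.S_IRWXO)


def find_exposed_key_files(root):
    """Walk root and list exported key files that other accounts can access."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if KEY_FILE_NAME in files:
            path = os.path.join(dirpath, KEY_FILE_NAME)
            if exposed_bits(path):
                hits.append(path)
    return hits


def restrict_to_owner(path):
    """Set an existing file to owner read/write only (0600)."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)


def write_secret_file(path, data):
    """Create path as 0600 from the first byte, never widening afterwards."""
    # O_EXCL refuses to reuse an existing file that may carry loose permissions.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.fchmod(fd, 0o600)  # enforce the mode regardless of the process umask
        os.write(fd, data)
    finally:
        os.close(fd)


if __name__ == "__main__":
    # Assumption: exported keys were saved somewhere under the home directory.
    for found in find_exposed_key_files(os.path.expanduser("~")):
        print("tightening", found)
        restrict_to_owner(found)
```
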
These vulnerabilities are corrected in the 10.0 release of Mozilla
Firefox and the 10.0 release of Mozilla Thunderbird.
It is recommended that users update to the latest version of
Mozilla Firefox and Mozilla Thunderbird. [10, 11]
 Firefox 10.0 download
 Thunderbird 10.0 download
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: firstname.lastname@example.org
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----