===========================================================================
             AUSCERT Security Bulletin

                          ASB-2012.0014.2
      Mozilla Firefox and Mozilla Thunderbird: Multiple vulnerabilities
                           1 February 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Mozilla Firefox
                      Mozilla Thunderbird
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Cross-site Request Forgery      -- Remote with User Interaction
                      Cross-site Scripting            -- Remote with User Interaction
                      Access Confidential Data        -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Unauthorised Access             -- Existing Account
Resolution:           Patch/Upgrade
CVE Names:            CVE-2012-0450 CVE-2012-0449 CVE-2012-0447 CVE-2012-0446
                      CVE-2012-0445 CVE-2012-0444 CVE-2012-0443 CVE-2012-0442
                      CVE-2011-3670 CVE-2011-3659
Member content until: Friday, March 2 2012

Revision History:     February 1 2012: Added Mozilla Thunderbird 10.0
                      February 1 2012: Initial Release

OVERVIEW

        Multiple vulnerabilities have been found in Mozilla Firefox and
        Mozilla Thunderbird. These issues are fixed in Mozilla Firefox 10.0
        and Mozilla Thunderbird 10.0. [10]

IMPACT

        Mozilla have provided the following details regarding these
        vulnerabilities:

        CVE-2012-0443: "Mozilla developers identified and fixed several
        memory safety bugs in the browser engine used in Firefox and other
        Mozilla-based products. Some of these bugs showed evidence of memory
        corruption under certain circumstances, and we presume that with
        enough effort at least some of these could be exploited to run
        arbitrary code. In general these flaws cannot be exploited through
        email in the Thunderbird and SeaMonkey products because scripting is
        disabled, but are potentially a risk in browser or browser-like
        contexts in those products.
        CVE-2012-0442: Jesse Ruderman and Bob Clary reported memory safety
        problems that were fixed in both Firefox 10 and Firefox 3.6.26." [1]

        CVE-2011-3670: "For historical reasons Firefox has been generous in
        its interpretation of web addresses containing square brackets
        around the host. If this host was not a valid IPv6 literal address,
        Firefox attempted to interpret the host as a regular domain name.
        Gregory Fleischer reported that requests made using IPv6 syntax
        using XMLHttpRequest objects through a proxy may generate errors
        depending on proxy configuration for IPv6. The resulting error
        messages from the proxy may disclose sensitive data because
        Same-Origin Policy (SOP) will allow the XMLHttpRequest object to
        read these error messages, allowing user privacy to be eroded.
        Firefox now enforces RFC 3986 IPv6 literal syntax and that may break
        links written using the non-standard Firefox-only forms that were
        previously accepted." [2]

        CVE-2012-0445: "Alex Dvorov reported that an attacker could replace
        a sub-frame in another domain's document by using the name attribute
        of the sub-frame as a form submission target. This can potentially
        allow for phishing attacks against users and violates the HTML5
        frame navigation policy." [3]

        CVE-2011-3659: "Security researcher regenrecht reported via
        TippingPoint's Zero Day Initiative that removed child nodes of
        nsDOMAttribute can be accessed under certain circumstances because
        of a premature notification of AttributeChildRemoved. This
        use-after-free of the child nodes could possibly allow for remote
        code execution." [4]

        CVE-2012-0446: "Mozilla security researcher moz_bug_r_a4 reported
        that frame scripts bypass XPConnect security checks when calling
        untrusted objects. This allows for cross-site scripting (XSS)
        attacks through web pages and Firefox extensions.
        The fix enables the Script Security Manager (SSM) to force security
        checks on all frame scripts." [5]

        CVE-2012-0447: "Mozilla developer Tim Abraldes reported that when
        encoding images as image/vnd.microsoft.icon the resulting data was
        always a fixed size, with uninitialized memory appended as padding
        beyond the size of the actual image. This is the result of
        mImageBufferSize in the encoder being initialized with a value
        different than the size of the source image. There is the
        possibility of sensitive data from uninitialized memory being
        appended to a PNG image when converted from an ICO format image.
        This sensitive data may then be disclosed in the resulting
        image." [6]

        CVE-2012-0444: "Security researcher regenrecht reported via
        TippingPoint's Zero Day Initiative the possibility of memory
        corruption during the decoding of Ogg Vorbis files. This can cause a
        crash during decoding and has the potential for remote code
        execution." [7]

        CVE-2012-0449: "Security researchers Nicolas Grégoire and Aki Helin
        independently reported that when processing a malformed embedded
        XSLT stylesheet, Firefox can crash due to a memory corruption. While
        there is no evidence that this is directly exploitable, there is a
        possibility of remote code execution." [8]

        CVE-2012-0450: "magicant starmen reported that if a user chooses to
        export their Firefox Sync key the "Firefox Recovery Key.html" file
        is saved with incorrect permissions, making the file contents
        potentially readable by other users on Linux and OS X systems." [9]

MITIGATION

        These vulnerabilities are corrected in the 10.0 release of Mozilla
        Firefox and the 10.0 release of Mozilla Thunderbird. It is
        recommended that users update to the latest version of Mozilla
        Firefox and Mozilla Thunderbird.
        [10, 11]

REFERENCES

        [1] mfsa2012-01
            http://www.mozilla.org/security/announce/2012/mfsa2012-01.html

        [2] mfsa2012-02
            http://www.mozilla.org/security/announce/2012/mfsa2012-02.html

        [3] mfsa2012-03
            http://www.mozilla.org/security/announce/2012/mfsa2012-03.html

        [4] mfsa2012-04
            http://www.mozilla.org/security/announce/2012/mfsa2012-04.html

        [5] mfsa2012-05
            http://www.mozilla.org/security/announce/2012/mfsa2012-05.html

        [6] mfsa2012-06
            http://www.mozilla.org/security/announce/2012/mfsa2012-06.html

        [7] mfsa2012-07
            http://www.mozilla.org/security/announce/2012/mfsa2012-07.html

        [8] mfsa2012-08
            http://www.mozilla.org/security/announce/2012/mfsa2012-08.html

        [9] mfsa2012-09
            http://www.mozilla.org/security/announce/2012/mfsa2012-09.html

        [10] Firefox 10.0 download
             http://www.mozilla.org/en-US/firefox/new/

        [11] Thunderbird 10.0 download
             http://www.mozilla.org/en-US/thunderbird/download

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this security
bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
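The CVE-2011-3670 entry above describes Firefox moving from a lenient reading of bracketed hosts to strict RFC 3986 IP-literal syntax. The following is an added example, not code from AusCERT or Mozilla, showing that check in Python: it splits the URL authority itself (rather than urllib, whose bracket handling varies by version) and classifies the host; the function names and sample URLs are my own.

```python
# Added example (not from the AusCERT bulletin or Mozilla's code): a strict
# RFC 3986 check for bracketed URL hosts, the rule Firefox 10 began enforcing
# for CVE-2011-3670. A "[...]" host must be an IPv6 literal (or IPvFuture);
# the older lenient behaviour fell back to treating "[example.com]" as a name.
import ipaddress
import re

# scheme "://" authority, where the authority ends at the first "/", "?" or "#"
_AUTHORITY = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://([^/?#]*)")
# RFC 3986: IPvFuture = "v" 1*HEXDIG "." 1*( unreserved / sub-delims / ":" )
_IPVFUTURE = re.compile(r"^v[0-9A-Fa-f]+\.[A-Za-z0-9\-._~!$&'()*+,;=:]+$")


def host_from_url(url: str) -> str:
    """Return the host part of the URL's authority (brackets kept, port dropped)."""
    m = _AUTHORITY.match(url)
    if not m:
        raise ValueError("URL has no authority component")
    authority = m.group(1).rsplit("@", 1)[-1]  # drop userinfo, if any
    if authority.startswith("["):
        end = authority.find("]")
        if end == -1:
            raise ValueError("unterminated IP-literal")
        return authority[: end + 1]
    return authority.partition(":")[0]  # a colon outside brackets starts the port


def classify_host(host: str) -> str:
    """Classify a host as 'ipv6', 'ipvfuture', 'reg-name' or 'invalid' per RFC 3986."""
    if host.startswith("[") and host.endswith("]"):
        inner = host[1:-1]
        if "%" in inner:  # zone IDs are not RFC 3986 syntax; reject rather than guess
            return "invalid"
        try:
            ipaddress.IPv6Address(inner)
            return "ipv6"
        except ValueError:
            pass
        if _IPVFUTURE.match(inner):
            return "ipvfuture"
        # Pre-10 Firefox would have retried this as a domain name; RFC 3986
        # gives a bracketed host no such fallback, so it is simply invalid.
        return "invalid"
    # Outside brackets a host is a reg-name (or dotted IPv4); a bare colon
    # cannot belong to it, and an empty host is rejected as well.
    if not host or ":" in host:
        return "invalid"
    return "reg-name"


def check_url(url: str) -> str:
    """Convenience wrapper: classify the host of a full URL."""
    return classify_host(host_from_url(url))
```

Running `check_url` over `http://[example.com]/` returns `invalid`, the outcome Firefox 10 now produces for the non-standard forms the bulletin mentions.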