-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                              ASB-2012.0014.2
     Mozilla Firefox and Mozilla Thunderbird: Multiple vulnerabilities
                              1 February 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Mozilla Firefox
                      Mozilla Thunderbird
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Cross-site Request Forgery      -- Remote with User Interaction
                      Cross-site Scripting            -- Remote with User Interaction
                      Access Confidential Data        -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Unauthorised Access             -- Existing Account            
Resolution:           Patch/Upgrade
CVE Names:            CVE-2012-0450 CVE-2012-0449 CVE-2012-0447
                      CVE-2012-0446 CVE-2012-0445 CVE-2012-0444
                      CVE-2012-0443 CVE-2012-0442 CVE-2011-3670
                      CVE-2011-3659  
Member content until: Friday, March  2 2012

Revision History:     February 1 2012: Added Mozilla Thunderbird 10.0
                      February 1 2012: Initial Release

OVERVIEW

        Multiple vulnerabilities have been found in Mozilla Firefox and 
        Mozilla Thunderbird. These issues are fixed in Mozilla Firefox 10.0 and 
        Mozilla Thunderbird 10.0. [10]


IMPACT

        Mozilla have provided the following details regarding 
        these vulnerabilities:
        
        CVE-2012-0443: "Mozilla developers identified and fixed several memory 
        safety bugs in the browser engine used in Firefox and other 
        Mozilla-based products. Some of these bugs showed evidence of memory 
        corruption under certain circumstances, and we presume that with enough 
        effort at least some of these could be exploited to run arbitrary 
        code.
        
        In general these flaws cannot be exploited through email in the 
        Thunderbird and SeaMonkey products because scripting is disabled, 
        but are potentially a risk in browser or browser-like contexts in 
        those products.
        
        CVE-2012-0442: Jesse Ruderman and Bob Clary reported memory safety 
        problems that were fixed in both Firefox 10 and Firefox 3.6.26." [1]
        
        CVE-2011-3670: "For historical reasons Firefox has been generous in 
        its interpretation of web addresses containing square brackets around 
        the host. If this host was not a valid IPv6 literal address, Firefox 
        attempted to interpret the host as a regular domain name. 
        Gregory Fleischer reported that requests made using IPv6 syntax using 
        XMLHttpRequest objects through a proxy may generate errors depending 
        on proxy configuration for IPv6. The resulting error messages from the 
        proxy may disclose sensitive data because Same-Origin Policy (SOP) 
        will allow the XMLHttpRequest object to read these error messages, 
        allowing user privacy to be eroded. 
        Firefox now enforces RFC 3986 IPv6 literal syntax and that may break 
        links written using the non-standard Firefox-only forms that were 
        previously accepted." [2]
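
        The RFC 3986 rule referred to above, as an added example that is not part of
        the original bulletin or of Mozilla's code: a bracketed host must be a valid
        IPv6address or IPvFuture literal, and anything else is rejected rather than
        retried as a domain name (the permissive fallback the advisory describes).
        The function names and sample URLs are constructed for this illustration.

```python
import ipaddress
import re

# RFC 3986: IP-literal = "[" ( IPv6address / IPvFuture ) "]"
#           IPvFuture  = "v" 1*HEXDIG "." 1*( unreserved / sub-delims / ":" )
_IPVFUTURE = re.compile(r"^v[0-9A-Fa-f]+\.[A-Za-z0-9\-._~!$&'()*+,;=:]+$")


def is_rfc3986_ip_literal(bracketed: str) -> bool:
    """True only if `bracketed` (brackets included) is a valid RFC 3986 IP-literal."""
    if len(bracketed) < 3 or bracketed[0] != "[" or bracketed[-1] != "]":
        return False
    inner = bracketed[1:-1]
    if _IPVFUTURE.match(inner):
        return True
    # RFC 3986 IPv6address has no zone id; ipaddress accepts "%scope" on
    # Python 3.9+, so reject it before parsing.
    if "%" in inner:
        return False
    try:
        ipaddress.IPv6Address(inner)
    except ValueError:
        return False
    return True


def classify_host(url: str) -> str:
    """Classify the host of an absolute URL as 'ipv6-literal', 'name' or 'invalid'.

    A bracketed host that is not a valid literal is 'invalid'; it is never
    reinterpreted as a domain name, which is the pre-10.0 behaviour the
    advisory says was removed.
    """
    if "://" not in url:
        return "invalid"
    authority = url.split("://", 1)[1]
    for sep in "/?#":                       # authority ends at path/query/fragment
        authority = authority.split(sep, 1)[0]
    if "@" in authority:                    # drop userinfo
        authority = authority.rsplit("@", 1)[1]
    if authority.startswith("["):
        end = authority.find("]")
        if end == -1:
            return "invalid"
        literal = authority[: end + 1]
        return "ipv6-literal" if is_rfc3986_ip_literal(literal) else "invalid"
    # Unbracketed: strip an optional port; a leftover ':' is not a legal reg-name.
    host = authority.rsplit(":", 1)[0] if ":" in authority else authority
    if not host or ":" in host:
        return "invalid"
    return "name"
```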
        
        CVE-2012-0445: "Alex Dvorov reported that an attacker could replace a 
        sub-frame in another domain's document by using the name attribute of 
        the sub-frame as a form submission target. This can potentially allow 
        for phishing attacks against users and violates the HTML5 frame 
        navigation policy." [3]
        
        CVE-2011-3659: "Security researcher regenrecht reported via 
        TippingPoint's Zero Day Initiative that removed child nodes of 
        nsDOMAttribute can be accessed under certain circumstances because of 
        a premature notification of AttributeChildRemoved. This use-after-free 
        of the child nodes could possibly allow for remote code 
        execution."[4]
        
        CVE-2012-0446: "Mozilla security researcher moz_bug_r_a4 reported that 
        frame scripts bypass XPConnect security checks when calling untrusted 
        objects. This allows for cross-site scripting (XSS) attacks through 
        web pages and Firefox extensions. The fix enables the Script Security 
        Manager (SSM) to force security checks on all frame scripts."[5]
        
        CVE-2012-0447: "Mozilla developer Tim Abraldes reported that when 
        encoding images as image/vnd.microsoft.icon the resulting data was 
        always a fixed size, with uninitialized memory appended as padding 
        beyond the size of the actual image. This is the result of 
        mImageBufferSize in the encoder being initialized with a value 
        different than the size of the source image. There is the possibility 
        of sensitive data from uninitialized memory being appended to a PNG 
        image when converted from an ICO format image. This sensitive data may 
        then be disclosed in the resulting image."[6]
        
        CVE-2012-0444: "Security researcher regenrecht reported via 
        TippingPoint's Zero Day Initiative the possibility of memory corruption
        during the decoding of Ogg Vorbis files. This can cause a crash during 
        decoding and has the potential for remote code execution."[7]
        
        CVE-2012-0449: "Security researchers Nicolas Grégoire and Aki Helin 
        independently reported that when processing a malformed embedded XSLT 
        stylesheet, Firefox can crash due to a memory corruption. While there 
        is no evidence that this is directly exploitable, there is a 
        possibility of remote code execution."[8]
        
        CVE-2012-0450: "magicant starmen reported that if a user chooses to 
        export their Firefox Sync key the "Firefox Recovery Key.html" file is 
        saved with incorrect permissions, making the file contents potentially 
        readable by other users on Linux and OS X systems."[9]
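
        The permissions failure described for CVE-2012-0450, as an added example
        that is not part of the bulletin or of Firefox: a secret-bearing export is
        created with mode 0600 at open time (no window with a umask default), and a
        check reports any copy that group or world can read. The directory, file
        contents and function names are constructed placeholders.

```python
import os
import stat
import tempfile


def write_private_file(path: str, data: bytes) -> None:
    """Create `path` readable and writable by the owner only.

    The 0600 mode is applied by os.open at creation, so the file never
    exists with the umask's default (often 0644); O_EXCL refuses to
    overwrite an existing file of the same name.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)


def readable_by_others(path: str) -> bool:
    """True if the group or world read bit is set on `path`."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def demo() -> dict:
    """Constructed comparison: a loosely saved key file beside a private one."""
    payload = b"<html>constructed placeholder, not a real Sync key</html>"
    with tempfile.TemporaryDirectory() as tmp:   # stands in for a download folder
        loose = os.path.join(tmp, "Firefox Recovery Key (loose).html")
        private = os.path.join(tmp, "Firefox Recovery Key.html")
        with open(loose, "wb") as fh:            # ordinary create: umask decides
            fh.write(payload)
        os.chmod(loose, 0o644)                   # force the mode the bug produced
        write_private_file(private, payload)
        return {
            "loose": readable_by_others(loose),
            "private": readable_by_others(private),
            "private_mode": stat.S_IMODE(os.stat(private).st_mode),
        }
```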


MITIGATION

        These vulnerabilities are corrected in the 10.0 release of Mozilla 
        Firefox and the 10.0 release of Mozilla Thunderbird.
        
        It is recommended that users update to the latest version of
        Mozilla Firefox and Mozilla Thunderbird. [10, 11]


REFERENCES

        [1] mfsa2012-01
            http://www.mozilla.org/security/announce/2012/mfsa2012-01.html

        [2] mfsa2012-02
            http://www.mozilla.org/security/announce/2012/mfsa2012-02.html

        [3] mfsa2012-03
            http://www.mozilla.org/security/announce/2012/mfsa2012-03.html

        [4] mfsa2012-04
            http://www.mozilla.org/security/announce/2012/mfsa2012-04.html

        [5] mfsa2012-05
            http://www.mozilla.org/security/announce/2012/mfsa2012-05.html

        [6] mfsa2012-06
            http://www.mozilla.org/security/announce/2012/mfsa2012-06.html

        [7] mfsa2012-07
            http://www.mozilla.org/security/announce/2012/mfsa2012-07.html

        [8] mfsa2012-08
            http://www.mozilla.org/security/announce/2012/mfsa2012-08.html

        [9] mfsa2012-09
            http://www.mozilla.org/security/announce/2012/mfsa2012-09.html

        [10] Firefox 10.0 download
             http://www.mozilla.org/en-US/firefox/new/

        [11] Thunderbird 10.0 download
             http://www.mozilla.org/en-US/thunderbird/download

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----