13 February 2012
===========================================================================
AUSCERT Security Bulletin

ASB-2012.0020
Mozilla Firefox, Thunderbird, and SeaMonkey: Execute arbitrary
code/commands - Remote with user interaction
13 February 2012
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:              Mozilla Firefox
                      Mozilla Thunderbird
                      Mozilla SeaMonkey
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2012-0452
Member content until: Wednesday, March 14 2012

OVERVIEW

A denial of service vulnerability has been fixed in Mozilla Firefox and
Thunderbird prior to 10.0.1, and in SeaMonkey prior to version 2.7.1.

Firefox 9 and earlier are not affected by this vulnerability.

IMPACT

The vendor has provided the following details about the vulnerability:

"Mozilla developers Andrew McCreight and Olli Pettay found that
ReadPrototypeBindings will leave a XBL binding in a hash table even when
the function fails. If this occurs, when the cycle collector reads this
hash table and attempts to do a virtual method on this binding a crash
will occur. This crash may be potentially exploitable."

MITIGATION

Users of the affected versions should upgrade to the latest versions of
Firefox, Thunderbird, and SeaMonkey.

REFERENCES

Mozilla Foundation Security Advisory 2012-10
http://www.mozilla.org/security/announce/2012/mfsa2012-10.html

Mozilla Firefox Web Browser - Free Download
http://www.mozilla.org/firefox/

Thunderbird - Software made to make email easier
http://www.mozilla.org/thunderbird/

The SeaMonkey Project
http://www.seamonkey-project.org/

AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: email@example.com
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
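The failure pattern quoted under IMPACT, as an added example that is not part of the AusCERT bulletin and is not Mozilla's code: a simplified C++ model in which a reader publishes an object in a lookup table before the read can still fail, next to a version that rolls the entry back. All type and function names are hypothetical, and the model assumes the failed binding is released on the error path.

```cpp
#include <cstddef>
#include <cstdio>
#include <map>
#include <memory>
#include <string>

// Simplified model of the flaw class; hypothetical names, not Mozilla code.
struct Binding {
    virtual ~Binding() = default;
    virtual void Traverse() const {}  // stands in for the collector's virtual call
};

struct BindingDocument {
    std::map<std::string, Binding*> table;                  // walked later by a collector
    std::map<std::string, std::unique_ptr<Binding>> owned;  // bindings that loaded fully
};

// Flawed: the binding is published before the read can still fail.
bool ReadBindingFlawed(BindingDocument& doc, const std::string& id, bool streamOk) {
    auto binding = std::make_unique<Binding>();
    doc.table[id] = binding.get();     // registered too early
    if (!streamOk) return false;       // binding is freed here, table entry stays
    doc.owned[id] = std::move(binding);
    return true;
}

// Fixed: the error path removes the table entry before returning.
bool ReadBindingFixed(BindingDocument& doc, const std::string& id, bool streamOk) {
    auto binding = std::make_unique<Binding>();
    doc.table[id] = binding.get();
    if (!streamOk) { doc.table.erase(id); return false; }
    doc.owned[id] = std::move(binding);
    return true;
}

// Audit: table entries with no live owner. Calling Traverse() on one of these
// would touch freed memory, so this check never dereferences the pointer.
std::size_t CountStaleEntries(const BindingDocument& doc) {
    std::size_t stale = 0;
    for (const auto& entry : doc.table)
        if (doc.owned.find(entry.first) == doc.owned.end()) ++stale;
    return stale;
}

int main() {
    BindingDocument flawed, fixed;
    ReadBindingFlawed(flawed, "bad", false);  // constructed failing read
    ReadBindingFixed(fixed, "bad", false);
    std::printf("stale: flawed=%zu fixed=%zu\n",
                CountStaleEntries(flawed), CountStaleEntries(fixed));
}
```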