===========================================================================
AUSCERT Security Bulletin

ASB-2012.0027
New versions of Firefox, Thunderbird and SeaMonkey correct the recent
libpng vulnerability
21 February 2012
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:              Firefox
                      Thunderbird
                      SeaMonkey
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2011-3026
Member content until: Thursday, March 22 2012
Reference:            ESB-2012.0183
                      ESB-2012.0178

OVERVIEW

A code execution vulnerability has been fixed in Mozilla Firefox and Thunderbird prior to 10.0.2, and in SeaMonkey prior to version 2.7.2. Firefox 3.6.27 and Thunderbird 3.1.19 also fix this vulnerability. [1]

IMPACT

The vendor has provided the following details about the vulnerability:

"An integer overflow in the libpng library can lead to a heap-buffer overflow when decompressing certain PNG images. This leads to a crash, which may be potentially exploitable." [1]

MITIGATION

Users of the affected versions should upgrade to the latest versions of Firefox, [2] Thunderbird, [3] and SeaMonkey. [4]

REFERENCES

[1] Mozilla Foundation Security Advisory 2012-11
    http://www.mozilla.org/security/announce/2012/mfsa2012-11.html

[2] Mozilla Firefox Web Browser - Free Download
    http://www.mozilla.org/firefox/

[3] Thunderbird - Software made to make email easier
    http://www.mozilla.org/thunderbird/

[4] The SeaMonkey Project
    http://www.seamonkey-project.org/

AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation.
The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business
                hours which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
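
The following inventory triage is an added example, not part of the AusCERT bulletin: it flags installs older than the fixed releases named in the OVERVIEW. The host names, inventory rows and function names are constructed for illustration, and it assumes only the Firefox 3.6 and Thunderbird 3.1 series received a separate fix, as the bulletin lists.

```python
import re

# First fixed releases named in ASB-2012.0027. "mainline" is the
# "prior to X" rule; "branches" are the older series the bulletin
# lists as also fixed (assumption: no other series got a fix).
FIXED = {
    "firefox": {"mainline": (10, 0, 2), "branches": {(3, 6): (3, 6, 27)}},
    "thunderbird": {"mainline": (10, 0, 2), "branches": {(3, 1): (3, 1, 19)}},
    "seamonkey": {"mainline": (2, 7, 2), "branches": {}},
}


def parse_version(text):
    """Parse '10.0.1' or '3.6' into a 3-tuple of ints, padding with zeros."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def needs_upgrade(product, version):
    """True if older than the fixed release, None if product not covered."""
    rules = FIXED.get(product.strip().lower())
    if rules is None:
        return None
    v = parse_version(version)
    # Use the per-series fix when the install is on a listed older series.
    fixed = rules["branches"].get(v[:2], rules["mainline"])
    return v < fixed


def triage(inventory):
    """Return (host, product, version) rows that still need the upgrade."""
    return [row for row in inventory if needs_upgrade(row[1], row[2])]


# Constructed sample inventory (hypothetical hosts), not real data.
SAMPLE_INVENTORY = [
    ("ws-01", "Firefox", "10.0.1"),
    ("ws-02", "Firefox", "3.6.27"),
    ("ws-03", "Thunderbird", "3.1.18"),
    ("ws-04", "SeaMonkey", "2.7.2"),
    ("ws-05", "Firefox", "9.0.1"),
    ("ws-06", "Chrome", "17.0"),
]

if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: upgrade {product} {version}")
```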