Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT Security Bulletin
ASB-2012.0027
New versions of Firefox, Thunderbird and SeaMonkey correct
the recent libpng vulnerability
21 February 2012
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Firefox
Thunderbird
SeaMonkey
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Denial of Service -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2011-3026
Member content until: Thursday, March 22 2012
Reference: ESB-2012.0183
ESB-2012.0178
OVERVIEW
A code execution vulnerability has been fixed in Mozilla Firefox and
Thunderbird prior to 10.0.2, and in SeaMonkey prior to version 2.7.2.
Firefox 3.6.27 and Thunderbird 3.1.19 also fix this vulnerability.[1]
IMPACT
The vendor has provided the following details about the vulnerability:
"An integer overflow in the libpng library can lead to a heap-buffer
overflow when decompressing certain PNG images. This leads to a crash,
which may be potentially exploitable." [1]
MITIGATION
Users of the affected versions should upgrade to the latest versions of
Firefox,[2] Thunderbird, [3] and SeaMonkey. [4]
REFERENCES
[1] Mozilla Foundation Security Advisory 2012-11
http://www.mozilla.org/security/announce/2012/mfsa2012-11.html
[2] Mozilla Firefox Web Browser - Free Download
http://www.mozilla.org/firefox/
[3] Thunderbird - Software made to make email easier
http://www.mozilla.org/thunderbird/
[4] The SeaMonkey Project
http://www.seamonkey-project.org/
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBT0Ll1e4yVqjM2NGpAQKBPQ/+OtR5F1RirAhP1+nqzso8OZwEQxxWPYq+
363aS5kmnLDDDDmOy1z2o6NBx9t6UsI5i5pNRcz2AhIA4CGzBi21/yGZj0Csyqgq
Nbwb3grUDoKCzhYnBVFLFtpNoA05M7t5pjma0sSlbO4DdvTfDfflAVY44yL00S25
d8vV8Z+sRAjeaMzsSgh5mTzrMqn6r0guwBfK8WJahdCJsmvqQwm4iKtZP2GgtZzE
nFuKnO030Axbtfmovi3fcQCMb/iKd96gxlr1pBdTZtjeEss5Xr0SWyPTw0OKfcG5
InyR8Y7PAe3TwTzmt6EFu5yoGOYVOHsztlNLSJTfpzFHsYCdXrLowWe0qWqBYJYK
7ZlJQ4d+0dpOrHxIT98v/VlujdFNkR60Wm6JZaOmjeIQkBplGJ1YNbAHMWvVGULX
xzXw7mLZh7oPhV68rNQneoXzNO1K+CW9lF31xT7NUkHn3JMLittrqVdWdnhEFnxF
k9gqw4UtGRYmYHHhyAQgvrKr3JjR59r8qLLLv9lOwvCzdmcrWDJOxNUFQt85BDFD
n+X2jIwnX+oRtU2c+gR8Gzelfulub+lKp6r8bGnkmULYlvzp7do077YUvyMsZtXZ
D2vV6tz0s1P7PCoODrrdDowP+cjw1wTuAgpfu6955KvrPVnSki8LTtVz33MaSjAX
U48mpEI3GdA=
=/BJr
-----END PGP SIGNATURE-----