Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT Security Bulletin
ASB-2012.0082
New versions of Firefox, Thunderbird, and SeaMonkey
6 June 2012
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Firefox
Thunderbird
SeaMonkey
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Cross-site Scripting -- Remote with User Interaction
Denial of Service -- Remote with User Interaction
Access Confidential Data -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2012-1947 CVE-2012-1946 CVE-2012-1945
CVE-2012-1944 CVE-2012-1943 CVE-2012-1942
CVE-2012-1941 CVE-2012-1940 CVE-2012-1939
CVE-2012-1938 CVE-2012-1937 CVE-2012-0441
CVE-2011-3101
Member content until: Friday, July 6 2012
Comment: Note: Vulnerability CVE-2012-1945 could potentially affect Linux
machines with samba shares enabled.
OVERVIEW
Multiple vulnerabilities have been fixed in Mozilla Firefox,
Thunderbird and in SeaMonkey. [1]
IMPACT
The vendor has provided the following details about the vulnerabilities:
"Mozilla developers identified and fixed several memory safety bugs in
the browser engine used in Firefox and other Mozilla-based products.
Some of these bugs showed evidence of memory corruption under certain
circumstances, and we presume that with enough effort at least some of
these could be exploited to run arbitrary code." MFSA 2012-34 [2]
"Security researcher James Forshaw of Context Information Security found
two issues with the Mozilla updater and the Mozilla updater service
introduced in Firefox 12 for Windows. The first issue allows Mozilla's
updater to load a local DLL file in a privileged context. The updater
can be called by the Updater Service or independently on systems that
do not use the service. The second of these issues allows for the
updater service to load an arbitrary local DLL file, which can then be
run with the same system privileges used by the service. Both of these
issues require local file system access to be exploitable. "
MFSA 2012-35 [3]
"Security researcher Adam Barth found that inline event handlers, such
as onclick, were no longer blocked by Content Security Policy's (CSP)
inline-script blocking feature. Web applications relying on this
feature of CSP to protect against cross-site scripting (XSS) were not
fully protected. " MFSA 2012-36 [4]
"Security researcher Paul Stone reported an attack where an HTML page
hosted on a Windows share and then loaded could then load Windows
shortcut files (.lnk) in the same share. These shortcut files could
then link to arbitrary locations on the local file system of the
individual loading the HTML page. That page could show the contents
of these linked files or directories from the local file system in an
iframe, causing information disclosure. " MFSA 2012-37 [5]
"Security researcher Arthur Gerkis used the Address Sanitizer tool to
find a use-after-free while replacing/inserting a node in a document.
This use-after-free could possibly allow for remote code execution. "
MFSA 2012-38 [6]
"Security researcher Kaspar Brand found a flaw in how the Network
Security Services (NSS) ASN.1 decoder handles zero length items.
Effects of this issue depend on the field. One known symptom is an
unexploitable crash in handling OCSP responses. NSS also mishandles
zero-length basic constraints, assuming default values for some types
that should be rejected as malformed. These issues have been addressed
in NSS 3.13.4, which is now being used by Mozilla. " MFSA 2012-39 [7]
"Security researcher Abhishek Arya of Google used the Address Sanitizer
tool to uncover several issues: two heap buffer overflow bugs and a
use-after-free problem. The first heap buffer overflow was found in
conversion from unicode to native character sets when the function fails.
The use-after-free occurs in nsFrameList when working with column layout
with absolute positioning in a container that changes size. The second
buffer overflow occurs in nsHTMLReflowState when a window is resized on
a page with nested columns and a combination of absolute and relative
positioning. All three of these issues are potentially exploitable. "
MFSA 2012-40 [8]
MITIGATION
Users of the affected versions should upgrade to current versions:
- Firefox: 13 or Firefox ESR 10.0.5
- Thunderbird: 13 or Thunderbird ESR 10.0.5
- SeaMonkey: 2.10
REFERENCES
[1] Mozilla Foundation Security Advisories
http://www.mozilla.org/security/announce/
[2] Mozilla Foundation Security Advisory 2012-34
http://www.mozilla.org/security/announce/2012/mfsa2012-34.html
[3] Mozilla Foundation Security Advisory 2012-35
http://www.mozilla.org/security/announce/2012/mfsa2012-35.html
[4] Mozilla Foundation Security Advisory 2012-36
http://www.mozilla.org/security/announce/2012/mfsa2012-36.html
[5] Mozilla Foundation Security Advisory 2012-37
http://www.mozilla.org/security/announce/2012/mfsa2012-37.html
[6] Mozilla Foundation Security Advisory 2012-38
http://www.mozilla.org/security/announce/2012/mfsa2012-38.html
[7] Mozilla Foundation Security Advisory 2012-39
http://www.mozilla.org/security/announce/2012/mfsa2012-39.html
[8] Mozilla Foundation Security Advisory 2012-40
http://www.mozilla.org/security/announce/2012/mfsa2012-40.html
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBT87aAO4yVqjM2NGpAQI4Ww//T1pw+y/+NdOfJx6p5I/9xRMRtLAAy8FS
5y9hUoKzqxN62ObvAxOsb+L0geaxtINXFi0x/+BPN/9OxFxAw/2LgUeJI3lyS+x2
W9Rgs3hWpDxhhEPPND7qDJVhff5dHwZkHNZLJgzJ0zmYVtnTrjk/0VS8X8vknNtV
PYQMn7ZunRCUmw/2ZnQBqZDSdYGYQCJvoUnY6Ubi643bJHjDZyg5zUAJOzjhP20F
yKDMh9S43/mZqeVntVKyDhJlUPr4V1+OGQSionuQt/vRfFkng9Rv4FnWsRpLP+YW
ymQERErW7vv4KGXYiHc+YfDw0srzKIquBgzuAj2F/8Fvx0tkVFHXL83+9ar+2WNN
yMyy1nEkbxvEsLrPgRCLATF8MLLM8MU6KpO0aEC0CyT/0orLUDWNbaNvpovhTpWP
G5a1lAO++nDX3FJTzF68EBbuB0zhcoNdK5jl2XyvctBjNlBUDUEJaRkG8rkT2Kcv
OGs35VZPYkLQtLpRCBLWkRvkqpZ/NjZ1WlqfmMs3iq5gD1Y7dR8YqnsOfY12NQYc
gMehPfYX5o0iMkbw0m+pmFAWj11AvCep36NQNHNdZBNK7VJDcbXIqr3fhNUtTvKU
krMyUpZntwB/AHtYwDQ+lFuakVbDrOHonbosvQyihSToKq8uFd0+nRlLmkT/dn9X
UKOL522dD/8=
=kclm
-----END PGP SIGNATURE-----