
                         AUSCERT Security Bulletin

            New versions of Firefox, Thunderbird, and SeaMonkey
                                6 June 2012


        AusCERT Security Bulletin Summary

Product:              Firefox
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Cross-site Scripting            -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Access Confidential Data        -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2012-1947 CVE-2012-1946 CVE-2012-1945
                      CVE-2012-1944 CVE-2012-1943 CVE-2012-1942
                      CVE-2012-1941 CVE-2012-1940 CVE-2012-1939
                      CVE-2012-1938 CVE-2012-1937 CVE-2012-0441
Member content until: Friday, July  6 2012

Comment: Note: CVE-2012-1945 may also affect Linux machines that have
         Samba shares enabled.


        Multiple vulnerabilities have been fixed in Mozilla Firefox, 
        Thunderbird and in SeaMonkey. [1]


        The vendor has provided the following details about the vulnerabilities:
        "Mozilla developers identified and fixed several memory safety bugs in 
        the browser engine used in Firefox and other Mozilla-based products. 
        Some of these bugs showed evidence of memory corruption under certain 
        circumstances, and we presume that with enough effort at least some of 
        these could be exploited to run arbitrary code." MFSA 2012-34 [2]
        "Security researcher James Forshaw of Context Information Security found 
        two issues with the Mozilla updater and the Mozilla updater service 
        introduced in Firefox 12 for Windows. The first issue allows Mozilla's 
        updater to load a local DLL file in a privileged context. The updater 
        can be called by the Updater Service or independently on systems that 
        do not use the service. The second of these issues allows for the 
        updater service to load an arbitrary local DLL file, which can then be 
        run with the same system privileges used by the service. Both of these 
        issues require local file system access to be exploitable."
        MFSA 2012-35 [3]
        "Security researcher Adam Barth found that inline event handlers, such 
        as onclick, were no longer blocked by Content Security Policy's (CSP) 
        inline-script blocking feature. Web applications relying on this 
        feature of CSP to protect against cross-site scripting (XSS) were not 
        fully protected." MFSA 2012-36 [4]
        "Security researcher Paul Stone reported an attack where an HTML page 
        hosted on a Windows share and then loaded could then load Windows 
        shortcut files (.lnk) in the same share. These shortcut files could 
        then link to arbitrary locations on the local file system of the 
        individual loading the HTML page. That page could show the contents 
        of these linked files or directories from the local file system in an 
        iframe, causing information disclosure." MFSA 2012-37 [5]
        "Security researcher Arthur Gerkis used the Address Sanitizer tool to 
        find a use-after-free while replacing/inserting a node in a document. 
        This use-after-free could possibly allow for remote code execution."
        MFSA 2012-38 [6]
        "Security researcher Kaspar Brand found a flaw in how the Network 
        Security Services (NSS) ASN.1 decoder handles zero length items. 
        Effects of this issue depend on the field. One known symptom is an 
        unexploitable crash in handling OCSP responses. NSS also mishandles 
        zero-length basic constraints, assuming default values for some types 
        that should be rejected as malformed. These issues have been addressed 
        in NSS 3.13.4, which is now being used by Mozilla." MFSA 2012-39 [7]
        "Security researcher Abhishek Arya of Google used the Address Sanitizer 
        tool to uncover several issues: two heap buffer overflow bugs and a 
        use-after-free problem. The first heap buffer overflow was found in 
        conversion from unicode to native character sets when the function fails. 
        The use-after-free occurs in nsFrameList when working with column layout 
        with absolute positioning in a container that changes size. The second 
        buffer overflow occurs in nsHTMLReflowState when a window is resized on 
        a page with nested columns and a combination of absolute and relative 
        positioning. All three of these issues are potentially exploitable."
        MFSA 2012-40 [8]
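        The zero-length item problem described under MFSA 2012-39 above can be
        illustrated with a strict decoder. The following Python is an added
        example written for this bulletin, not code from AusCERT, Mozilla or
        NSS; it decodes the X.509 BasicConstraints extension and refuses
        zero-length BOOLEAN and INTEGER items instead of assuming default
        values for them:

```python
# Added example (not AusCERT's or Mozilla/NSS code): a strict DER decoder for the
# X.509 BasicConstraints extension (SEQUENCE { cA BOOLEAN DEFAULT FALSE,
# pathLenConstraint INTEGER OPTIONAL }) that rejects zero-length BOOLEAN and
# INTEGER items rather than assuming defaults, the lenient behaviour MFSA 2012-39 describes.
TAG_BOOLEAN, TAG_INTEGER, TAG_SEQUENCE = 0x01, 0x02, 0x30


class MalformedDER(ValueError):
    """Raised for any encoding a strict decoder must refuse."""


def read_tlv(buf, pos):
    # Return (tag, contents, next_pos); short-form lengths only, enough for this extension.
    if pos + 2 > len(buf):
        raise MalformedDER("truncated tag/length header")
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise MalformedDER("long-form length not expected in BasicConstraints")
    end = pos + 2 + length
    if end > len(buf):
        raise MalformedDER("declared length runs past end of buffer")
    return tag, buf[pos + 2:end], end


def decode_basic_constraints(der):
    """Return (cA, pathLenConstraint) or raise MalformedDER."""
    tag, body, end = read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise MalformedDER("expected exactly one SEQUENCE")
    ca, path_len, pos = False, None, 0
    if pos < len(body) and body[pos] == TAG_BOOLEAN:
        _, val, pos = read_tlv(body, pos)
        # A zero-length BOOLEAN is malformed; never silently treat it as FALSE.
        if len(val) != 1 or val[0] not in (0x00, 0xFF):
            raise MalformedDER("BOOLEAN must be one byte, 0x00 or 0xFF")
        ca = val[0] == 0xFF
    if pos < len(body) and body[pos] == TAG_INTEGER:
        _, val, pos = read_tlv(body, pos)
        # A zero-length INTEGER carries no value; reject rather than default to 0.
        if len(val) == 0 or val[0] & 0x80:
            raise MalformedDER("pathLenConstraint must be a non-negative INTEGER")
        path_len = int.from_bytes(val, "big")
    if pos != len(body):
        raise MalformedDER("unexpected trailing bytes in BasicConstraints")
    return ca, path_len


def is_malformed(der):
    # True if the strict decoder rejects the encoding.
    try:
        decode_basic_constraints(der)
    except MalformedDER:
        return True
    return False
```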


        Users of the affected versions should upgrade to current versions:
        - Firefox: 13 or Firefox ESR 10.0.5
        - Thunderbird: 13 or Thunderbird ESR 10.0.5
        - SeaMonkey: 2.10


        [1] Mozilla Foundation Security Advisories

        [2] Mozilla Foundation Security Advisory 2012-34

        [3] Mozilla Foundation Security Advisory 2012-35

        [4] Mozilla Foundation Security Advisory 2012-36

        [5] Mozilla Foundation Security Advisory 2012-37

        [6] Mozilla Foundation Security Advisory 2012-38

        [7] Mozilla Foundation Security Advisory 2012-39

        [8] Mozilla Foundation Security Advisory 2012-40

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967