-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                              ASB-2012.0082
            New versions of Firefox, Thunderbird, and SeaMonkey
                               6 June 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Firefox
                      Thunderbird
                      SeaMonkey
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Cross-site Scripting            -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Access Confidential Data        -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2012-1947 CVE-2012-1946 CVE-2012-1945 CVE-2012-1944
                      CVE-2012-1943 CVE-2012-1942 CVE-2012-1941 CVE-2012-1940
                      CVE-2012-1939 CVE-2012-1938 CVE-2012-1937 CVE-2012-0441
                      CVE-2011-3101
Member content until: Friday, July 6 2012

Comment: Note: Vulnerability CVE-2012-1945 could potentially affect Linux
         machines with samba shares enabled.

OVERVIEW

        Multiple vulnerabilities have been fixed in Mozilla Firefox,
        Thunderbird and SeaMonkey. [1]

IMPACT

        The vendor has provided the following details about the
        vulnerabilities:

        "Mozilla developers identified and fixed several memory safety bugs
        in the browser engine used in Firefox and other Mozilla-based
        products. Some of these bugs showed evidence of memory corruption
        under certain circumstances, and we presume that with enough effort
        at least some of these could be exploited to run arbitrary code."
        MFSA 2012-34 [2]

        "Security researcher James Forshaw of Context Information Security
        found two issues with the Mozilla updater and the Mozilla updater
        service introduced in Firefox 12 for Windows. The first issue allows
        Mozilla's updater to load a local DLL file in a privileged context.
        The updater can be called by the Updater Service or independently on
        systems that do not use the service. The second of these issues
        allows for the updater service to load an arbitrary local DLL file,
        which can then be run with the same system privileges used by the
        service. Both of these issues require local file system access to be
        exploitable."
        MFSA 2012-35 [3]

        "Security researcher Adam Barth found that inline event handlers,
        such as onclick, were no longer blocked by Content Security Policy's
        (CSP) inline-script blocking feature. Web applications relying on
        this feature of CSP to protect against cross-site scripting (XSS)
        were not fully protected."
        MFSA 2012-36 [4]

        "Security researcher Paul Stone reported an attack where an HTML page
        hosted on a Windows share and then loaded could then load Windows
        shortcut files (.lnk) in the same share. These shortcut files could
        then link to arbitrary locations on the local file system of the
        individual loading the HTML page. That page could show the contents
        of these linked files or directories from the local file system in
        an iframe, causing information disclosure."
        MFSA 2012-37 [5]

        "Security researcher Arthur Gerkis used the Address Sanitizer tool to
        find a use-after-free while replacing/inserting a node in a document.
        This use-after-free could possibly allow for remote code execution."
        MFSA 2012-38 [6]

        "Security researcher Kaspar Brand found a flaw in how the Network
        Security Services (NSS) ASN.1 decoder handles zero length items.
        Effects of this issue depend on the field. One known symptom is an
        unexploitable crash in handling OCSP responses. NSS also mishandles
        zero-length basic constraints, assuming default values for some types
        that should be rejected as malformed. These issues have been
        addressed in NSS 3.13.4, which is now being used by Mozilla."
        MFSA 2012-39 [7]

        "Security researcher Abhishek Arya of Google used the Address
        Sanitizer tool to uncover several issues: two heap buffer overflow
        bugs and a use-after-free problem. The first heap buffer overflow was
        found in conversion from unicode to native character sets when the
        function fails. The use-after-free occurs in nsFrameList when working
        with column layout with absolute positioning in a container that
        changes size. The second buffer overflow occurs in nsHTMLReflowState
        when a window is resized on a page with nested columns and a
        combination of absolute and relative positioning. All three of these
        issues are potentially exploitable."
        MFSA 2012-40 [8]

MITIGATION

        Users of the affected versions should upgrade to current versions:

        - Firefox:     13 or Firefox ESR 10.0.5
        - Thunderbird: 13 or Thunderbird ESR 10.0.5
        - SeaMonkey:   2.10

REFERENCES

        [1] Mozilla Foundation Security Advisories
            http://www.mozilla.org/security/announce/

        [2] Mozilla Foundation Security Advisory 2012-34
            http://www.mozilla.org/security/announce/2012/mfsa2012-34.html

        [3] Mozilla Foundation Security Advisory 2012-35
            http://www.mozilla.org/security/announce/2012/mfsa2012-35.html

        [4] Mozilla Foundation Security Advisory 2012-36
            http://www.mozilla.org/security/announce/2012/mfsa2012-36.html

        [5] Mozilla Foundation Security Advisory 2012-37
            http://www.mozilla.org/security/announce/2012/mfsa2012-37.html

        [6] Mozilla Foundation Security Advisory 2012-38
            http://www.mozilla.org/security/announce/2012/mfsa2012-38.html

        [7] Mozilla Foundation Security Advisory 2012-39
            http://www.mozilla.org/security/announce/2012/mfsa2012-39.html

        [8] Mozilla Foundation Security Advisory 2012-40
            http://www.mozilla.org/security/announce/2012/mfsa2012-40.html

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBT87aAO4yVqjM2NGpAQI4Ww//T1pw+y/+NdOfJx6p5I/9xRMRtLAAy8FS
5y9hUoKzqxN62ObvAxOsb+L0geaxtINXFi0x/+BPN/9OxFxAw/2LgUeJI3lyS+x2
W9Rgs3hWpDxhhEPPND7qDJVhff5dHwZkHNZLJgzJ0zmYVtnTrjk/0VS8X8vknNtV
PYQMn7ZunRCUmw/2ZnQBqZDSdYGYQCJvoUnY6Ubi643bJHjDZyg5zUAJOzjhP20F
yKDMh9S43/mZqeVntVKyDhJlUPr4V1+OGQSionuQt/vRfFkng9Rv4FnWsRpLP+YW
ymQERErW7vv4KGXYiHc+YfDw0srzKIquBgzuAj2F/8Fvx0tkVFHXL83+9ar+2WNN
yMyy1nEkbxvEsLrPgRCLATF8MLLM8MU6KpO0aEC0CyT/0orLUDWNbaNvpovhTpWP
G5a1lAO++nDX3FJTzF68EBbuB0zhcoNdK5jl2XyvctBjNlBUDUEJaRkG8rkT2Kcv
OGs35VZPYkLQtLpRCBLWkRvkqpZ/NjZ1WlqfmMs3iq5gD1Y7dR8YqnsOfY12NQYc
gMehPfYX5o0iMkbw0m+pmFAWj11AvCep36NQNHNdZBNK7VJDcbXIqr3fhNUtTvKU
krMyUpZntwB/AHtYwDQ+lFuakVbDrOHonbosvQyihSToKq8uFd0+nRlLmkT/dn9X
UKOL522dD/8=
=kclm
-----END PGP SIGNATURE-----
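The MFSA 2012-36 item above (inline event handlers such as onclick escaping CSP's inline-script blocking) matters to anyone who deployed a Content-Security-Policy without 'unsafe-inline' and treated that as their XSS backstop: on an affected browser the <script> bodies were blocked but on* attributes still ran. The following audit script is an added example, not code from the bulletin or from Mozilla; it parses a page together with the CSP it is served under and lists every piece of inline script the policy is supposed to block, so an application owner can find the handlers a broken browser would still execute and move them to addEventListener. The sample policy and page are constructed for illustration; the parsing of the policy only looks at script-src and its default-src fallback.

```python
# Added example (not from the AusCERT bulletin or from Mozilla): list the
# inline script on a page that its Content-Security-Policy is meant to block.
# Inline <script> bodies, on* event-handler attributes and javascript: URLs
# are all "inline script" under CSP; MFSA 2012-36 concerned browsers that
# blocked the first but let the handlers run.
from html.parser import HTMLParser


def script_sources(csp):
    """Return the source list governing script execution: script-src if
    present, otherwise default-src, otherwise None (nothing restricts script)."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    if "script-src" in directives:
        return directives["script-src"]
    return directives.get("default-src")


def allows_inline_script(csp):
    """True when the policy permits inline script: 'unsafe-inline' is in the
    governing list, or there is no governing directive at all."""
    sources = script_sources(csp)
    return sources is None or "'unsafe-inline'" in sources


class InlineScriptFinder(HTMLParser):
    """Collect (kind, tag, attribute, snippet) for every inline script form."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        # html.parser already lowercases tag and attribute names.
        for name, value in attrs:
            if name.startswith("on") and len(name) > 2:
                self.findings.append(("event-handler", tag, name, value or ""))
            elif name in ("href", "src", "action") and value \
                    and value.strip().lower().startswith("javascript:"):
                self.findings.append(("javascript-url", tag, name, value))
        if tag == "script":
            # A <script src=...> is an external script; only src-less ones are inline.
            self._in_inline_script = not any(n == "src" for n, _ in attrs)

    def handle_data(self, data):
        if self._in_inline_script and data.strip():
            self.findings.append(("inline-script", "script", None, data.strip()))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False


def audit(csp, html):
    """Return the inline script occurrences that `csp` is supposed to block.
    Empty means the page has none, or the policy allows inline script anyway."""
    if allows_inline_script(csp):
        return []
    finder = InlineScriptFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample: a policy without 'unsafe-inline' and a page that still
# carries one inline block, one onclick handler and one javascript: link.
SAMPLE_CSP = "default-src 'self'; script-src 'self' https://cdn.example"
SAMPLE_HTML = """<html><body>
<script src="/static/app.js"></script>
<script>init();</script>
<button onclick="submitForm()">Go</button>
<a href="javascript:void(0)">more</a>
<img src="/logo.png" alt="logo">
</body></html>"""

if __name__ == "__main__":
    for kind, tag, attr, snippet in audit(SAMPLE_CSP, SAMPLE_HTML):
        print(f"{kind:14s} <{tag}> {attr or ''} {snippet!r}")
```

Run it against rendered pages (the HTML as the browser receives it, not templates) with the exact header value the server sends; a non-empty result is a list of places where the application is trusting the browser's CSP enforcement rather than its own output encoding.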
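The MITIGATION section gives two fixed versions per product, and the trap in checking an estate against it is that Firefox and Thunderbird 11.x and 12.x sit numerically above ESR 10.0.5 yet have no fix at all: only the 10.x ESR line is fixed at 10.0.5, everything else has to reach 13, and SeaMonkey has a single line fixed at 2.10. The helper below is an added example, not from the bulletin or from Mozilla, encoding that rule; the version strings it parses are constructed in the style of `firefox --version` output, and the fixed-version table is the bulletin's.

```python
# Added example (not from the AusCERT bulletin or from Mozilla): decide whether
# an installed version is below the fixed versions in the MITIGATION section.
import re

# Fixed versions from the bulletin: (ESR line fix, mainline fix).
# None means the product has no ESR line.
FIXED = {
    "firefox":     ((10, 0, 5), (13,)),
    "thunderbird": ((10, 0, 5), (13,)),
    "seamonkey":   (None,       (2, 10)),
}


def parse_version(text):
    """'Mozilla Firefox 10.0.4esr' -> (10, 0, 4): the first dotted number in
    the string, ignoring product words and suffixes such as 'esr'."""
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def fixed_target(product, version_text):
    """The version the bulletin says this install must reach: the ESR fix if
    the install is on the ESR major line, otherwise the new mainline release."""
    esr_fix, mainline_fix = FIXED[product.lower()]
    v = parse_version(version_text)
    if esr_fix is not None and v[0] == esr_fix[0]:
        return esr_fix
    return mainline_fix


def needs_upgrade(product, version_text):
    """True when the installed version is below its fixed target.
    Tuple comparison handles 2.9 < 2.10 and 10.0.4 < 10.0.5 correctly."""
    return parse_version(version_text) < fixed_target(product, version_text)


if __name__ == "__main__":
    # Constructed inventory lines in the style of `firefox --version` output.
    inventory = [
        ("firefox", "Mozilla Firefox 12.0"),
        ("firefox", "Mozilla Firefox 10.0.4esr"),
        ("firefox", "Mozilla Firefox 10.0.5esr"),
        ("thunderbird", "Thunderbird 12.0.1"),
        ("seamonkey", "SeaMonkey 2.9"),
    ]
    for product, text in inventory:
        verdict = "UPGRADE to %s" % ".".join(map(str, fixed_target(product, text))) \
            if needs_upgrade(product, text) else "ok"
        print(f"{text:28s} {verdict}")
```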