Hash: SHA1

                         AUSCERT Security Bulletin

        New versions of Mozilla Firefox, Thunderbird, and SeaMonkey
                       fix multiple vulnerabilities.
                              11 October 2012


        AusCERT Security Bulletin Summary

Product:              Firefox
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
                      Mobile Device
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Cross-site Scripting            -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Provide Misleading Information  -- Remote with User Interaction
                      Unauthorised Access             -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2012-4188 CVE-2012-4187 CVE-2012-4186
                      CVE-2012-4185 CVE-2012-4184 CVE-2012-4183
                      CVE-2012-4182 CVE-2012-4181 CVE-2012-4180
                      CVE-2012-4179 CVE-2012-3995 CVE-2012-3994
                      CVE-2012-3993 CVE-2012-3992 CVE-2012-3991
                      CVE-2012-3990 CVE-2012-3989 CVE-2012-3988
                      CVE-2012-3987 CVE-2012-3986 CVE-2012-3985
                      CVE-2012-3984 CVE-2012-3983 CVE-2012-3982
Member content until: Saturday, November 10 2012


        Multiple vulnerabilities have been fixed in Mozilla Firefox, 
        Thunderbird and in SeaMonkey. [1]


        The vendor has provided the following details about the vulnerabilities:
        "Mozilla developers identified and fixed several memory safety bugs in 
        the browser engine used in Firefox and other Mozilla-based products. 
        Some of these bugs showed evidence of memory corruption under certain 
        circumstances, and we presume that with enough effort at least some of 
        these could be exploited to run arbitrary code." MFSA 2012-74 [2]
        "Security researcher David Bloom of Cue discovered that <select> 
        elements are always-on-top chromeless windows and that navigation away 
        from a page with an active <select> menu does not remove this window. 
        When another menu is opened programmatically on a new page, the original 
        <select> menu can be retained and arbitrary HTML content within it 
        rendered, allowing an attacker to cover arbitrary portions of the new 
        page through absolute positioning/scrolling, leading to spoofing attacks. 
        Security researcher Jordi Chancel found a variation that would allow for 
        click-jacking attacks was well." MFSA 2012-75 [3]
        "Security researcher Collin Jackson reported a violation of the HTML5 
        specifications for document.domain behavior. Specified behavior 
        requires pages to only have access to windows in a new document.domain 
        but the observed violation allowed pages to retain access to windows 
        from the page's initial origin in addition to the new document.domain. 
        This could potentially lead to cross-site scripting (XSS) attacks."
        MFSA 2012-76 [4]
        "Mozilla developer Johnny Stenback discovered that several methods of a 
        feature used for testing (DOMWindowUtils) are not protected by existing 
        security checks, allowing these methods to be called through script by 
        web pages. This was addressed by adding the existing security checks to 
        these methods." MFSA 2012-77 [5]
        "Security researcher Warren He reported that when a page is 
        transitioned into Reader Mode in Firefox for Android, the resulting 
        page has chrome privileges and its content is not thoroughly sanitized. 
        A successful attack requires user enabling of reader mode for a 
        malicious page, which could then perform an attack similar to 
        cross-site scripting (XSS) to gain the privileges allowed to Firefox on 
        an Android device. This has been fixed by changing the Reader Mode page 
        into an unprivileged page. 
        Note: This vulnerability only affects Firefox for Android." 
        MFSA 2012-78 [6]
        "Security researcher Soroush Dalili reported that a combination of 
        invoking full screen mode and navigating backwards in history could, in 
        some circumstances, cause a hang or crash due to a timing dependent 
        use-after-free pointer reference. This crash may be potentially 
        exploitable." MFSA 2012-79 [7]
        "Mozilla community member Ms2ger reported a crash due to an invalid cast 
        when using the instanceof operator on certain types of JavaScript 
        objects. This can lead to a potentially exploitable crash." 
        MFSA 2012-80 [8]
        "Mozilla community member Alice White reported that when the GetProperty 
        function is invoked through JSAPI, security checking can be bypassed 
        when getting cross-origin properties. This potentially allowed for 
        arbitrary code execution."  MFSA 2012-81 [9]
        "Security researcher Mariusz Mlynski reported that the location property 
        can be accessed by binary plugins through top.location and top can be 
        shadowed by Object.defineProperty as well. This can allow for possible 
        cross-site scripting (XSS) attacks through plugins." MFSA 2012-82 [10]
        "Security researcher Mariusz Mlynski reported that when InstallTrigger 
        fails, it throws an error wrapped in a Chrome Object Wrapper (COW) that 
        fails to specify exposed properties. These can then be added to the 
        resulting object by an attacker, allowing access to chrome privileged 
        functions through script.
        While investigating this issue, Mozilla security researcher moz_bug_r_a4 
        found that COW did not disallow accessing of properties from a standard 
        prototype in some situations, even when the original issue had been 
        These issues could allow for a cross-site scripting (XSS) attack or 
        arbitrary code execution." MFSA 2012-83 [11]
        "Security researcher Mariusz Mlynski reported an issue with spoofing of 
        the location property. In this issue, writes to location.hash can be 
        used in concert with scripted history navigation to cause a specific 
        website to be loaded into the history object. The baseURI can then be 
        changed to this stored site, allowing an attacker to inject a script or 
        intercept posted data posted to a location specified with a relative 
        path." MFSA 2012-84 [12]
        "Security researcher Abhishek Arya (Inferno) of the Google Chrome 
        Security Team discovered a series of use-after-free, buffer overflow, 
        and out of bounds read issues using the Address Sanitizer tool in 
        shipped software. These issues are potentially exploitable, allowing 
        for remote code execution. We would also like to thank Abhishek for 
        reporting two additional use-after-free flaws introduced during Firefox 
        16 development and fixed before general release." MFSA 2012-85 [13]
        "Security researcher Atte Kettunen from OUSPG reported several heap 
        memory corruption issues found using the Address Sanitizer tool. These 
        issues are potentially exploitable, allowing for remote code 
        execution." MFSA 2012-86 [14]
        "Security researcher miaubiz used the Address Sanitizer tool to 
        discover a use-after-free in the IME State Manager code. This could 
        lead to a potentially exploitable crash." MFSA 2012-87 [15]


        Users of the affected versions should upgrade to current versions:
        - Firefox: 16 or Firefox ESR 10.0.8
        - Thunderbird: 16 or Thunderbird ESR 10.0.8
        - SeaMonkey: 2.13


        [1] Mozilla Foundation Security Advisories

        [2] Mozilla Foundation Security Advisory 2012-74

        [3] Mozilla Foundation Security Advisory 2012-75

        [4] Mozilla Foundation Security Advisory 2012-76

        [5] Mozilla Foundation Security Advisory 2012-77

        [6] Mozilla Foundation Security Advisory 2012-78

        [7] Mozilla Foundation Security Advisory 2012-79

        [8] Mozilla Foundation Security Advisory 2012-80

        [9] Mozilla Foundation Security Advisory 2012-81

        [10] Mozilla Foundation Security Advisory 2012-82

        [11] Mozilla Foundation Security Advisory 2012-83

        [12] Mozilla Foundation Security Advisory 2012-84

        [13] Mozilla Foundation Security Advisory 2012-85

        [14] Mozilla Foundation Security Advisory 2012-86

        [15] Mozilla Foundation Security Advisory 2012-87

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967