===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2012.0139
  Two vulnerabilities fixed in Mozilla Firefox, Thunderbird, and SeaMonkey
                              12 October 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Firefox
                      Thunderbird
                      SeaMonkey
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
                      Mobile Device
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Access Confidential Data        -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2012-4193 CVE-2012-4192 CVE-2012-4191
                      CVE-2012-4190
Member content until: Sunday, November 11 2012

OVERVIEW

        Multiple vulnerabilities have been fixed in Mozilla Firefox,
        Thunderbird and in SeaMonkey. [1]

IMPACT

        The vendor has provided the following details about the
        vulnerabilities:

        CVE-2012-4190
        CVE-2012-4191

        "Mozilla developers identified and fixed two top crashing bugs in
        the browser engine used in Firefox and other Mozilla-based
        products. These bugs showed evidence of memory corruption under
        certain circumstances, and we presume that with enough effort at
        least some of these could be exploited to run arbitrary code.

        The first of these bugs, a FreeType issue, is a mobile only issue
        which happens on custom kernels like Cyanogenmod, not on standard
        Android installations. The second bug is a websockets crash
        affecting Firefox 16 but not Firefox ESR." MFSA 2012-88 [2]

        CVE-2012-4192
        CVE-2012-4193

        "Mozilla security researcher moz_bug_r_a4 reported a regression
        where security wrappers are unwrapped without doing a security
        check in defaultValue(). This can allow for improper access to the
        Location object. In versions 15 and earlier of affected products,
        there was also the potential for arbitrary code execution."
        MFSA 2012-89 [3]

MITIGATION

        Users of the affected versions should upgrade to current versions:

        - Firefox: 16.0.1 or Firefox ESR 10.0.9
        - Thunderbird: 16.0.1 or Thunderbird ESR 10.0.9
        - SeaMonkey: 2.13.1

REFERENCES

        [1] Mozilla Foundation Security Advisories
            https://www.mozilla.org/security/announce/

        [2] Mozilla Foundation Security Advisory 2012-88
            https://www.mozilla.org/security/announce/2012/mfsa2012-88.html

        [3] Mozilla Foundation Security Advisory 2012-89
            https://www.mozilla.org/security/announce/2012/mfsa2012-89.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation.  The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures.  AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================