Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT Security Bulletin
ASB-2013.0003
Multiple vulnerabilities have been fixed in the latest
versions of Mozilla Firefox, Thunderbird, & SeaMonkey
9 January 2013
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Mozilla Firefox
Mozilla Thunderbird
Mozilla SeaMonkey
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Android
Impact/Access: Administrator Compromise -- Remote with User Interaction
Execute Arbitrary Code/Commands -- Remote with User Interaction
Cross-site Scripting -- Remote with User Interaction
Denial of Service -- Remote with User Interaction
Provide Misleading Information -- Remote with User Interaction
Access Confidential Data -- Remote with User Interaction
Unauthorised Access -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2013-0771 CVE-2013-0770 CVE-2013-0769
CVE-2013-0768 CVE-2013-0767 CVE-2013-0766
CVE-2013-0764 CVE-2013-0763 CVE-2013-0762
CVE-2013-0761 CVE-2013-0760 CVE-2013-0759
CVE-2013-0758 CVE-2013-0757 CVE-2013-0756
CVE-2013-0755 CVE-2013-0754 CVE-2013-0753
CVE-2013-0752 CVE-2013-0751 CVE-2013-0750
CVE-2013-0749 CVE-2013-0748 CVE-2013-0747
CVE-2013-0746 CVE-2013-0745 CVE-2013-0744
CVE-2013-0743 CVE-2012-5829 CVE-2012-4206
Member content until: Friday, February 8 2013
Reference: ASB-2012.0162
ESB-2012.1197
ESB-2012.1156
ESB-2012.1099
OVERVIEW
Multiple vulnerabilities have been fixed in the latest versions of
Mozilla Firefox, Thunderbird and SeaMonkey.
IMPACT
CVE-2012-4206:
"Security researcher Robert Kugler reported that when a specifically
named DLL file on a Windows computer is placed in the default
downloads directory with the Firefox installer, the Firefox installer
will load this DLL when it is launched. In circumstances where the
installer is run by an administrator privileged account, this allows
for the downloaded DLL file to be run with administrator privileges.
This can lead to arbitrary code execution from a privileged account.
Note: Additional vulnerable DLL file names were found and fixed in
Firefox 18.0, Firefox ESR 17.0.1, and Firefox ESR 10.0.12 releases."[1]
CVE-2013-0769, CVE-2013-0749 and CVE-2013-0770:
"Mozilla developers identified and fixed several memory safety bugs in
the browser engine used in Firefox and other Mozilla-based products.
Some of these bugs showed evidence of memory corruption under certain
circumstances, and we presume that with enough effort at least some of
these could be exploited to run arbitrary code. Note: In general these
flaws cannot be exploited through email in the Thunderbird and
SeaMonkey products because scripting is disabled, but are potentially
a risk in browser or browser-like contexts in those products."[2]
CVE-2013-0760, CVE-2013-0762, CVE-2013-0766, CVE-2013-0767,
CVE-2013-0761, CVE-2013-0763, CVE-2013-0771 and CVE-2012-5829:
"Security researcher Abhishek Arya (Inferno) of the Google Chrome
Security Team discovered a series critically rated of use-after-free,
out of bounds read, and buffer overflow issues using the Address
Sanitizer tool in shipped software. These issues are potentially
exploitable, allowing for remote code execution. We would also like to
thank Abhishek for reporting three additional user-after-free and out
of bounds read flaws introduced during Firefox development that were
fixed before general release. Note: In general these flaws cannot be
exploited through email in the Thunderbird and SeaMonkey products
because scripting is disabled, but are potentially a risk in browser
or browser-like contexts in those products."[3]
CVE-2013-0768:
"Security researcher miaubiz used the Address Sanitizer tool to
discover a buffer overflow in Canvas when specific bad height and
width values were given through HTML. This could lead to a potentially
exploitable crash.
Miaubiz also found a potentially exploitable crash when 2D and 3D
content was mixed which was introduced during Firefox development and
fixed before general release. Note: In general these flaws cannot be
exploited through email in the Thunderbird and SeaMonkey products
because scripting is disabled, but are potentially a risk in browser
or browser-like contexts in those products."[4]
CVE-2013-0759:
"Security researcher Masato Kinugawa found a flaw in which the
displayed URL values within the addressbar can be spoofed by a page
during loading. This allows for phishing attacks where a malicious
page can spoof the identify of another site. Note: In general these
flaws cannot be exploited through email in the Thunderbird and
SeaMonkey products because scripting is disabled, but are potentially
a risk in browser or browser-like contexts in those products."[5]
CVE-2013-0744:
"Using the Address Sanitizer tool, security researcher Atte Kettunen
from OUSPG discovered that the combination of large numbers of columns
and column groups in a table could cause the array containing the
columns during rendering to overwrite itself. This can lead to a
user-after-free causing a potentially exploitable crash. Note: In
general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but
are potentially a risk in browser or browser-like contexts in those
products."[6]
CVE-2013-0751:
"Mozilla developer Wesley Johnston reported that when there are two or
more iframes on the same HTML page, an iframe is able to see the touch
events and their targets that occur within the other iframes on the
page. If the iframes are from the same origin, they can also access
the properties and methods of the targets of other iframes but
same-origin policy (SOP) restricts access across domains. This allows
for information leakage and possibilities for cross-site scripting
(XSS) if another vulnerability can be used to get around SOP
restrictions. Note: These touch events are only currently used in
Firefox for Android and other products should not be exposed these
this vulnerability."[7]
CVE-2013-0764:
"Mozilla community member Jerry Baker reported a crashing issue found
through Thunderbird when downloading messages over a Secure Sockets
Layer (SSL) connection. This was caused by a bug in the networking
code assuming that secure connections were entirely handled on the
socket transport thread when they can occur on a variety of threads.
The resulting crash was potentially exploitable. Note: While the
initial issue was found through Thunderbird, the affected networking
library is common to Mozilla code."[8]
CVE-2013-0745:
"Mozilla developer Olli Pettay discovered that the AutoWrapperChanger
class fails to keep some javascript objects alive during garbage
collection. This can lead to an exploitable crash allowing for
arbitrary code execution. Note: In general these flaws cannot be
exploited through email in the Thunderbird and SeaMonkey products
because scripting is disabled, but are potentially a risk in browser
or browser-like contexts in those products."[9]
CVE-2013-0746:
"Mozilla developer Boris Zbarsky reported reported a problem where
jsval-returning quickstubs fail to wrap their return values, causing a
compartment mismatch. This mismatch can cause garbage collection to
occur incorrectly and lead to a potentially exploitable crash. Note:
In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but
are potentially a risk in browser or browser-like contexts in those
products."[10]
CVE-2013-0747:
"Mozilla security researcher Jesse Ruderman reported that events in
the plugin handler can be manipulated by web content to bypass
same-origin policy (SOP) restrictions. This can allow for clickjacking
on malicious web pages. Note: In general these flaws cannot be
exploited through email in the Thunderbird and SeaMonkey products
because scripting is disabled, but are potentially a risk in browser
or browser-like contexts in those products."[11]
CVE-2013-0748:
"Mozilla security researcher Jesse Ruderman discovered that using the
toString function of XBL objects can lead to inappropriate information
leakage by revealing the address space layout instead of just the ID
of the object. This layout information could potentially be used to
bypass ASLR and other security protections. Note: In general these
flaws cannot be exploited through email in the Thunderbird and
SeaMonkey products because scripting is disabled, but are potentially
a risk in browser or browser-like contexts in those products."[12]
CVE-2013-0750:
"Security researcher pa_kt reported a flaw via TippingPoint's Zero Day
Initiative that an integer overflow is possible when calculating the
length for a Javascript string concatenation, which is then used for
memory allocation. This results in a buffer overflow, leading to a
potentially exploitable memory corruption. Note: In general these
flaws cannot be exploited through email in the Thunderbird and
SeaMonkey products because scripting is disabled, but are potentially
a risk in browser or browser-like contexts in those products."[13]
CVE-2013-0752:
"Security researcher Sviatoslav Chagaev reported that when using an
XBL file containing multiple XML bindings with SVG content, a memory
corruption can occur. In concern with remote XUL, this can lead to an
exploitable crash. Note: In general these flaws cannot be exploited
through email in the Thunderbird and SeaMonkey products because
scripting is disabled, but are potentially a risk in browser or
browser-like contexts in those products."[14]
CVE-2013-0757:
"Security researcher Mariusz Mlynski reported that it is possible to
change the prototype of an object and bypass Chrome Object Wrappers
(COW) to gain access to chrome privileged functions. This could allow
for arbitrary code execution. Note: In general these flaws cannot be
exploited through email in the Thunderbird and SeaMonkey products
because scripting is disabled, but are potentially a risk in browser
or browser-like contexts in those products."[15]
CVE-2013-0758:
"Security researcher Mariusz Mlynski reported that it is possible to
open a chrome privileged web page through plugin objects through
interaction with SVG elements. This could allow for arbitrary code
execution. Note: In general these flaws cannot be exploited through
email in the Thunderbird and SeaMonkey products because scripting is
disabled, but are potentially a risk in browser or browser-like
contexts in those products."[16]
CVE-2013-0753:
"Security researcher regenrecht reported, via TippingPoint's Zero Day
Initiative, a use-after-free in XMLSerializer by the exposing of
serializeToStream to web content. This can lead to arbitrary code
execution when exploited. Note: In general these flaws cannot be
exploited through email in the Thunderbird and SeaMonkey products
because scripting is disabled, but are potentially a risk in browser
or browser-like contexts in those products."[17]
CVE-2013-0754:
"Security researcher regenrecht reported, via TippingPoint's Zero Day
Initiative, a use-after-free within the ListenerManager when garbage
collection is forced after data in listener objects have been
allocated in some circumstances. This results in a use-after-free
which can lead to arbitrary code execution. Note: In general these
flaws cannot be exploited through email in the Thunderbird and
SeaMonkey products because scripting is disabled, but are potentially
a risk in browser or browser-like contexts in those products."[18]
CVE-2013-0755:
"Security researcher regenrecht reported, via TippingPoint's Zero Day
Initiative, a use-after-free using the domDoc pointer within Vibrate
library. This can lead to arbitrary code execution when exploited.
Note: In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but
are potentially a risk in browser or browser-like contexts in those
products."[19]
CVE-2013-0756:
"Security researcher regenrecht reported, via TippingPoint's Zero Day
Initiative, a garbage collection flaw in Javascript Proxy objects.
This can lead to a use-after-free leading to arbitrary code execution.
Note: In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but
are potentially a risk in browser or browser-like contexts in those
products."[20]
CVE-2013-0743:
"Google reported to Mozilla that TURKTRUST, a certificate authority in
Mozilla’s root program, had mis-issued two intermediate certificates
to customers. The issue was not specific to Firefox but there was
evidence that one of the certificates was used for man-in-the-middle
(MITM) traffic management of domain names that the customer did not
legitimately own or control. This issue was resolved by revoking the
trust for these specific mis-issued certificates."[21]
MITIGATION
Users should update to the latest versions of Firefox, Thunderbird and
SeaMonkey.
REFERENCES
[1] Mozilla Foundation Security Advisory 2012-98
http://www.mozilla.org/security/announce/2012/mfsa2012-98.html
[2] Mozilla Foundation Security Advisory 2013-01
http://www.mozilla.org/security/announce/2013/mfsa2013-01.html
[3] Mozilla Foundation Security Advisory 2013-02
http://www.mozilla.org/security/announce/2013/mfsa2013-02.html
[4] Mozilla Foundation Security Advisory 2013-03
http://www.mozilla.org/security/announce/2013/mfsa2013-03.html
[5] Mozilla Foundation Security Advisory 2013-04
http://www.mozilla.org/security/announce/2013/mfsa2013-04.html
[6] Mozilla Foundation Security Advisory 2013-05
http://www.mozilla.org/security/announce/2013/mfsa2013-05.html
[7] Mozilla Foundation Security Advisory 2013-06
http://www.mozilla.org/security/announce/2013/mfsa2013-06.html
[8] Mozilla Foundation Security Advisory 2013-07
http://www.mozilla.org/security/announce/2013/mfsa2013-07.html
[9] Mozilla Foundation Security Advisory 2013-08
http://www.mozilla.org/security/announce/2013/mfsa2013-08.html
[10] Mozilla Foundation Security Advisory 2013-09
http://www.mozilla.org/security/announce/2013/mfsa2013-09.html
[11] Mozilla Foundation Security Advisory 2013-10
http://www.mozilla.org/security/announce/2013/mfsa2013-10.html
[12] Mozilla Foundation Security Advisory 2013-11
http://www.mozilla.org/security/announce/2013/mfsa2013-11.html
[13] Mozilla Foundation Security Advisory 2013-12
http://www.mozilla.org/security/announce/2013/mfsa2013-12.html
[14] Mozilla Foundation Security Advisory 2013-13
http://www.mozilla.org/security/announce/2013/mfsa2013-13.html
[15] Mozilla Foundation Security Advisory 2013-14
http://www.mozilla.org/security/announce/2013/mfsa2013-14.html
[16] Mozilla Foundation Security Advisory 2013-15
http://www.mozilla.org/security/announce/2013/mfsa2013-15.html
[17] Mozilla Foundation Security Advisory 2013-16
http://www.mozilla.org/security/announce/2013/mfsa2013-16.html
[18] Mozilla Foundation Security Advisory 2013-17
http://www.mozilla.org/security/announce/2013/mfsa2013-17.html
[19] Mozilla Foundation Security Advisory 2013-18
http://www.mozilla.org/security/announce/2013/mfsa2013-18.html
[20] Mozilla Foundation Security Advisory 2013-19
http://www.mozilla.org/security/announce/2013/mfsa2013-19.html
[21] Mozilla Foundation Security Advisory 2013-20
http://www.mozilla.org/security/announce/2013/mfsa2013-20.html
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBUO0Owe4yVqjM2NGpAQIPaA//UTIEkUwUbkV48B9VsAGPoI1v2a03oT3t
MSKRN+deBbG3er+IMzMYDchvtLbFjzVY/JqQgeyr5Hzq8LUDfbuQ4euuO+sVSOAi
6kbvOiSKSGV8SdwkQmUkjg3+YFDuLKQ+02J33CoOPwZ0QWOwTE8OGrMtI91dLwkZ
1PdYjrECkCFQCOVbvQTAafhN+eRU6uCEkf+Q7zlkx2iqjFyMm5IS0wtpiYAZdDNQ
W3yEQTN48SwpB5R1LK0yNDZ55+FFPbeHl5TBpfQAA5JvB7bxxGOCXsCLsmv74SoF
g5MnYQ6HN5jRI7/IJqGTVPYin11m7wU9CzSysCT3sRNrpxqb8hHqQY97BUmYxofB
X4muIuiZDczF3jnu8kYv1qXx9/HtcndZ6f55aCFtnrnUuDZIQ4wn+lN/RcyDrqGh
PNi2UZyHql1HBnbbHlTWSdqtUq7Tpon6+0L4zxw9sDOman5mSWkADF5IyNyC+W5p
AHW3atdqR/Dapy2CLwktGyChOIthcVJazcxb7KM11ND1AlIxsyhw/MkYqsLhBq8q
+m14wKLNPdzvZ0OGNg/ZEte9XnZrZMkfdvVY37r+uW17DIdHRwTD9aTmYiouowYS
qZ9KYleSoXEJ7s4xwgNXGQ6G5NGPw1m/D8Y6564JEMatABInpIurQWSrQBgWOsLV
GcGplJJFkQY=
=ehvB
-----END PGP SIGNATURE-----