===========================================================================
AUSCERT Security Bulletin

ASB-2013.0024.2
Multiple vulnerabilities have been fixed in the latest versions of
Mozilla Firefox, Thunderbird, & SeaMonkey
21 February 2013
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:              Mozilla Firefox
                      Mozilla Thunderbird
                      Mozilla SeaMonkey
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
                      Android
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Provide Misleading Information  -- Remote with User Interaction
                      Access Confidential Data        -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2013-0784 CVE-2013-0783 CVE-2013-0782
                      CVE-2013-0781 CVE-2013-0780 CVE-2013-0779
                      CVE-2013-0778 CVE-2013-0777 CVE-2013-0776
                      CVE-2013-0775 CVE-2013-0774 CVE-2013-0773
                      CVE-2013-0772 CVE-2013-0765
Member content until: Friday, March 22 2013

Revision History:     February 21 2013: Modified Product Tag
                      February 20 2013: Initial Release

OVERVIEW

        Multiple vulnerabilities have been fixed in the latest versions of
        Mozilla Firefox, Thunderbird and SeaMonkey.

IMPACT

        The vendor has provided the following details about the
        vulnerabilities:

        CVE-2013-0783 and CVE-2013-0784: "Mozilla developers identified and
        fixed several memory safety bugs in the browser engine used in
        Firefox and other Mozilla-based products. Some of these bugs showed
        evidence of memory corruption under certain circumstances, and we
        presume that with enough effort at least some of these could be
        exploited to run arbitrary code.

        Note: In general these flaws cannot be exploited through email in
        the Thunderbird and SeaMonkey products because scripting is
        disabled, but are potentially a risk in browser or browser-like
        contexts in those products." [1]

        CVE-2013-0772: "Using the Address Sanitizer tool, security
        researcher Atte Kettunen from OUSPG found an out-of-bounds read
        while rendering GIF format images. This could cause a
        non-exploitable crash and could also attempt to render normally
        inaccessible data as part of the image." [2]

        CVE-2013-0765: "Mozilla developer Boris Zbarsky reported that in
        some circumstances a wrapped WebIDL object can be wrapped multiple
        times, overwriting the existing wrapped state. This could lead to
        an exploitable condition in rare cases." [3]

        CVE-2013-0773: "Mozilla developer Bobby Holley discovered that it
        was possible to bypass some protections in Chrome Object Wrappers
        (COW) and System Only Wrappers (SOW), making their prototypes
        mutable by web content. This could be used to leak information from
        chrome objects and possibly allow for arbitrary code execution.

        Note: In general these flaws cannot be exploited through email in
        the Thunderbird and SeaMonkey products because scripting is
        disabled, but are potentially a risk in browser or browser-like
        contexts in those products." [4]

        CVE-2013-0774: "Mozilla security researcher Frederik Braun
        discovered that since Firefox 15 the file system location of the
        active browser profile was available to JavaScript workers. While
        not dangerous by itself, this could potentially be combined with
        other vulnerabilities to target the profile in an attack.

        Note: In general these flaws cannot be exploited through email in
        the Thunderbird and SeaMonkey products because scripting is
        disabled, but are potentially a risk in browser or browser-like
        contexts in those products." [5]

        CVE-2013-0775: "Security researcher Nils reported a use-after-free
        in nsImageLoadingContent when content script is executed. This
        could allow for arbitrary code execution.

        Note: In general these flaws cannot be exploited through email in
        the Thunderbird and SeaMonkey products because scripting is
        disabled, but are potentially a risk in browser or browser-like
        contexts in those products." [6]

        CVE-2013-0776: "Google security researcher Michal Zalewski reported
        an issue where the browser displayed the content of a proxy's 407
        response if a user canceled the proxy's authentication prompt. In
        this circumstance, the addressbar will continue to show the
        requested site's address, including HTTPS addresses that appear to
        be secure. This spoofing of addresses can be used for phishing
        attacks by fooling users into entering credentials, for example.

        Note: In general these flaws cannot be exploited through email in
        the Thunderbird and SeaMonkey products because scripting is
        disabled, but are potentially a risk in browser or browser-like
        contexts in those products." [7]

        CVE-2013-0777, CVE-2013-0778, CVE-2013-0779, CVE-2013-0781,
        CVE-2013-0782 and CVE-2013-0780: "Security researcher Abhishek Arya
        (Inferno) of the Google Chrome Security Team used the Address
        Sanitizer tool to discover a series of use-after-free, out of
        bounds read, and buffer overflow problems rated as low to critical
        security issues in shipped software. Some of these issues are
        potentially exploitable, allowing for remote code execution. We
        would also like to thank Abhishek for reporting four additional
        use-after-free and out of bounds write flaws introduced during
        Firefox development that were fixed before general release.

        Note: In general these flaws cannot be exploited through email in
        the Thunderbird and SeaMonkey products because scripting is
        disabled, but are potentially a risk in browser or browser-like
        contexts in those products." [8]

MITIGATION

        Users should update to the latest versions of Firefox, Thunderbird
        and SeaMonkey.

REFERENCES

        [1] Mozilla Foundation Security Advisory 2013-21
            http://www.mozilla.org/security/announce/2013/mfsa2013-21.html

        [2] Mozilla Foundation Security Advisory 2013-22
            http://www.mozilla.org/security/announce/2013/mfsa2013-22.html

        [3] Mozilla Foundation Security Advisory 2013-23
            http://www.mozilla.org/security/announce/2013/mfsa2013-23.html

        [4] Mozilla Foundation Security Advisory 2013-24
            http://www.mozilla.org/security/announce/2013/mfsa2013-24.html

        [5] Mozilla Foundation Security Advisory 2013-25
            http://www.mozilla.org/security/announce/2013/mfsa2013-25.html

        [6] Mozilla Foundation Security Advisory 2013-26
            http://www.mozilla.org/security/announce/2013/mfsa2013-26.html

        [7] Mozilla Foundation Security Advisory 2013-27
            http://www.mozilla.org/security/announce/2013/mfsa2013-27.html

        [8] Mozilla Foundation Security Advisory 2013-28
            http://www.mozilla.org/security/announce/2013/mfsa2013-28.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.