
                         AUSCERT Security Bulletin

   A number of vulnerabilities have been identified in Mozilla Firefox,
               Firefox ESR, Thunderbird and Thunderbird ESR
                               26 June 2013


        AusCERT Security Bulletin Summary

Product:              Mozilla Firefox
                      Mozilla Firefox ESR
                      Mozilla Thunderbird
                      Mozilla Thunderbird ESR
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Cross-site Request Forgery      -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Provide Misleading Information  -- Remote with User Interaction
                      Access Confidential Data        -- Remote with User Interaction
                      Reduced Security                -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2013-1700 CVE-2013-1699 CVE-2013-1698
                      CVE-2013-1697 CVE-2013-1696 CVE-2013-1695
                      CVE-2013-1694 CVE-2013-1693 CVE-2013-1692
                      CVE-2013-1690 CVE-2013-1688 CVE-2013-1687
                      CVE-2013-1686 CVE-2013-1685 CVE-2013-1684
                      CVE-2013-1683 CVE-2013-1682 
Member content until: Friday, July 26 2013


        Multiple vulnerabilities have been fixed in the latest versions of 
        Mozilla Firefox, Firefox ESR, Thunderbird and Thunderbird ESR. [1]


        The vendor has provided the following details regarding these 
        vulnerabilities:
        "Mozilla Foundation Security Advisory 2013-62:
        Security researcher Seb Patane reported an issue with the Mozilla 
        Maintenance Service on Windows. He discovered that when the Mozilla 
        Updater executable was inaccessible, the Maintenance Service will 
        behave incorrectly and can be made to use an updater at an arbitrary 
        location. This updater will run with the system privileges used by 
        the Maintenance Service, allowing for local privilege escalation. 
        Local file system access is necessary in order for this issue to be 
        exploitable and it cannot be triggered through web content.
        Arbitrary code execution using a temporarily inaccessible file 
        (CVE-2013-1700)" [2]
        "Mozilla Foundation Security Advisory 2013-61:
        Security researcher 3ric Johanson reported in discussions with 
        Richard Newman and Holt Sorenson that Verisign's prevention measures
        for homograph attacks using Internationalized Domain Names (IDN) were 
        insufficiently rigorous, and this led to a limited possibility for 
        domain spoofing in Firefox.
        IDN allows non-English speakers to use domains in their local
        language. Many supported characters are similar or identical to others
        in English, allowing for the potential spoofing of domain names and for
        phishing attacks when not blocked. In consultation with Verisign, 
        Mozilla had added .com, .net, and .name top-level domains to its 
        IDN whitelist, allowing for IDN use in those top-level domains without
        restrictions. However, it became clear that a number of historical
        dangerous registrations continued to be valid.
        This issue has been fixed by removing the .com, .net, and .name 
        top-level domains from the IDN whitelist, and supplementing the 
        whitelist implementation with technical restrictions against
        script-mixing in domain labels. These restrictions apply to all 
        non-whitelisted top-level domains. More information on the exact 
        algorithm used can be found here.
        Homograph attack prevention is incomplete (CVE-2013-1699)" [3]
        "Mozilla Foundation Security Advisory 2013-60: 
        Mozilla engineer Matt Wobensmith discovered that when the 
        getUserMedia permission dialog for an iframe appears in one 
        domain, it will display its origin as that of the top-level document
        and not the calling framed page. This could lead to users 
        incorrectly giving camera or microphone permissions when confusing 
        the requesting page's location for a hosting one's. 
        Domain displayed permission dialog matches URL location bar, not
        content (CVE-2013-1698)" [4]
        "Mozilla Foundation Security Advisory 2013-59:
        Mozilla security researcher moz_bug_r_a4 reported that XrayWrappers
        can be bypassed to call content-defined toString and valueOf methods
        through DefaultValue. This can lead to unexpected behavior when 
        privileged code acts on the incorrect values.
        Note: In general these flaws cannot be exploited through email in the
        Thunderbird and SeaMonkey products because scripting is disabled, but
        are potentially a risk in browser or browser-like contexts in those 
        products.
        [[DefaultValue]] on XrayWrapper can call content-defined 
        toString/valueOf methods (CVE-2013-1697)" [5]
        "Mozilla Foundation Security Advisory 2013-58:
        Bugzilla developer Frédéric Buclin reported that the X-Frame-Options
        header is ignored when server push is used in multi-part responses. 
        This can lead to potential clickjacking on sites that use 
        X-Frame-Options as a protection.
        Firefox ignores the X-Frame-Options header when using server push 
        (CVE-2013-1696)" [6]
        "Mozilla Foundation Security Advisory 2013-57:
        Mozilla community member Bob Owen reported that <iframe sandbox> 
        restrictions are not applied to a frame element contained within a
        sandboxed iframe. As a result, content hosted within a sandboxed 
        iframe could use a frame element to bypass the restrictions that 
        should be applied.
        Frame DocShells do not inherit sandbox flags from their parents
        (CVE-2013-1695)" [7]
        "Mozilla Foundation Security Advisory 2013-56:
        Mozilla developer Boris Zbarsky found that when PreserveWrapper was
        used in cases where a wrapper is not set, the preserved-wrapper flag
        on the wrapper cache is cleared. This could potentially lead to an 
        exploitable crash.
        Use of PreserveWrapper in cases when we don't have a wrapper seems 
        broken (CVE-2013-1694)" [8]
        "Mozilla Foundation Security Advisory 2013-55:
        Security researcher Paul Stone of Context Information Security 
        discovered that timing differences in the processing of SVG format
        images with filters could allow for pixel values to be read. This 
        could potentially allow for text values to be read across domains, 
        leading to information disclosure.
        SVG Filter Timing Attack (CVE-2013-1693)" [9]
        "Mozilla Foundation Security Advisory 2013-54:
        Security researcher Johnathan Kuskos reported that Firefox is sending
        data in the body of XMLHttpRequest (XHR) HEAD requests, which goes 
        against the XHR specification. This can potentially be used for 
        Cross-Site Request Forgery (CSRF) attacks against sites which do not
        distinguish between HEAD and POST requests.
        Do not send data XHR HEAD request (CVE-2013-1692)" [10]
        "Mozilla Foundation Security Advisory 2013-53:
        Security researcher Nils reported that specially crafted web content 
        using the onreadystatechange event and reloading of pages could 
        sometimes cause a crash when unmapped memory is executed. This crash 
        is potentially exploitable.
        Crash with onreadystatechange and reload (CVE-2013-1690)" [11]
        "Mozilla Foundation Security Advisory 2013-52:
        Security researcher Mariusz Mlynski reported that when a user examines
        the profiler output on a malicious website containing specially crafted
        code, it is possible for arbitrary code execution to occur. This occurs
        because the profiler user interface runs in a special iframe that 
        parses data from the profiler to render the UI, leaving it susceptible
        to manipulation.
        Arbitrary code execution from Profiler (CVE-2013-1688)" [12]
        "Mozilla Foundation Security Advisory 2013-51:
        Security researcher Mariusz Mlynski reported that it is possible to 
        compile a user-defined function in the XBL scope of a specific element
        and then trigger an event within this scope to run code. In some 
        circumstances, when this code is run, it can access content protected 
        by System Only Wrappers (SOW) and chrome-privileged pages. This could 
        potentially lead to arbitrary code execution. Additionally, Chrome
        Object Wrappers (COW) can be bypassed by web content to access 
        privileged methods, leading to a cross-site scripting (XSS) attack
        from privileged pages.
        Arbitrary code execution via XBL (CVE-2013-1687)
        Xray Waivers can be used to bypass COWs" [13]
        "Mozilla Foundation Security Advisory 2013-50:
        Security researcher Abhishek Arya (Inferno) of the Google Chrome 
        Security Team used the Address Sanitizer tool to discover a series 
        of use-after-free problems rated critical as security issues in 
        shipped software. Some of these issues are potentially exploitable,
        allowing for remote code execution. We would also like to thank 
        Abhishek for reporting additional use-after-free and buffer 
        overflow flaws in code introduced during Firefox development. These 
        were fixed before general release.
        Heap-use-after-free in mozilla::dom::HTMLMediaElement::LookupMediaElementURITable (CVE-2013-1684)
        Heap-use-after-free in nsIDocument::GetRootElement (CVE-2013-1685)
        Heap-use-after-free in mozilla::ResetDir (CVE-2013-1686)" [14]
        "Mozilla Foundation Security Advisory 2013-49:
        Mozilla developers identified and fixed several memory safety bugs in 
        the browser engine used in Firefox and other Mozilla-based products. 
        Some of these bugs showed evidence of memory corruption under certain 
        circumstances, and we presume that with enough effort at least some of
        these could be exploited to run arbitrary code.
        Gary Kwong, Jesse Ruderman, and Andrew McCreight reported memory safety 
        problems and crashes that affect Firefox ESR 17 and Firefox 21.
        Memory safety bugs fixed in Firefox 17.0.7 and Firefox 22.0 (CVE-2013-1682)
        Christian Holler, Bobby Holley, Gary Kwong, Jesse Ruderman, Ben Turner,
        Ehsan Akhgari, Mats Palmgren, and John Schoenick reported memory safety
        problems and crashes that affect Firefox 21.
        Memory safety bugs fixed in Firefox 22.0 (CVE-2013-1683)" [15]
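        The following is an added illustration, not Mozilla's code and not
        the algorithm MFSA 2013-61 refers to: a toy per-label script-mixing
        check of the kind the advisory describes as the supplement to the
        IDN whitelist. Labels that mix scripts are shown in their ASCII
        (punycode) form so that a Latin/Cyrillic homograph cannot pass for
        the Latin name. The list of recognised scripts, the tolerated CJK
        mixtures and the sample hostnames are assumptions made for the
        example; the punycode conversion uses Node's built-in WHATWG URL
        parser.

```javascript
'use strict';
// Added example (not Mozilla's code): a toy per-label script-mixing check for
// IDN hostnames, in the spirit of the restriction MFSA 2013-61 describes.
// Labels that mix scripts are displayed in punycode instead of Unicode.
// The script list and allowed mixtures are assumptions for illustration.

const KNOWN_SCRIPTS = ['Latin', 'Cyrillic', 'Greek', 'Han', 'Hiragana',
                       'Katakana', 'Hangul', 'Arabic', 'Hebrew'];
const SCRIPT_RE = Object.fromEntries(
  KNOWN_SCRIPTS.map(s => [s, new RegExp(`\\p{Script=${s}}`, 'u')]));
// Digits, the hyphen and combining marks carry no script of their own.
const NEUTRAL_RE = /[\p{Script=Common}\p{Script=Inherited}]/u;
// Mixtures tolerated in one label (assumed, loosely after Unicode UTS #39):
// only the CJK combinations that ordinary Japanese and Korean names need.
const ALLOWED_MIXES = [['Han', 'Hiragana', 'Katakana'], ['Han', 'Hangul']];

// Set of Unicode scripts used by the letters of one label.
function scriptsIn(label) {
  const found = new Set();
  for (const ch of label) {
    if (NEUTRAL_RE.test(ch)) continue;
    const name = KNOWN_SCRIPTS.find(s => SCRIPT_RE[s].test(ch));
    found.add(name || 'Unknown');
  }
  return found;
}

// A label may be shown in Unicode if it uses a single known script, or only
// scripts drawn from one allowed CJK mixture. Anything unrecognised fails.
function isSafeLabel(label) {
  const scripts = [...scriptsIn(label)];
  if (scripts.includes('Unknown')) return false;
  if (scripts.length <= 1) return true;
  return ALLOWED_MIXES.some(mix => scripts.every(s => mix.includes(s)));
}

// Punycode form of one label, via the WHATWG URL parser built into Node.
function toPunycode(label) {
  return new URL(`http://${label}`).hostname;
}

// The hostname as a location bar following this policy would display it.
function displayHostname(hostname) {
  return hostname.split('.')
    .map(label => (isSafeLabel(label) ? label : toPunycode(label)))
    .join('.');
}

// Constructed inputs: a Latin label, a Latin/Cyrillic homograph (Cyrillic
// U+0430 in place of Latin "a"), an all-Cyrillic label and a Katakana label.
const SAMPLES = ['paypal.com', 'p\u0430ypal.com',
                 '\u043f\u0440\u0438\u043c\u0435\u0440.com', '\u30c9\u30b3\u30e2.jp'];
for (const h of SAMPLES) console.log(h, '->', displayHostname(h));
```

        Note what this check does not do: a label written entirely in one
        script (the all-Cyrillic sample above) is still shown in Unicode
        even when every letter has a Latin look-alike, which is why the
        advisory also removed .com, .net and .name from the whitelist rather
        than relying on script-mixing rules alone.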


        It is recommended that users update to the latest versions of Mozilla
        Firefox, Firefox ESR, Thunderbird and Thunderbird ESR to correct these 
        issues.
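        The server-side weakness that MFSA 2013-54 describes, a site that
        "does not distinguish between HEAD and POST", is shown below as an
        added example that is not part of the advisory or of Mozilla's code:
        a handler that acts on any request body next to a hardened handler
        that only changes state on a POST from the site's own origin carrying
        a per-session CSRF token. The site origin, the session store, the
        token value and the three requests are constructed for the example;
        nothing touches the network.

```javascript
'use strict';
// Added example (not Mozilla's code): the server-side mistake MFSA 2013-54
// describes, a handler that acts on a request body without looking at the
// method, next to a hardened version. Sessions, accounts, origin and token
// values are constructed for illustration.

const SITE_ORIGIN = 'https://bank.example';
const SESSIONS = { s1: { user: 'alice', csrfToken: 'tok-9f3a' } };

// application/x-www-form-urlencoded body to a plain object.
function parseForm(body) {
  const fields = {};
  for (const [k, v] of new URLSearchParams(body || '')) fields[k] = v;
  return fields;
}

// Compare two tokens without leaking where they first differ.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Vulnerable: any request carrying a body moves money, HEAD included.
function vulnerableTransfer(req, accounts) {
  const session = SESSIONS[req.cookies.sid];
  if (!session) return { status: 401 };
  const form = parseForm(req.body);
  if (!form.to || !form.amount) return { status: 400 };
  accounts[session.user] -= Number(form.amount);
  return { status: 200, to: form.to, amount: Number(form.amount) };
}

// Hardened: state changes only on POST, only from this site's own origin,
// and only with the session's CSRF token. An absent Origin is treated as
// untrusted here (a strict choice; older clients may need a Referer fallback).
function hardenedTransfer(req, accounts) {
  if (req.method !== 'POST') return { status: 405 };
  const session = SESSIONS[req.cookies.sid];
  if (!session) return { status: 401 };
  const origin = req.headers.origin;
  if (!origin || origin !== SITE_ORIGIN) return { status: 403, reason: 'origin' };
  const form = parseForm(req.body);
  if (!form.csrf || !constantTimeEqual(form.csrf, session.csrfToken)) {
    return { status: 403, reason: 'csrf' };
  }
  if (!form.to || !form.amount) return { status: 400 };
  accounts[session.user] -= Number(form.amount);
  return { status: 200, to: form.to, amount: Number(form.amount) };
}

// The victim's session cookie rides along on every cross-site request.
function makeRequest(method, body, origin) {
  return { method, body, headers: { origin }, cookies: { sid: 's1' } };
}

// Constructed requests: the HEAD-with-body an affected Firefox would send
// from attacker.example, a legitimate same-origin POST, and a forged POST.
const headWithBody = makeRequest('HEAD', 'to=mallory&amount=40', 'https://attacker.example');
const legitPost = makeRequest('POST', 'to=bob&amount=40&csrf=tok-9f3a', SITE_ORIGIN);
const forgedPost = makeRequest('POST', 'to=mallory&amount=40', 'https://attacker.example');

const weak = { alice: 100 };
console.log('vulnerable, HEAD with body:', vulnerableTransfer(headWithBody, weak), weak);
const strong = { alice: 100 };
console.log('hardened, HEAD with body:', hardenedTransfer(headWithBody, strong), strong);
console.log('hardened, forged POST:', hardenedTransfer(forgedPost, strong), strong);
console.log('hardened, legitimate POST:', hardenedTransfer(legitPost, strong), strong);
```

        The browser update closes one transport (a body on an XHR HEAD
        request), but the server must not depend on it: HEAD is defined as
        a safe method, so a handler that performs a state change on it is
        wrong regardless of what any client sends, and the CSRF token and
        origin check are what actually stop the forged POST.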


        [1] Security Advisories for Firefox

        [2] Mozilla Foundation Security Advisory 2013-62

        [3] Mozilla Foundation Security Advisory 2013-61

        [4] Mozilla Foundation Security Advisory 2013-60

        [5] Mozilla Foundation Security Advisory 2013-59

        [6] Mozilla Foundation Security Advisory 2013-58

        [7] Mozilla Foundation Security Advisory 2013-57

        [8] Mozilla Foundation Security Advisory 2013-56

        [9] Mozilla Foundation Security Advisory 2013-55

        [10] Mozilla Foundation Security Advisory 2013-54

        [11] Mozilla Foundation Security Advisory 2013-53

        [12] Mozilla Foundation Security Advisory 2013-52

        [13] Mozilla Foundation Security Advisory 2013-51

        [14] Mozilla Foundation Security Advisory 2013-50

        [15] Mozilla Foundation Security Advisory 2013-49

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967