-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT Security Bulletin ASB-2013.0080
   A number of vulnerabilities have been identified in Mozilla Firefox,
             Firefox ESR, Thunderbird and Thunderbird ESR
                              26 June 2013
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Mozilla Firefox
                      Mozilla Firefox ESR
                      Mozilla Thunderbird
                      Mozilla Thunderbird ESR
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
                      Android
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Cross-site Request Forgery      -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Provide Misleading Information  -- Remote with User Interaction
                      Access Confidential Data        -- Remote with User Interaction
                      Reduced Security                -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2013-1700 CVE-2013-1699 CVE-2013-1698 CVE-2013-1697
                      CVE-2013-1696 CVE-2013-1695 CVE-2013-1694 CVE-2013-1693
                      CVE-2013-1692 CVE-2013-1690 CVE-2013-1688 CVE-2013-1687
                      CVE-2013-1686 CVE-2013-1685 CVE-2013-1684 CVE-2013-1683
                      CVE-2013-1682
Member content until: Friday, July 26 2013

OVERVIEW

Multiple vulnerabilities have been fixed in the latest versions of Mozilla
Firefox, Firefox ESR, Thunderbird and Thunderbird ESR. [1]

IMPACT

The vendor has provided the following details regarding these
vulnerabilities:

"Mozilla Foundation Security Advisory 2013-62:

Security researcher Seb Patane reported an issue with the Mozilla
Maintenance Service on Windows. He discovered that when the Mozilla Updater
executable was inaccessible, the Maintenance Service will behave
incorrectly and can be made to use an updater at an arbitrary location.
This updater will run with the system privileges used by the Maintenance
Service, allowing for local privilege escalation.
Local file system access is necessary in order for this issue to be
exploitable and it cannot be triggered through web content.

Arbitrary code execution using a temporarily inaccessible file
(CVE-2013-1700)" [2]

"Mozilla Foundation Security Advisory 2013-61:

Security researcher 3ric Johanson reported in discussions with Richard
Newman and Holt Sorenson that Verisign's prevention measures for homograph
attacks using Internationalized Domain Names (IDN) were insufficiently
rigorous, and this led to a limited possibility for domain spoofing in
Firefox. IDN allows non-English speakers to use domains in their local
language. Many supported characters are similar or identical to others in
English, allowing for the potential spoofing of domain names and for
phishing attacks when not blocked. In consultation with Verisign, Mozilla
had added .com, .net, and .name top-level domains to its IDN whitelist,
allowing for IDN use in those top-level domains without restrictions.
However, it became clear that a number of historical dangerous
registrations continued to be valid. This issue has been fixed by removing
the .com, .net, and .name top-level domains from the IDN whitelist, and
supplementing the whitelist implementation with technical restrictions
against script-mixing in domain labels. These restrictions apply to all
non-whitelisted top-level domains. More information on the exact algorithm
used can be found here.

Homograph attack prevention is incomplete (CVE-2013-1699)" [3]

"Mozilla Foundation Security Advisory 2013-60:

Mozilla engineer Matt Wobensmith discovered that when the getUserMedia
permission dialog for an iframe appears in one domain, it will display its
origin as that of the top-level document and not the calling framed page.
This could lead to users incorrectly giving camera or microphone
permissions when confusing the requesting page's location for a hosting
one's.
Domain displayed permission dialog matches URL location bar, not content
(CVE-2013-1698)" [4]

"Mozilla Foundation Security Advisory 2013-59:

Mozilla security researcher moz_bug_r_a4 reported that XrayWrappers can be
bypassed to call content-defined toString and valueOf methods through
DefaultValue. This can lead to unexpected behavior when privileged code
acts on the incorrect values.

Note: In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but are
potentially a risk in browser or browser-like contexts in those products.

[[DefaultValue]] on XrayWrapper can call content-defined toString/valueOf
methods (CVE-2013-1697)" [5]

"Mozilla Foundation Security Advisory 2013-58:

Bugzilla developer Frédéric Buclin reported that the X-Frame-Options header
is ignored when server push is used in multi-part responses. This can lead
to potential clickjacking on sites that use X-Frame-Options as a
protection.

Firefox ignores the X-Frame-Options header when using server push
(CVE-2013-1696)" [6]

"Mozilla Foundation Security Advisory 2013-57:

Mozilla community member Bob Owen reported that <iframe sandbox>
restrictions are not applied to a frame element contained within a
sandboxed iframe. As a result, content hosted within a sandboxed iframe
could use a frame element to bypass the restrictions that should be
applied.

Frame DocShells do not inherit sandbox flags from their parents
(CVE-2013-1695)" [7]

"Mozilla Foundation Security Advisory 2013-56:

Mozilla developer Boris Zbarsky found that when PreserveWrapper was used in
cases where a wrapper is not set, the preserved-wrapper flag on the wrapper
cache is cleared. This could potentially lead to an exploitable crash.
Use of PreserveWrapper in cases when we don't have a wrapper seems broken
(CVE-2013-1694)" [8]

"Mozilla Foundation Security Advisory 2013-55:

Security researcher Paul Stone of Context Information Security discovered
that timing differences in the processing of SVG format images with
filters could allow for pixel values to be read. This could potentially
allow for text values to be read across domains, leading to information
disclosure.

SVG Filter Timing Attack (CVE-2013-1693)" [9]

"Mozilla Foundation Security Advisory 2013-54:

Security researcher Johnathan Kuskos reported that Firefox is sending data
in the body of XMLHttpRequest (XHR) HEAD requests, which goes against the
XHR specification. This can potentially be used for Cross-Site Request
Forgery (CSRF) attacks against sites which do not distinguish between HEAD
and POST requests.

Do not send data XHR HEAD request (CVE-2013-1692)" [10]

"Mozilla Foundation Security Advisory 2013-53:

Security researcher Nils reported that specially crafted web content using
the onreadystatechange event and reloading of pages could sometimes cause
a crash when unmapped memory is executed. This crash is potentially
exploitable.

Crash with onreadystatechange and reload (CVE-2013-1690)" [11]

"Mozilla Foundation Security Advisory 2013-52:

Security researcher Mariusz Mlynski reported that when a user examines the
profiler output on a malicious website containing specially crafted code,
it is possible for arbitrary code execution to occur. This occurs because
the profiler user interface runs in a special iframe that parses data from
the profiler to render the UI, leaving it susceptible to manipulation.

Arbitrary code execution from Profiler (CVE-2013-1688)" [12]

"Mozilla Foundation Security Advisory 2013-51:

Security researcher Mariusz Mlynski reported that it is possible to
compile a user-defined function in the XBL scope of a specific element and
then trigger an event within this scope to run code.
In some circumstances, when this code is run, it can access content
protected by System Only Wrappers (SOW) and chrome-privileged pages. This
could potentially lead to arbitrary code execution. Additionally, Chrome
Object Wrappers (COW) can be bypassed by web content to access privileged
methods, leading to a cross-site scripting (XSS) attack from privileged
pages.

Arbitrary code execution via XBL (CVE-2013-1687)
Xray Waivers can be used to bypass COWs" [13]

"Mozilla Foundation Security Advisory 2013-50:

Security researcher Abhishek Arya (Inferno) of the Google Chrome Security
Team used the Address Sanitizer tool to discover a series of
use-after-free problems rated critical as security issues in shipped
software. Some of these issues are potentially exploitable, allowing for
remote code execution. We would also like to thank Abhishek for reporting
additional use-after-free and buffer overflow flaws in code introduced
during Firefox development. These were fixed before general release.

Heap-use-after-free in mozilla::dom::HTMLMediaElement::LookupMediaElementURITable
(CVE-2013-1684)
Heap-use-after-free in nsIDocument::GetRootElement (CVE-2013-1685)
Heap-use-after-free in mozilla::ResetDir (CVE-2013-1686)" [14]

"Mozilla Foundation Security Advisory 2013-49:

Mozilla developers identified and fixed several memory safety bugs in the
browser engine used in Firefox and other Mozilla-based products. Some of
these bugs showed evidence of memory corruption under certain
circumstances, and we presume that with enough effort at least some of
these could be exploited to run arbitrary code.

Gary Kwong, Jesse Ruderman, and Andrew McCreight reported memory safety
problems and crashes that affect Firefox ESR 17, and Firefox 21.
Memory safety bugs fixed in Firefox 17.0.7 and Firefox 22.0 (CVE-2013-1682)

Christian Holler, Bobby Holley, Gary Kwong, Jesse Ruderman, Ben Turner,
Ehsan Akhgari, Mats Palmgren, and John Schoenick reported memory safety
problems and crashes that affect Firefox 21.

Memory safety bugs fixed in Firefox 22.0 (CVE-2013-1683)" [15]

MITIGATION

It is recommended that users update to the latest versions of Mozilla
Firefox, Firefox ESR, Thunderbird and Thunderbird ESR to correct these
issues.

REFERENCES

[1] Security Advisories for Firefox
    https://www.mozilla.org/security/known-vulnerabilities/firefox.html

[2] Mozilla Foundation Security Advisory 2013-62
    https://www.mozilla.org/security/announce/2013/mfsa2013-62.html

[3] Mozilla Foundation Security Advisory 2013-61
    https://www.mozilla.org/security/announce/2013/mfsa2013-61.html

[4] Mozilla Foundation Security Advisory 2013-60
    https://www.mozilla.org/security/announce/2013/mfsa2013-60.html

[5] Mozilla Foundation Security Advisory 2013-59
    https://www.mozilla.org/security/announce/2013/mfsa2013-59.html

[6] Mozilla Foundation Security Advisory 2013-58
    https://www.mozilla.org/security/announce/2013/mfsa2013-58.html

[7] Mozilla Foundation Security Advisory 2013-57
    https://www.mozilla.org/security/announce/2013/mfsa2013-57.html

[8] Mozilla Foundation Security Advisory 2013-56
    https://www.mozilla.org/security/announce/2013/mfsa2013-56.html

[9] Mozilla Foundation Security Advisory 2013-55
    https://www.mozilla.org/security/announce/2013/mfsa2013-55.html

[10] Mozilla Foundation Security Advisory 2013-54
     https://www.mozilla.org/security/announce/2013/mfsa2013-54.html

[11] Mozilla Foundation Security Advisory 2013-53
     https://www.mozilla.org/security/announce/2013/mfsa2013-53.html

[12] Mozilla Foundation Security Advisory 2013-52
     https://www.mozilla.org/security/announce/2013/mfsa2013-52.html

[13] Mozilla Foundation Security Advisory 2013-51
     https://www.mozilla.org/security/announce/2013/mfsa2013-51.html

[14] Mozilla Foundation Security Advisory 2013-50
     https://www.mozilla.org/security/announce/2013/mfsa2013-50.html

[15] Mozilla Foundation Security Advisory 2013-49
     https://www.mozilla.org/security/announce/2013/mfsa2013-49.html

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUcpAhBLndAQH1ShLAQLutg/+PV8OqfN9BoNGwORComtadqs/4x23AyzV
rAog0WWbk6tmICS6iMJM/SdxHu+K74RivhE4zYJpLCIpNgxFYt5bd2dEGmFDyzi4
MEhiI0bhy4PsqXQH1zbdDakioncJBZVS26z8oHkueUk2aKfNlfJXMLOb3F5YrrPH
QMWsvkcLORngU/xux2UtlJ2pCTPlYVgqRL0qjVN8Hp98TRBeJWQ/vu0S+3Z8INnc
ybYMiG7IBCCSHjaqDHBI2vb08sQCVBL6wo7GwtVnqEQUL62354XKaXodM8WfMheX
N5c4YCkNirjmoB/yPmOmsgz5gLyikFp2eSAFBjVwivjE/t5GhIU72gSM7rrNlQoz
o1CjCJjr00eVaSBXLzXnt70eTX2y0JUNPcIWuOK+cHgbY6Kry4hYoJ836I44nUWg
v9qtdVrxdwRSFrb2Jqs9n1WzpT2JNn43SjSoTs4vwHGg3UVLKWqMHsbXiBCcSGur
F+aqNHIvrQ11xqJgsn533XU+3K3iTfjxAF/Q+XOvgM9lpc4f35PqOtxo6TvIyWvF
XCDNgbZS+jP/M4aHnYaEPxp2V3wCk34GhJ+u23/c/s8/9WdKYxFqoQpf/XDUzBvy
avrAwPNt4VUkxsSvOweCab9858kEffWbcGwulHZ/azLB2w7cP2g1rmDf8O4w0ZwN
UTLfGIYM1K8=
=kYZ5
-----END PGP SIGNATURE-----
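Editor's worked example for the homograph issue in Mozilla Foundation Security Advisory 2013-61 above. The advisory says the fix added "technical restrictions against script-mixing in domain labels"; the code below is an added illustration of what such a restriction looks like, not Mozilla's IDN display algorithm and not part of the AusCERT bulletin. It classifies each code point of a label by Unicode script, ignores script-neutral characters (digits, hyphen, combining marks), and flags any label that combines scripts outside a few combinations that legitimately co-occur (the "highly restrictive" profile of Unicode UTS #39). The hostnames in the demo are constructed; it needs Node.js 10 or later for Unicode property escapes.

```javascript
// Added example (not Mozilla's code): a simplified "no script mixing in a
// label" check of the kind MFSA 2013-61 describes for non-whitelisted TLDs.
// Node.js >= 10 is required for \p{Script=...} regular expressions.

const SCRIPTS = {
  Latin: /\p{Script=Latin}/u,
  Cyrillic: /\p{Script=Cyrillic}/u,
  Greek: /\p{Script=Greek}/u,
  Han: /\p{Script=Han}/u,
  Hiragana: /\p{Script=Hiragana}/u,
  Katakana: /\p{Script=Katakana}/u,
  Hangul: /\p{Script=Hangul}/u,
  Arabic: /\p{Script=Arabic}/u,
  Hebrew: /\p{Script=Hebrew}/u,
};

// Digits, hyphen, punctuation and combining marks belong to no single
// script (Common / Inherited) and do not count toward mixing.
const NEUTRAL = /[\p{Script=Common}\p{Script=Inherited}]/u;

// Script combinations that legitimately occur inside one label. Any other
// combination of two or more scripts in a single label is treated as
// suspicious and the label would be shown in its Punycode (xn--) form.
const ALLOWED_COMBOS = [
  new Set(['Latin', 'Han', 'Hiragana', 'Katakana']), // Japanese
  new Set(['Latin', 'Han', 'Hangul']),               // Korean
  new Set(['Latin', 'Han']),                         // Chinese
];

// Set of script names used by the non-neutral code points of a label.
// Scripts outside the table above are collapsed into "Other".
function scriptsInLabel(label) {
  const found = new Set();
  for (const ch of label.normalize('NFC')) {
    if (NEUTRAL.test(ch)) continue;
    const name = Object.keys(SCRIPTS).find((n) => SCRIPTS[n].test(ch));
    found.add(name || 'Other');
  }
  return found;
}

// True when the label mixes scripts in a way no allowed combination covers.
function isMixedScript(label) {
  const found = scriptsInLabel(label);
  if (found.size <= 1) return false;
  return !ALLOWED_COMBOS.some((ok) => [...found].every((s) => ok.has(s)));
}

// Labels of a hostname that a display policy would refuse to render as
// Unicode. An empty array means every label passes the mixing check.
function mixedScriptLabels(hostname) {
  return hostname.split('.').filter(isMixedScript);
}

// Demo on constructed hostnames. "p\u0430ypal" contains a Cyrillic "a"
// (U+0430) that renders identically to the Latin one.
if (typeof require !== 'undefined' && require.main === module) {
  const samples = [
    'paypal.com',
    'p\u0430ypal.com',
    '\u043c\u043e\u0441\u043a\u0432\u0430.\u0440\u0444',
  ];
  for (const h of samples) {
    console.log(h, '->', JSON.stringify(mixedScriptLabels(h)));
  }
}
```

A label written entirely in one script (for example an all-Cyrillic string whose glyphs happen to look like "paypal") passes a mixing check by construction. That whole-script confusable case is why the advisory pairs the new restriction with removing .com, .net and .name from the IDN whitelist rather than relying on script mixing alone; a registry-side policy or a confusable-skeleton comparison is needed to cover it.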
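Editor's worked example for the CSRF issue in Mozilla Foundation Security Advisory 2013-54 above, which affects "sites which do not distinguish between HEAD and POST requests". The code below is an added illustration and is not part of the AusCERT bulletin or of Mozilla's fix: it shows a server-side handler written in the vulnerable style (any request carrying a form body is treated as a submission) beside a hardened one (state changes only on POST, with the expected content type and a valid anti-CSRF token). Requests are plain objects so the logic runs without a network; the handler names, the session token and the sample requests are all constructed for this example.

```javascript
// Added example (not from the bulletin or from Mozilla): why a site that
// treats "request with a form body" as "form submission" is exposed when a
// browser sends the XHR body on HEAD, and how to close it server-side.
const crypto = require('crypto');

// Constructed per-session anti-CSRF token (a real app issues one per session).
const SESSION_TOKEN = 'constructed-csrf-token-for-demo';

function parseForm(body) {
  return Object.fromEntries(new URLSearchParams(body || ''));
}

function lowerHeaders(headers) {
  return Object.fromEntries(
    Object.entries(headers || {}).map(([k, v]) => [k.toLowerCase(), String(v)])
  );
}

// Constant-time comparison so the token check does not leak by timing.
function tokenMatches(candidate) {
  const a = Buffer.from(String(candidate || ''));
  const b = Buffer.from(SESSION_TOKEN);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Vulnerable pattern: a CSRF filter in front of this handler only inspects
// POST, and the handler itself acts on any request that carries a body.
// A HEAD request with an attached form body therefore performs the
// transfer without ever presenting a token.
function handleTransferInsecure(req) {
  if (req.method.toUpperCase() === 'GET') {
    return { status: 200, action: 'render-form' };
  }
  if (req.body) {
    const form = parseForm(req.body);
    return { status: 200, action: 'transfer', to: form.to, amount: Number(form.amount) };
  }
  return { status: 200, action: 'render-form' };
}

// Hardened pattern: HEAD and GET are read-only and any body they carry is
// ignored; only a POST with the expected content type and a valid token
// changes state. Method alone is not the defence, the token is.
function handleTransferSafe(req) {
  const method = req.method.toUpperCase();
  const headers = lowerHeaders(req.headers);
  if (method === 'HEAD' || method === 'GET') {
    return { status: 200, action: 'render-form' };
  }
  if (method !== 'POST') {
    return { status: 405, action: 'reject', reason: 'method' };
  }
  const ct = (headers['content-type'] || '').split(';')[0].trim();
  if (ct !== 'application/x-www-form-urlencoded') {
    return { status: 415, action: 'reject', reason: 'content-type' };
  }
  const form = parseForm(req.body);
  if (!tokenMatches(form.csrf_token)) {
    return { status: 403, action: 'reject', reason: 'csrf' };
  }
  return { status: 200, action: 'transfer', to: form.to, amount: Number(form.amount) };
}

// Constructed sample requests: a cross-site HEAD with a smuggled body, and a
// legitimate same-site POST carrying the session token.
const forgedHead = {
  method: 'HEAD',
  headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
  body: 'to=attacker&amount=1000',
};
const legitimatePost = {
  method: 'POST',
  headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
  body: 'to=alice&amount=25&csrf_token=' + SESSION_TOKEN,
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log('insecure, forged HEAD :', handleTransferInsecure(forgedHead));
  console.log('safe, forged HEAD     :', handleTransferSafe(forgedHead));
  console.log('safe, legitimate POST :', handleTransferSafe(legitimatePost));
}
```

The browser fix in MFSA 2013-54 removes one delivery vector, but a plain cross-origin HTML form can still POST to the endpoint without XMLHttpRequest, so dispatching on method is never sufficient on its own; the per-session token (optionally reinforced by an Origin or Referer check) is what actually stops the forged request.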