Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT Security Bulletin
ASB-2013.0080
A number of vulnerabilities have been identified in Mozilla Firefox,
Firefox ESR, Thunderbird and Thunderbird ESR
26 June 2013
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Mozilla Firefox
Mozilla Firefox ESR
Mozilla Thunderbird
Mozilla Thunderbird ESR
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Android
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Cross-site Request Forgery -- Remote with User Interaction
Denial of Service -- Remote with User Interaction
Provide Misleading Information -- Remote with User Interaction
Access Confidential Data -- Remote with User Interaction
Reduced Security -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2013-1700 CVE-2013-1699 CVE-2013-1698
CVE-2013-1697 CVE-2013-1696 CVE-2013-1695
CVE-2013-1694 CVE-2013-1693 CVE-2013-1692
CVE-2013-1690 CVE-2013-1688 CVE-2013-1687
CVE-2013-1686 CVE-2013-1685 CVE-2013-1684
CVE-2013-1683 CVE-2013-1682
Member content until: Friday, July 26 2013
OVERVIEW
Multiple vulnerabilities have been fixed in the latest versions of
Mozilla Firefox, Firefox ESR, Thunderbird and Thunderbird ESR. [1]
IMPACT
The vendor has provided the following details regarding these
vulnerabilities:
"Mozilla Foundation Security Advisory 2013-62:
Security researcher Seb Patane reported an issue with the Mozilla
Maintenance Service on Windows. He discovered that when the Mozilla
Updater executable was inaccessible, the Maintenance Service will
behave incorrectly and can be made to use an updater at an arbitrary
location. This updater will run with the system privileges used by
the Maintenance Service, allowing for local privilege escalation.
Local file system access is necessary in order for this issue to be
exploitable and it cannot be triggered through web content.
Arbitrary code execution using a temporarily inaccessible file
(CVE-2013-1700)" [2]
"Mozilla Foundation Security Advisory 2013-61:
Security researcher 3ric Johanson reported in discussions with
Richard Newman and Holt Sorenson that Verisign's prevention measures
for homograph attacks using Internationalized Domain Names (IDN) were
insufficiently rigorous, and this led to a limited possibility for
domain spoofing in Firefox.
IDN allows non-English speakers to use domains in their local
language. Many supported characters are similar or identical to others
in English, allowing for the potential spoofing of domain names and for
phishing attacks when not blocked. In consultation with Verisign,
Mozilla had added .com, .net, and .name top-level domains to its
IDN whitelist, allowing for IDN use in those top-level domains without
restrictions. However, it became clear that a number of historical
dangerous registrations continued to be valid.
This issue has been fixed by removing the .com, .net, and .name
top-level domains from the IDN whitelist, and supplementing the
whitelist implementation with technical restrictions against
script-mixing in domain labels. These restrictions apply to all
non-whitelisted top-level domains. More information on the exact
algorithm used can be found here.
Homograph attack prevention is incomplete (CVE-2013-1699)" [3]
"Mozilla Foundation Security Advisory 2013-60:
Mozilla engineer Matt Wobensmith discovered that when the
getUserMedia permission dialog for an iframe appears in one
domain, it will display its origin as that of the top-level document
and not the calling framed page. This could lead to users
incorrectly giving camera or microphone permissions when confusing
the requesting page's location for a hosting one's.
Domain displayed permission dialog matches URL location bar, not
content (CVE-2013-1698)" [4]
"Mozilla Foundation Security Advisory 2013-59:
Mozilla security researcher moz_bug_r_a4 reported that XrayWrappers
can be bypassed to call content-defined toString and valueOf methods
through DefaultValue. This can lead to unexpected behavior when
privileged code acts on the incorrect values.
Note: In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but
are potentially a risk in browser or browser-like contexts in those
products.
[[DefaultValue]] on XrayWrapper can call content-defined
toString/valueOf methods (CVE-2013-1697)" [5]
"Mozilla Foundation Security Advisory 2013-58:
Bugzilla developer Frédéric Buclin reported that the X-Frame-Options
header is ignored when server push is used in multi-part responses.
This can lead to potential clickjacking on sites that use
X-Frame-Options as a protection.
Firefox ignores the X-Frame-Options header when using server push
(CVE-2013-1696)" [6]
"Mozilla Foundation Security Advisory 2013-57:
Mozilla community member Bob Owen reported that <iframe sandbox>
restrictions are not applied to a frame element contained within a
sandboxed iframe. As a result, content hosted within a sandboxed
iframe could use a frame element to bypass the restrictions that
should be applied.
Frame DocShells do not inherit sandbox flags from their parents
(CVE-2013-1695)" [7]
"Mozilla Foundation Security Advisory 2013-56:
Mozilla developer Boris Zbarsky found that when PreserveWrapper was
used in cases where a wrapper is not set, the preserved-wrapper flag
on the wrapper cache is cleared. This could potentially lead to an
exploitable crash.
Use of PreserveWrapper in cases when we don't have a wrapper seems
broken (CVE-2013-1694)" [8]
"Mozilla Foundation Security Advisory 2013-55:
Security researcher Paul Stone of Context Information Security
discovered that timing differences in the processing of SVG format
images with filters could allow for pixel values to be read. This
could potentially allow for text values to be read across domains,
leading to information disclosure.
SVG Filter Timing Attack (CVE-2013-1693)" [9]
"Mozilla Foundation Security Advisory 2013-54:
Security researcher Johnathan Kuskos reported that Firefox is sending
data in the body of XMLHttpRequest (XHR) HEAD requests, which goes
agains the XHR specification. This can potentially be used for
Cross-Site Request Forgery (CSRF) attacks against sites which do not
distinguish between HEAD and POST requests.
Do not send data XHR HEAD request (CVE-2013-1692)" [10]
"Mozilla Foundation Security Advisory 2013-53:
Security researcher Nils reported that specially crafted web content
using the onreadystatechange event and reloading of pages could
sometimes cause a crash when unmapped memory is executed. This crash
is potentially exploitable.
Crash with onreadystatechange and reload (CVE-2013-1690)" [11]
"Mozilla Foundation Security Advisory 2013-52:
Security researcher Mariusz Mlynski reported that when a user examines
the profiler output on a malicious website containing specially crafted
code, it is possible for arbitrary code execution to occur. This occurs
because the profiler user interface runs in a special iframe that
parses data from the profiler to render the UI, leaving it susceptible
to manipulation.
Arbitrary code execution from Profiler (CVE-2013-1688)" [12]
"Mozilla Foundation Security Advisory 2013-51:
Security researcher Mariusz Mlynski reported that it is possible to
compile a user-defined function in the XBL scope of a specific element
and then trigger an event within this scope to run code. In some
circumstances, when this code is run, it can access content protected
by System Only Wrappers (SOW) and chrome-privileged pages. This could
potentially lead to arbitrary code execution. Additionally, Chrome
Object Wrappers (COW) can be bypassed by web content to access
privileged methods, leading to a cross-site scripting (XSS) attack
from privileged pages.
Arbitrary code execution via XBL (CVE-2013-1687)
Xray Waivers can be used to bypass COWs" [13]
"Mozilla Foundation Security Advisory 2013-50:
Security researcher Abhishek Arya (Inferno) of the Google Chrome
Security Team used the Address Sanitizer tool to discover a series
of use-after-free problems rated critical as security issues in
shipped software. Some of these issues are potentially exploitable,
allowing for remote code execution. We would also like to thank
Abhishek for reporting additional use-after-free and buffer
overflow flaws in code introduced during Firefox development. These
were fixed before general release.
Heap-use-after-free in mozilla::dom::HTMLMediaElement::
LookupMediaElementURITable (CVE-2013-1684)
Heap-use-after-free in nsIDocument::GetRootElement (CVE-2013-1685)
Heap-use-after-free in mozilla::ResetDir (CVE-2013-1686)" [14]
"Mozilla Foundation Security Advisory 2013-49:
Mozilla developers identified and fixed several memory safety bugs in
the browser engine used in Firefox and other Mozilla-based products.
Some of these bugs showed evidence of memory corruption under certain
circumstances, and we presume that with enough effort at least some of
these could be exploited to run arbitrary code.
Gary Kwong, Jesse Ruderman, and Andrew McCreight reported memory safety
problems and crashes that affect Firefox ESR 17, and Firefox 21.
Memory safety bugs fixed in Firefox 17.0.7 and Firefox 22.0
(CVE-2013-1682)
Christian Holler, Bobby Holley, Gary Kwong, Jesse Ruderman, Ben Turner,
Ehsan Akhgari, Mats Palmgren, and John Schoenick reported memory safety
problems and crashes that affect Firefox 21.
Memory safety bugs fixed in Firefox 22.0 (CVE-2013-1683)" [15]
MITIGATION
It is recommended that users update to the latest versions of Mozilla
Firefox, Firefox ESR, Thunderbird and Thunderbird ESR to correct these
issues.
REFERENCES
[1] Security Advisories for Firefox
https://www.mozilla.org/security/known-vulnerabilities/firefox.html
[2] Mozilla Foundation Security Advisory 2013-62
https://www.mozilla.org/security/announce/2013/mfsa2013-62.html
[3] Mozilla Foundation Security Advisory 2013-61
https://www.mozilla.org/security/announce/2013/mfsa2013-61.html
[4] Mozilla Foundation Security Advisory 2013-60
https://www.mozilla.org/security/announce/2013/mfsa2013-60.html
[5] Mozilla Foundation Security Advisory 2013-59
https://www.mozilla.org/security/announce/2013/mfsa2013-59.html
[6] Mozilla Foundation Security Advisory 2013-58
https://www.mozilla.org/security/announce/2013/mfsa2013-58.html
[7] Mozilla Foundation Security Advisory 2013-57
https://www.mozilla.org/security/announce/2013/mfsa2013-57.html
[8] Mozilla Foundation Security Advisory 2013-56
https://www.mozilla.org/security/announce/2013/mfsa2013-56.html
[9] Mozilla Foundation Security Advisory 2013-55
https://www.mozilla.org/security/announce/2013/mfsa2013-55.html
[10] Mozilla Foundation Security Advisory 2013-54
https://www.mozilla.org/security/announce/2013/mfsa2013-54.html
[11] Mozilla Foundation Security Advisory 2013-53
https://www.mozilla.org/security/announce/2013/mfsa2013-53.html
[12] Mozilla Foundation Security Advisory 2013-52
https://www.mozilla.org/security/announce/2013/mfsa2013-52.html
[13] Mozilla Foundation Security Advisory 2013-51
https://www.mozilla.org/security/announce/2013/mfsa2013-51.html
[14] Mozilla Foundation Security Advisory 2013-50
https://www.mozilla.org/security/announce/2013/mfsa2013-50.html
[15] Mozilla Foundation Security Advisory 2013-49
https://www.mozilla.org/security/announce/2013/mfsa2013-49.html
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBUcpAhBLndAQH1ShLAQLutg/+PV8OqfN9BoNGwORComtadqs/4x23AyzV
rAog0WWbk6tmICS6iMJM/SdxHu+K74RivhE4zYJpLCIpNgxFYt5bd2dEGmFDyzi4
MEhiI0bhy4PsqXQH1zbdDakioncJBZVS26z8oHkueUk2aKfNlfJXMLOb3F5YrrPH
QMWsvkcLORngU/xux2UtlJ2pCTPlYVgqRL0qjVN8Hp98TRBeJWQ/vu0S+3Z8INnc
ybYMiG7IBCCSHjaqDHBI2vb08sQCVBL6wo7GwtVnqEQUL62354XKaXodM8WfMheX
N5c4YCkNirjmoB/yPmOmsgz5gLyikFp2eSAFBjVwivjE/t5GhIU72gSM7rrNlQoz
o1CjCJjr00eVaSBXLzXnt70eTX2y0JUNPcIWuOK+cHgbY6Kry4hYoJ836I44nUWg
v9qtdVrxdwRSFrb2Jqs9n1WzpT2JNn43SjSoTs4vwHGg3UVLKWqMHsbXiBCcSGur
F+aqNHIvrQ11xqJgsn533XU+3K3iTfjxAF/Q+XOvgM9lpc4f35PqOtxo6TvIyWvF
XCDNgbZS+jP/M4aHnYaEPxp2V3wCk34GhJ+u23/c/s8/9WdKYxFqoQpf/XDUzBvy
avrAwPNt4VUkxsSvOweCab9858kEffWbcGwulHZ/azLB2w7cP2g1rmDf8O4w0ZwN
UTLfGIYM1K8=
=kYZ5
-----END PGP SIGNATURE-----