===========================================================================
             AUSCERT Security Bulletin ASB-2013.0095
   A number of vulnerabilities have been identified in Mozilla Firefox,
        Firefox ESR, Thunderbird, Thunderbird ESR and SeaMonkey.
                              7 August 2013
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Mozilla Firefox
                   Mozilla Firefox ESR
                   Mozilla Thunderbird
                   Mozilla Thunderbird ESR
                   Mozilla SeaMonkey
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
                   Android
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Administrator Compromise        -- Existing Account
                   Cross-site Scripting            -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-1717 CVE-2013-1715 CVE-2013-1714 CVE-2013-1713
                   CVE-2013-1712 CVE-2013-1711 CVE-2013-1710 CVE-2013-1709
                   CVE-2013-1708 CVE-2013-1707 CVE-2013-1706 CVE-2013-1705
                   CVE-2013-1704 CVE-2013-1702 CVE-2013-1701
Member content until: Friday, September 6 2013

OVERVIEW

        Multiple vulnerabilities have been fixed in the latest versions of
        Mozilla Firefox, Firefox ESR, Thunderbird, Thunderbird ESR and
        SeaMonkey. [1]

IMPACT

        The vendor has provided the following details regarding these
        vulnerabilities:

        "Mozilla Foundation Security Advisory 2013-63

        Title:     Miscellaneous memory safety hazards (rv:23.0 / rv:17.0.8)
        Impact:    Critical
        Announced: August 6, 2013
        Reporter:  Mozilla Developers
        Products:  Firefox, Thunderbird, Seamonkey
        Fixed in:  Firefox 23.0
                   Firefox ESR 17.0.8
                   Thunderbird 17.0.8
                   Thunderbird ESR 17.0.8
                   Seamonkey 2.20

        Description

        Mozilla developers identified and fixed several memory safety bugs
        in the browser engine used in Firefox and other Mozilla-based
        products. Some of these bugs showed evidence of memory corruption
        under certain circumstances, and we presume that with enough effort
        at least some of these could be exploited to run arbitrary code.

        In general these flaws cannot be exploited through email in the
        Thunderbird product because scripting is disabled, but are
        potentially a risk in browser or browser-like contexts.

        References

        Jeff Gilbert and Henrik Skupin reported memory safety problems and
        crashes that affect Firefox ESR 17, and Firefox 22.
          Memory safety bugs fixed in Firefox 17.0.8 and Firefox 23.0
          (CVE-2013-1701)

        Ben Turner, Christian Holler, Andrew McCreight, Gary Kwong, Jan
        Varga, and Jesse Ruderman reported memory safety problems and
        crashes that affect Firefox 22.
          Memory safety bugs fixed in Firefox 23.0 (CVE-2013-1702)" [2]

        "Mozilla Foundation Security Advisory 2013-64

        Title:     Use after free mutating DOM during SetBody
        Impact:    Critical
        Announced: August 6, 2013
        Reporter:  Nils
        Products:  Firefox, Seamonkey
        Fixed in:  Firefox 23.0
                   Seamonkey 2.20

        Description

        Security researcher Nils used the Address Sanitizer to discover a
        use-after-free problem when the Document Object Model is modified
        during a SetBody mutation event. This causes a potentially
        exploitable crash.

        In general these flaws cannot be exploited through email in the
        Thunderbird and SeaMonkey products because scripting is disabled,
        but are potentially a risk in browser or browser-like contexts in
        those products.

        References

        ASAN heap-use-after-free in nsINode::GetParentNode
        (CVE-2013-1704)" [3]

        "Mozilla Foundation Security Advisory 2013-65

        Title:     Buffer underflow when generating CRMF requests
        Impact:    Critical
        Announced: August 6, 2013
        Reporter:  Nils
        Products:  Firefox, Seamonkey
        Fixed in:  Firefox 23.0
                   Seamonkey 2.20

        Description

        Security researcher Nils used the Address Sanitizer to discover a
        use-after-free problem when generating a Certificate Request Message
        Format (CRMF) request with certain parameters. This causes a
        potentially exploitable crash.

        In general these flaws cannot be exploited through email in the
        Thunderbird and SeaMonkey products because scripting is disabled,
        but are potentially a risk in browser or browser-like contexts in
        those products.

        References

        ASAN heap-buffer-overflow (read 1) in cryptojs_interpret_key_gen_type
        (CVE-2013-1705)" [4]

        "Mozilla Foundation Security Advisory 2013-66

        Title:     Buffer overflow in Mozilla Maintenance Service and
                   Mozilla Updater
        Impact:    High
        Announced: August 6, 2013
        Reporter:  Seb Patane
        Products:  Firefox, Thunderbird
        Fixed in:  Firefox 23.0
                   Firefox ESR 17.0.8
                   Thunderbird 17.0.8
                   Thunderbird ESR 17.0.8

        Description

        Security researcher Seb Patane reported stack buffer overflows in
        both the Maintenance Service and the Mozilla Updater when
        unexpectedly long paths were encountered. A local attacker could
        pass these as command-line arguments to the Maintenance Service to
        crash either program and potentially lead to arbitrary code being
        run with the Administrator privileges used by the Maintenance
        Service and inherited by the Updater.

        References

        Buffer overflow in maintenanceservice.exe (CVE-2013-1706)
        Buffer overflow in Updater (CVE-2013-1707)" [5]

        "Mozilla Foundation Security Advisory 2013-67

        Title:     Crash during WAV audio file decoding
        Impact:    Low
        Announced: August 6, 2013
        Reporter:  Aki Helin
        Products:  Firefox, Thunderbird, Seamonkey
        Fixed in:  Firefox 23.0
                   Seamonkey 2.20

        Description

        Security researcher Aki Helin from OUSPG used the Address Sanitizer
        tool to discover a crash during the decoding of WAV format audio
        files in some instances. This crash is not exploitable but could be
        used for a denial of service (DOS) attack by malicious parties.

        In general these flaws cannot be exploited through email in the
        Thunderbird and SeaMonkey products because scripting is disabled,
        but are potentially a risk in browser or browser-like contexts in
        those products.

        References

        Non-null crash at nsCString::CharAt (CVE-2013-1708)" [6]

        "Mozilla Foundation Security Advisory 2013-68

        Title:     Document URI misrepresentation and masquerading
        Impact:    High
        Announced: August 6, 2013
        Reporter:  moz_bug_r_a4
        Products:  Firefox, Thunderbird, Seamonkey
        Fixed in:  Firefox 23.0
                   Firefox ESR 17.0.8
                   Thunderbird 17.0.8
                   Thunderbird ESR 17.0.8
                   Seamonkey 2.20

        Description

        Mozilla security researcher moz_bug_r_a4 reported that through an
        interaction of frames and browser history it was possible to make
        the browser believe attacker-supplied content came from the location
        of a previous page in browser history. This allows for cross-site
        scripting (XSS) attacks by loading scripts from a misrepresented
        malicious site through relative locations and the potential access
        of stored credentials of a spoofed site.

        In general these flaws cannot be exploited through email in the
        Thunderbird and SeaMonkey products because scripting is disabled,
        but are potentially a risk in browser or browser-like contexts in
        those products.

        References

        It's possible to set a document's URI to a different document's URI
        (CVE-2013-1709)" [7]

        "Mozilla Foundation Security Advisory 2013-69

        Title:     CRMF requests allow for code execution and XSS attacks
        Impact:    Critical
        Announced: August 6, 2013
        Reporter:  moz_bug_r_a4
        Products:  Firefox, Thunderbird, Seamonkey
        Fixed in:  Firefox 23.0
                   Firefox ESR 17.0.8
                   Thunderbird 17.0.8
                   Thunderbird ESR 17.0.8
                   Seamonkey 2.20

        Description

        Mozilla security researcher moz_bug_r_a4 reported a mechanism to
        execute arbitrary code or a cross-site scripting (XSS) attack when
        a Certificate Request Message Format (CRMF) request is generated in
        certain circumstances.

        In general these flaws cannot be exploited through email in the
        Thunderbird and SeaMonkey products because scripting is disabled,
        but are potentially a risk in browser or browser-like contexts in
        those products.

        References

        Arbitrary code execution using crypto.generateCRMFRequest
        (CVE-2013-1710)" [8]

        "Mozilla Foundation Security Advisory 2013-70

        Title:     Bypass of XrayWrappers using XBL Scopes
        Impact:    Moderate
        Announced: August 6, 2013
        Reporter:  Bobby Holley, moz_bug_r_a4
        Products:  Firefox, Seamonkey
        Fixed in:  Firefox 23.0
                   Seamonkey 2.20

        Description

        Mozilla Developer Bobby Holley and Mozilla security researcher
        moz_bug_r_a4 discovered a mechanism where XBL scopes can be used to
        circumvent XrayWrappers from within the Chrome on unprivileged
        objects. This allows web content to potentially confuse privileged
        code and weaken invariants and can lead to cross-site scripting
        (XSS) attacks.

        In general these flaws cannot be exploited through email in the
        Thunderbird and SeaMonkey products because scripting is disabled,
        but are potentially a risk in browser or browser-like contexts in
        those products.

        References

        XBL scopes can be fooled by invoking XBL functions with non-native
        arguments (CVE-2013-1711)" [9]

        "Mozilla Foundation Security Advisory 2013-71

        Title:     Further Privilege escalation through Mozilla Updater
        Impact:    High
        Announced: August 6, 2013
        Reporter:  Ash
        Products:  Firefox, Thunderbird
        Fixed in:  Firefox 23.0
                   Firefox ESR 17.0.8
                   Thunderbird 17.0.8
                   Thunderbird ESR 17.0.8

        Description

        Security researcher Ash reported an issue with the Mozilla Updater
        on Windows 7 and later versions of Windows. On vulnerable platforms,
        the Mozilla Updater can be made to load a specific malicious DLL
        file from the local system. This DLL file can run in a privileged
        context through the Mozilla Maintenance Service's privileges,
        allowing for local privilege escalation. The DLL file can also run
        in an unprivileged context if the Mozilla Updater is run directly
        by a user in the same directory as the file. Local file system
        access is necessary in order for this issue to be exploitable.

        References

        The updater.exe loads a dll from the update directory
        (CVE-2013-1712)" [10]

        "Mozilla Foundation Security Advisory 2013-72

        Title:     Wrong principal used for validating URI for some
                   Javascript components
        Impact:    High
        Announced: August 6, 2013
        Reporter:  Cody Crews
        Products:  Firefox, Thunderbird, Seamonkey
        Fixed in:  Firefox 23.0
                   Firefox ESR 17.0.8
                   Thunderbird 17.0.8
                   Thunderbird ESR 17.0.8
                   Seamonkey 2.20

        Description

        Security researcher Cody Crews reported that some Javascript
        components will perform checks against the wrong uniform resource
        identifier (URI) before performing security sensitive actions. This
        will return an incorrect location for the originator of the call.
        This could be used to bypass same-origin policy, allowing for
        cross-site scripting (XSS) or the installation of malicious add-ons
        from third-party pages.

        In general these flaws cannot be exploited through email in the
        Thunderbird product because scripting is disabled, but are
        potentially a risk in browser or browser-like contexts.

        References

        Can use the wrong principal when validating URI loads
        (CVE-2013-1713)" [11]

        "Mozilla Foundation Security Advisory 2013-73

        Title:     Same-origin bypass with web workers and XMLHttpRequest
        Impact:    High
        Announced: August 6, 2013
        Reporter:  Federico Lanusse
        Products:  Firefox, Thunderbird, Seamonkey
        Fixed in:  Firefox 23.0
                   Firefox ESR 17.0.8
                   Thunderbird 17.0.8
                   Thunderbird ESR 17.0.8
                   Seamonkey 2.20

        Description

        Mozilla community member Federico Lanusse reported a mechanism
        where a web worker can violate same-origin policy and bypass
        cross-origin checks through XMLHttpRequest. This could allow for
        cross-site scripting (XSS) attacks by web workers.

        In general these flaws cannot be exploited through email in the
        Thunderbird product because scripting is disabled, but are
        potentially a risk in browser or browser-like contexts.

        References

        Cross Domain Policy override using webworkers (CVE-2013-1714)" [12]

        "Mozilla Foundation Security Advisory 2013-74

        Title:     Firefox full and stub installer DLL hijacking
        Impact:    High
        Announced: August 6, 2013
        Reporter:  Robert Kugler, Brian Bondy, Robert Strong
        Products:  Firefox
        Fixed in:  Firefox 23.0

        Description

        Security researcher Robert Kugler reported in 2012 that when a
        specifically named DLL file on a Windows computer is placed in the
        default downloads directory with the Firefox installer, the Firefox
        installer will load this DLL file when it is launched. Mozilla
        developers Brian Bondy and Robert Strong then discovered that the
        stub installer was vulnerable to this same issue with a number of
        DLL files and there were additionally vulnerable named DLL files
        with the full installer. In circumstances where an installer is run
        by an administrator privileged account, this allows for a downloaded
        DLL file to be run with those administrator privileges.

        References

        Medium integrity DLL Hijacking - Firefox Full installer and Stub
        installer (CVE-2013-1715)
        DLL Hijacking - Firefox Stub installer" [13]

        "Mozilla Foundation Security Advisory 2013-75

        Title:     Local Java applets may read contents of local file system
        Impact:    High
        Announced: August 6, 2013
        Reporter:  Georgi Guninski, John Schoenick
        Products:  Firefox, Thunderbird, Seamonkey
        Fixed in:  Firefox 23.0
                   Firefox ESR 17.0.8
                   Thunderbird 17.0.8
                   Thunderbird ESR 17.0.8
                   Seamonkey 2.20

        Description

        Security researcher Georgi Guninski reported an issue with Java
        applets where in some circumstances the applet could access files
        on the local system when loaded using a file:/// URI and violate
        file origin policy due to interaction with the codebase parameter.
        This affects applets running on the local file system. Mozilla
        developer John Schoenick later discovered that fixes for this issue
        were inadequate and allowed the invocation of Java applets to bypass
        security checks in additional circumstances. This could lead to
        untrusted Java applets having read-only access on the local file
        system if used in conjunction with a method to download a file to a
        known or guessable path.

        In general these flaws cannot be exploited through email in the
        Thunderbird product because scripting is disabled, but are
        potentially a risk in browser or browser-like contexts.

        References

        local java applet may read arbitrary files under certain
        circumstances (CVE-2013-1717)
        Java applets may read arbitrary files on a user's system" [14]

MITIGATION

        It is recommended that users update to the latest versions of
        Mozilla Firefox, Firefox ESR, Thunderbird, Thunderbird ESR and
        SeaMonkey to correct these issues.

REFERENCES

        [1] Security Advisories for Firefox
            https://www.mozilla.org/security/known-vulnerabilities/firefox.html

        [2] Mozilla Foundation Security Advisory 2013-63
            https://www.mozilla.org/security/announce/2013/mfsa2013-63.html

        [3] Mozilla Foundation Security Advisory 2013-64
            https://www.mozilla.org/security/announce/2013/mfsa2013-64.html

        [4] Mozilla Foundation Security Advisory 2013-65
            https://www.mozilla.org/security/announce/2013/mfsa2013-65.html

        [5] Mozilla Foundation Security Advisory 2013-66
            https://www.mozilla.org/security/announce/2013/mfsa2013-66.html

        [6] Mozilla Foundation Security Advisory 2013-67
            https://www.mozilla.org/security/announce/2013/mfsa2013-67.html

        [7] Mozilla Foundation Security Advisory 2013-68
            https://www.mozilla.org/security/announce/2013/mfsa2013-68.html

        [8] Mozilla Foundation Security Advisory 2013-69
            https://www.mozilla.org/security/announce/2013/mfsa2013-69.html

        [9] Mozilla Foundation Security Advisory 2013-70
            https://www.mozilla.org/security/announce/2013/mfsa2013-70.html

        [10] Mozilla Foundation Security Advisory 2013-71
             https://www.mozilla.org/security/announce/2013/mfsa2013-71.html

        [11] Mozilla Foundation Security Advisory 2013-72
             https://www.mozilla.org/security/announce/2013/mfsa2013-72.html

        [12] Mozilla Foundation Security Advisory 2013-73
             https://www.mozilla.org/security/announce/2013/mfsa2013-73.html

        [13] Mozilla Foundation Security Advisory 2013-74
             https://www.mozilla.org/security/announce/2013/mfsa2013-74.html

        [14] Mozilla Foundation Security Advisory 2013-75
             https://www.mozilla.org/security/announce/2013/mfsa2013-75.html

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
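The MITIGATION section above recommends updating to the fixed releases. The following check, added here and not part of the AusCERT bulletin or of Mozilla's advisories, reads a "Fixed in:" line in the format quoted above and reports whether an installed build is at or above the fixed version; the product names, the lower-cased keys and the "esr"-suffixed version-string format are assumptions.

```python
"""Compare installed Mozilla product versions against the 'Fixed in:'
versions quoted in ASB-2013.0095 (added example, not the bulletin's code)."""
import re

# Constructed input that copies the "Fixed in:" layout of MFSA 2013-63.
FIXED_IN_TEXT = ("Fixed in: Firefox 23.0 Firefox ESR 17.0.8 Thunderbird 17.0.8 "
                 "Thunderbird ESR 17.0.8 Seamonkey 2.20")

# A product name, optionally followed by " ESR", then a dotted version.
_ENTRY = re.compile(r"([A-Za-z]+(?: ESR)?) (\d+(?:\.\d+)*)")


def parse_fixed_in(text):
    """Map each product (lower-cased, e.g. 'firefox esr') to its fixed version."""
    body = text.split("Fixed in:", 1)[1]
    return {name.lower(): ver for name, ver in _ENTRY.findall(body)}


def parse_version(text):
    """'17.0.8esr' -> (17, 0, 8). Non-numeric suffixes such as 'esr' or 'b2'
    are dropped (assumption: they never change ordering), and the tuple is
    padded to three parts so that '23' and '23.0' compare equal."""
    nums = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        nums.append(int(m.group()))
    return tuple(nums + [0] * max(0, 3 - len(nums)))


def is_patched(product, installed, fixed=None):
    """True if `installed` is at least the fixed version for `product`.
    An 'esr' suffix in the installed version selects the ESR row when one
    exists. Unknown products raise KeyError rather than being reported safe."""
    if fixed is None:
        fixed = parse_fixed_in(FIXED_IN_TEXT)
    key = product.lower()
    if "esr" in installed.lower() and key + " esr" in fixed:
        key += " esr"
    return parse_version(installed) >= parse_version(fixed[key])


if __name__ == "__main__":
    # Constructed sample inventory: (product, version string as reported).
    for product, version in [("Firefox", "22.0"), ("Firefox", "17.0.8esr"),
                             ("Thunderbird", "17.0.7"), ("SeaMonkey", "2.20")]:
        state = "patched" if is_patched(product, version) else "UPDATE NEEDED"
        print(f"{product} {version}: {state}")
```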
===========================================================================