-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2013.0095
   A number of vulnerabilities have been identified in Mozilla Firefox,
         Firefox ESR, Thunderbird, Thunderbird ESR and SeaMonkey.
                               7 August 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Mozilla Firefox
                      Mozilla Firefox ESR
                      Mozilla Thunderbird
                      Mozilla Thunderbird ESR
                      Mozilla SeaMonkey
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
                      Android
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Administrator Compromise        -- Existing Account            
                      Cross-site Scripting            -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Access Confidential Data        -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2013-1717 CVE-2013-1715 CVE-2013-1714
                      CVE-2013-1713 CVE-2013-1712 CVE-2013-1711
                      CVE-2013-1710 CVE-2013-1709 CVE-2013-1708
                      CVE-2013-1707 CVE-2013-1706 CVE-2013-1705
                      CVE-2013-1704 CVE-2013-1702 CVE-2013-1701
Member content until: Friday, September  6 2013

OVERVIEW

        Multiple vulnerabilities have been fixed in the latest versions of 
        Mozilla Firefox, Firefox ESR, Thunderbird, Thunderbird ESR and 
        SeaMonkey. [1]


IMPACT

        The vendor has provided the following details regarding these 
        vulnerabilities:
        
        "Mozilla Foundation Security Advisory 2013-63
        
        Title: Miscellaneous memory safety hazards (rv:23.0 / rv:17.0.8)
        Impact: Critical
        Announced: August 6, 2013
        Reporter: Mozilla Developers
        Products: Firefox, Thunderbird, Seamonkey
        
        Fixed in: Firefox 23.0
          Firefox ESR 17.0.8
          Thunderbird 17.0.8
          Thunderbird ESR 17.0.8
          Seamonkey 2.20
        
        Description
        
        Mozilla developers identified and fixed several memory safety bugs in 
        the browser engine used in Firefox and other Mozilla-based products. 
        Some of these bugs showed evidence of memory corruption under certain 
        circumstances, and we presume that with enough effort at least some of 
        these could be exploited to run arbitrary code.
        
        In general these flaws cannot be exploited through email in the 
        Thunderbird product because scripting is disabled, but are potentially
        a risk in browser or browser-like contexts.
        
        References
        
        Jeff Gilbert and Henrik Skupin reported memory safety problems and 
        crashes that affect Firefox ESR 17, and Firefox 22.
        
            Memory safety bugs fixed in Firefox 17.0.8 and Firefox 23.0
            (CVE-2013-1701)
        
        Ben Turner, Christian Holler, Andrew McCreight, Gary Kwong, Jan Varga,
        and Jesse Ruderman reported memory safety problems and crashes that 
        affect Firefox 22.
        
            Memory safety bugs fixed in Firefox 23.0 (CVE-2013-1702)" [2]
        
        "Mozilla Foundation Security Advisory 2013-64
        
        Title: Use after free mutating DOM during SetBody
        Impact: Critical
        Announced: August 6, 2013
        Reporter: Nils
        Products: Firefox, Seamonkey
        
        Fixed in: Firefox 23.0
          Seamonkey 2.20
        
        Description
        
        Security researcher Nils used the Address Sanitizer to discover a 
        use-after-free problem when the Document Object Model is modified 
        during a SetBody mutation event. This causes a potentially exploitable 
        crash.
        
        In general these flaws cannot be exploited through email in the 
        Thunderbird and SeaMonkey products because scripting is disabled, 
        but are potentially a risk in browser or browser-like contexts in 
        those products.
        
        References
        
            ASAN heap-use-after-free in nsINode::GetParentNode 
            (CVE-2013-1704)" [3]
        
        "Mozilla Foundation Security Advisory 2013-65
        
        Title: Buffer underflow when generating CRMF requests
        Impact: Critical
        Announced: August 6, 2013
        Reporter: Nils
        Products: Firefox, Seamonkey
        
        Fixed in: Firefox 23.0
          Seamonkey 2.20
        
        Description
        
        Security researcher Nils used the Address Sanitizer to discover a 
        use-after-free problem when generating a Certificate Request Message
        Format (CRMF) request with certain parameters. This causes a 
        potentially exploitable crash.
        
        In general these flaws cannot be exploited through email in the 
        Thunderbird and SeaMonkey products because scripting is disabled, 
        but are potentially a risk in browser or browser-like contexts in 
        those products.
        
        References
        
            ASAN heap-buffer-overflow (read 1) in 
            cryptojs_interpret_key_gen_type (CVE-2013-1705)" [4]
        
        "Mozilla Foundation Security Advisory 2013-66
        
        Title: Buffer overflow in Mozilla Maintenance Service and Mozilla 
        Updater
        Impact: High
        Announced: August 6, 2013
        Reporter: Seb Patane
        Products: Firefox, Thunderbird
        
        Fixed in: Firefox 23.0
          Firefox ESR 17.0.8
          Thunderbird 17.0.8
          Thunderbird ESR 17.0.8
        
        Description
        
        Security researcher Seb Patane reported stack buffer overflows in 
        both the Maintenance Service and the Mozilla Updater when 
        unexpectedly long paths were encountered. A local attacker could pass 
        these as command-line arguments to the Maintenance Service to crash 
        either program and potentially lead to arbitrary code being run with 
        the Administrator privileges used by the Maintenance Service and 
        inherited by the Updater.
        
        References
        
            Buffer overflow in maintenanceservice.exe (CVE-2013-1706)
            Buffer overflow in Updater (CVE-2013-1707)" [5]
        
        "Mozilla Foundation Security Advisory 2013-67
        
        Title: Crash during WAV audio file decoding
        Impact: Low
        Announced: August 6, 2013
        Reporter: Aki Helin
        Products: Firefox, Thunderbird, Seamonkey
        
        Fixed in: Firefox 23.0
          Seamonkey 2.20
        
        Description
        
        Security researcher Aki Helin from OUSPG used the Address Sanitizer 
        tool to discover a crash during the decoding of WAV format audio 
        files in some instances. This crash is not exploitable but could be 
        used for a denial of service (DOS) attack by malicious parties.
        
        In general these flaws cannot be exploited through email in the 
        Thunderbird and SeaMonkey products because scripting is disabled, but
        are potentially a risk in browser or browser-like contexts in those 
        products.
        
        References
        
            Non-null crash at nsCString::CharAt (CVE-2013-1708)" [6]
        
        "Mozilla Foundation Security Advisory 2013-68
        
        Title: Document URI misrepresentation and masquerading
        Impact: High
        Announced: August 6, 2013
        Reporter: moz_bug_r_a4
        Products: Firefox, Thunderbird, Seamonkey
        
        Fixed in: Firefox 23.0
          Firefox ESR 17.0.8
          Thunderbird 17.0.8
          Thunderbird ESR 17.0.8
          Seamonkey 2.20
        
        Description
        
        Mozilla security researcher moz_bug_r_a4 reported that through an 
        interaction of frames and browser history it was possible to make the 
        browser believe attacker-supplied content came from the location of a
        previous page in browser history. This allows for cross-site 
        scripting (XSS) attacks by loading scripts from a misrepresented 
        malicious site through relative locations and the potential access of 
        stored credentials of a spoofed site.
        
        In general these flaws cannot be exploited through email in the 
        Thunderbird and SeaMonkey products because scripting is disabled, but
        are potentially a risk in browser or browser-like contexts in those 
        products.
        
        References
        
            It's possible to set a document's URI to a different document's 
            URI (CVE-2013-1709)" [7]
        
        "Mozilla Foundation Security Advisory 2013-69
        
        Title: CRMF requests allow for code execution and XSS attacks
        Impact: Critical
        Announced: August 6, 2013
        Reporter: moz_bug_r_a4
        Products: Firefox, Thunderbird, Seamonkey
        
        Fixed in: Firefox 23.0
          Firefox ESR 17.0.8
          Thunderbird 17.0.8
          Thunderbird ESR 17.0.8
          Seamonkey 2.20
        
        Description
        
        Mozilla security researcher moz_bug_r_a4 reported a mechanism to 
        execute arbitrary code or a cross-site scripting (XSS) attack when a 
        Certificate Request Message Format (CRMF) request is generated in 
        certain circumstances.
        
        In general these flaws cannot be exploited through email in the 
        Thunderbird and SeaMonkey products because scripting is disabled, 
        but are potentially a risk in browser or browser-like contexts in 
        those products.
        
        References
        
            Arbitrary code execution using crypto.generateCRMFRequest 
            (CVE-2013-1710)" [8]
        
        "Mozilla Foundation Security Advisory 2013-70
        
        Title: Bypass of XrayWrappers using XBL Scopes
        Impact: Moderate
        Announced: August 6, 2013
        Reporter: Bobby Holley, moz_bug_r_a4
        Products: Firefox, Seamonkey
        
        Fixed in: Firefox 23.0
          Seamonkey 2.20
        
        Description
        
        Mozilla Developer Bobby Holley and Mozilla security researcher 
        moz_bug_r_a4 discovered a mechanism where XBL scopes can be used 
        to circumvent XrayWrappers from within the Chrome on unprivileged 
        objects. This allows web content to potentially confuse privileged 
        code and weaken invariants and can lead to cross-site scripting (XSS)
        attacks.
        
        In general these flaws cannot be exploited through email in the 
        Thunderbird and SeaMonkey products because scripting is disabled, but 
        are potentially a risk in browser or browser-like contexts in those 
        products.
        
        References
        
            XBL scopes can be fooled by invoking XBL functions with 
            non-native arguments (CVE-2013-1711)" [9]
        
        "Mozilla Foundation Security Advisory 2013-71
        
        Title: Further Privilege escalation through Mozilla Updater
        Impact: High
        Announced: August 6, 2013
        Reporter: Ash
        Products: Firefox, Thunderbird
        
        Fixed in: Firefox 23.0
          Firefox ESR 17.0.8
          Thunderbird 17.0.8
          Thunderbird ESR 17.0.8
        
        Description
        
        Security researcher Ash reported an issue with the Mozilla Updater on
        Windows 7 and later versions of Windows. On vulnerable platforms, the
        Mozilla Updater can be made to load a specific malicious DLL file from
        the local system. This DLL file can run in a privileged context 
        through the Mozilla Maintenance Service's privileges, allowing for
        local privilege escalation. The DLL file can also run in an 
        unprivileged context if the Mozilla Updater is run directly by a user
        in the same directory as the file. Local file system access is 
        necessary in order for this issue to be exploitable.
        
        References
        
            The updater.exe loads a dll from the update directory 
            (CVE-2013-1712)" [10]
        
        "Mozilla Foundation Security Advisory 2013-72
        
        Title: Wrong principal used for validating URI for some Javascript 
        components
        Impact: High
        Announced: August 6, 2013
        Reporter: Cody Crews
        Products: Firefox, Thunderbird, Seamonkey
        
        Fixed in: Firefox 23.0
          Firefox ESR 17.0.8
          Thunderbird 17.0.8
          Thunderbird ESR 17.0.8
          Seamonkey 2.20
        
        Description
        
        Security researcher Cody Crews reported that some Javascript 
        components will perform checks against the wrong uniform resource 
        identifier (URI) before performing security sensitive actions. This 
        will return an incorrect location for the originator of the call. 
        This could be used to bypass same-origin policy, allowing for 
        cross-site scripting (XSS) or the installation of malicious add-ons 
        from third-party pages.
        
        In general these flaws cannot be exploited through email in the 
        Thunderbird product because scripting is disabled, but are 
        potentially a risk in browser or browser-like contexts.
        
        References
        
            Can use the wrong principal when validating URI loads 
            (CVE-2013-1713)" [11]
        
        "Mozilla Foundation Security Advisory 2013-73
        
        Title: Same-origin bypass with web workers and XMLHttpRequest
        Impact: High
        Announced: August 6, 2013
        Reporter: Federico Lanusse
        Products: Firefox, Thunderbird, Seamonkey
        
        Fixed in: Firefox 23.0
          Firefox ESR 17.0.8
          Thunderbird 17.0.8
          Thunderbird ESR 17.0.8
          Seamonkey 2.20
        
        Description
        
        Mozilla community member Federico Lanusse reported a mechanism where 
        a web worker can violate same-origin policy and bypass cross-origin
        checks through XMLHttpRequest. This could allow for cross-site 
        scripting (XSS) attacks by web workers.
        
        In general these flaws cannot be exploited through email in the 
        Thunderbird product because scripting is disabled, but are 
        potentially a risk in browser or browser-like contexts.
        
        References
        
            Cross Domain Policy override using webworkers 
            (CVE-2013-1714)" [12]
        
        "Mozilla Foundation Security Advisory 2013-74
        
        Title: Firefox full and stub installer DLL hijacking
        Impact: High
        Announced: August 6, 2013
        Reporter: Robert Kugler, Brian Bondy, Robert Strong
        Products: Firefox
        
        Fixed in: Firefox 23.0
        
        Description
        
        Security researcher Robert Kugler reported in 2012 that when a 
        specifically named DLL file on a Windows computer is placed in the 
        default downloads directory with the Firefox installer, the Firefox
        installer will load this DLL file when it is launched. Mozilla 
        developers Brian Bondy and Robert Strong then discovered that the 
        stub installer was vulnerable to this same issue with a number of 
        DLL files and there were additionally vulnerable named DLL files with
        the full installer. In circumstances where an installer is run by an
        administrator privileged account, this allows for a downloaded DLL
        file to be run with those administrator privileges.
        
        References
        
            Medium integrity DLL Hijacking - Firefox Full installer and Stub
            installer (CVE-2013-1715)
            DLL Hijacking - Firefox Stub installer" [13]
        
        "Mozilla Foundation Security Advisory 2013-75
        
        Title: Local Java applets may read contents of local file system
        Impact: High
        Announced: August 6, 2013
        Reporter: Georgi Guninski, John Schoenick
        Products: Firefox, Thunderbird, Seamonkey
        
        Fixed in: Firefox 23.0
          Firefox ESR 17.0.8
          Thunderbird 17.0.8
          Thunderbird ESR 17.0.8
          Seamonkey 2.20
        
        Description
        
        Security researcher Georgi Guninski reported an issue with Java 
        applets where in some circumstances the applet could access files on 
        the local system when loaded using a file:/// URI and violate 
        file origin policy due to interaction with the codebase parameter. 
        This affects applets running on the local file system. Mozilla 
        developer John Schoenick later discovered that fixes for this issue 
        were inadequate and allowed the invocation of Java applets to bypass
        security checks in additional circumstances. This could lead to 
        untrusted Java applets having read-only access on the local file 
        system if used in conjunction with a method to download a file to a
        known or guessable path.
        
        In general these flaws cannot be exploited through email in the 
        Thunderbird product because scripting is disabled, but are potentially
        a risk in browser or browser-like contexts.
        
        References
        
            local java applet may read arbitrary files under certain 
            circumstances (CVE-2013-1717)
            Java applets may read arbitrary files on a user's system" [14]


MITIGATION

        It is recommended that users update to the latest versions of Mozilla
        Firefox, Firefox ESR, Thunderbird, Thunderbird ESR and SeaMonkey to 
        correct these issues.
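        The following script is an added example, not part of this bulletin or
        of Mozilla's advisories: it checks product/version pairs from a
        constructed software inventory against the fixed versions quoted above,
        treating any Firefox or Thunderbird 17.0.x build as an ESR-branch
        install that needs 17.0.8 rather than 23.0.

```python
"""Version check against the fixed versions quoted in ASB-2013.0095 (added
example; not AusCERT's or Mozilla's code; the inventory lines are constructed)."""
from itertools import takewhile
from typing import Optional, Tuple

# Fixed versions quoted in MFSA 2013-63 through 2013-75.
FIXED = {
    "firefox": "23.0",
    "firefox-esr": "17.0.8",
    "thunderbird": "17.0.8",
    "thunderbird-esr": "17.0.8",
    "seamonkey": "2.20",
}

def parse_version(v: str) -> Tuple[int, ...]:
    """'17.0.8' -> (17, 0, 8); a non-numeric tail such as 'b3' is dropped."""
    parts = []
    for piece in v.split("."):
        digits = "".join(takewhile(str.isdigit, piece))
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def cmp_versions(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Compare tuples, padding with zeros so that 17.0 == 17.0.0."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)

def resolve_branch(product: str, version: str) -> str:
    """Map product/version to a FIXED key. Any Firefox or Thunderbird 17.0.x
    build is on the ESR branch and must be compared with 17.0.8, not 23.0."""
    product = product.lower()
    major, minor = (parse_version(version) + (0, 0))[:2]
    if product in ("firefox", "thunderbird") and (major, minor) == (17, 0):
        return product + "-esr"
    return product

def is_affected(product: str, version: str) -> Optional[bool]:
    """True below the fixed version, False at/above it, None if not covered."""
    fixed = FIXED.get(resolve_branch(product, version))
    if fixed is None:
        return None
    return cmp_versions(parse_version(version), parse_version(fixed)) < 0

# Constructed inventory lines ("host product version"), not real hosts.
SAMPLE_INVENTORY = """\
ws01 Firefox 22.0
ws02 Firefox 23.0
ws03 Firefox 17.0.7
srv1 Thunderbird 17.0.8
ws04 SeaMonkey 2.19
ws05 Chromium 28.0
"""
STATUS = {True: "AFFECTED", False: "fixed", None: "not covered"}

def report(inventory: str):
    """Return (host, product, version, status) for each non-blank line."""
    rows = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, product, version = line.split()
        rows.append((host, product, version, STATUS[is_affected(product, version)]))
    return rows
```

        Call report(SAMPLE_INVENTORY) to list which sample hosts still need the
        update; the inventory format (one "host product version" per line) is an
        assumption of this example.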


REFERENCES

        [1] Security Advisories for Firefox
            https://www.mozilla.org/security/known-vulnerabilities/firefox.html

        [2] Mozilla Foundation Security Advisory 2013-63
            https://www.mozilla.org/security/announce/2013/mfsa2013-63.html

        [3] Mozilla Foundation Security Advisory 2013-64
            https://www.mozilla.org/security/announce/2013/mfsa2013-64.html

        [4] Mozilla Foundation Security Advisory 2013-65
            https://www.mozilla.org/security/announce/2013/mfsa2013-65.html

        [5] Mozilla Foundation Security Advisory 2013-66
            https://www.mozilla.org/security/announce/2013/mfsa2013-66.html

        [6] Mozilla Foundation Security Advisory 2013-67
            https://www.mozilla.org/security/announce/2013/mfsa2013-67.html

        [7] Mozilla Foundation Security Advisory 2013-68
            https://www.mozilla.org/security/announce/2013/mfsa2013-68.html

        [8] Mozilla Foundation Security Advisory 2013-69
            https://www.mozilla.org/security/announce/2013/mfsa2013-69.html

        [9] Mozilla Foundation Security Advisory 2013-70
            https://www.mozilla.org/security/announce/2013/mfsa2013-70.html

        [10] Mozilla Foundation Security Advisory 2013-71
             https://www.mozilla.org/security/announce/2013/mfsa2013-71.html

        [11] Mozilla Foundation Security Advisory 2013-72
             https://www.mozilla.org/security/announce/2013/mfsa2013-72.html

        [12] Mozilla Foundation Security Advisory 2013-73
             https://www.mozilla.org/security/announce/2013/mfsa2013-73.html

        [13] Mozilla Foundation Security Advisory 2013-74
             https://www.mozilla.org/security/announce/2013/mfsa2013-74.html

        [14] Mozilla Foundation Security Advisory 2013-75
             https://www.mozilla.org/security/announce/2013/mfsa2013-75.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----