-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2013.0109
   A number of vulnerabilities have been identified in Mozilla Firefox,
        Firefox ESR, Thunderbird, Thunderbird ESR and SeaMonkey
                             18 September 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Mozilla Firefox
                   Mozilla Firefox ESR
                   Mozilla Thunderbird
                   Mozilla Thunderbird ESR
                   Mozilla SeaMonkey
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
                   Android
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Access Privileged Data          -- Remote with User Interaction
                   Modify Arbitrary Files          -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
                   Reduced Security                -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-1738 CVE-2013-1737 CVE-2013-1736 CVE-2013-1735
                   CVE-2013-1732 CVE-2013-1731 CVE-2013-1730 CVE-2013-1729
                   CVE-2013-1728 CVE-2013-1727 CVE-2013-1726 CVE-2013-1725
                   CVE-2013-1724 CVE-2013-1723 CVE-2013-1722 CVE-2013-1721
                   CVE-2013-1720 CVE-2013-1718

Member content until: Friday, October 18 2013

OVERVIEW

        Multiple vulnerabilities have been fixed in the latest versions of
        Mozilla Firefox, Firefox ESR, Thunderbird, Thunderbird ESR and
        SeaMonkey. [1]

IMPACT

        The vendor has provided the following details regarding these
        vulnerabilities:

        CVE-2013-1718:
        "Mozilla developers identified and fixed several memory safety bugs
        in the browser engine used in Firefox and other Mozilla-based
        products. Some of these bugs showed evidence of memory corruption
        under certain circumstances, and we presume that with enough effort
        at least some of these could be exploited to run arbitrary code." [1]

        CVE-2013-1720:
        "Using the Address Sanitizer tool, security researcher Atte Kettunen
        from OUSPG found that the HTML5 Tree Builder does not properly store
        state when interacting with template elements. Because some stack
        information is incorrectly stored, the template insertion mode stack
        can be used when it is empty. This could possibly lead to code
        execution in some circumstances." [2]

        CVE-2013-1721:
        "Security researcher Alex Chapman reported that the Almost Native
        Graphics Layer Engine (ANGLE) library used by Mozilla is vulnerable
        to an integer overflow. This vulnerability is present because of
        insufficient bounds checking in the drawLineLoop function, which can
        be driven by web content to overflow allocated memory, leading to a
        potentially exploitable crash." [3]

        CVE-2013-1722:
        "Security researcher Abhishek Arya (Inferno) of the Google Chrome
        Security Team used the Address Sanitizer tool to discover a
        use-after-free problem in the Animation Manager during the cloning
        of stylesheets. This can lead to a potentially exploitable crash." [4]

        CVE-2013-1723:
        "Mozilla developer Masayuki Nakano discovered that the NativeKey
        widget continues handling key messages even when it is destroyed by
        dispatched event listeners. This could result in some key events
        being applied to other objects or plugins if the widget memory is
        reallocated to them, leading to a non-exploitable crash." [5]

        CVE-2013-1724:
        "Security researcher Scott Bell used the Address Sanitizer tool to
        discover a use-after-free when using a <select> element in a form
        after it has been destroyed. This could lead to a potentially
        exploitable crash." [6]

        CVE-2013-1725:
        "Mozilla community member Ms2ger found a mechanism where a new
        JavaScript object whose compartment is uninitialized could be
        entered through web content. When the scope for this object is
        called, it leads to a potentially exploitable crash." [7]

        CVE-2013-1726:
        "Security researcher Seb Patane reported that the Mozilla Updater
        does not write-lock the MAR update file when it is in use by the
        Updater. This leaves open the possibility of altering the contents
        of the MAR file after the signature on the file has been verified
        as valid but before it has been used. This could allow an attacker
        with access to the local system to silently replace the contents of
        the update MAR file and either replace the installed software with
        their own or extract and run executable files with the same
        privileges as that of the Mozilla Updater." [8]

        CVE-2013-1727:
        "Security researcher Takeshi Terada reported a mechanism to violate
        same-origin policy for local files using file:// through the use of
        symbolic links. This problem only affects web pages loaded from the
        local filesystem. This could allow for cross-site scripting (XSS)
        and access to locally stored Firefox files containing passwords and
        cookies." [9]

        CVE-2013-1728:
        "Software developer Dan Gohman of Google reported uninitialized data
        and variables in the IonMonkey JavaScript engine when running the
        engine in Valgrind mode. This could be combined with additional
        exploits to allow the reading and use of previously allocated
        memory in some circumstances." [10]

        CVE-2013-1729:
        "Mozilla developer Victor Porof reported a flaw in the NVIDIA OS X
        graphic drivers that would allow portions of a user's desktop or
        other visible applications to be incorporated into WebGL canvases.
        This could result in personal information becoming available to
        web content." [11]

        CVE-2013-1731:
        "Mozilla developer Vladimir Vukicevic reported that Firefox for
        Android will optionally load a shared object (.so) library in order
        to enable GL tracing. When this occurs, it can be from a world
        writable location, allowing for it to be replaced by malicious
        third party applications before it is loaded by Firefox. This would
        allow for accessing of all Firefox data or for malicious code to be
        run by Firefox. This flaw requires malicious software to be loaded
        on the device and is not accessible by web content." [12]

        CVE-2013-1730:
        "Security researcher Sachin Shinde reported that moving certain
        XBL-backed nodes from a document into the replacement document
        created by document.open() can cause a JavaScript compartment
        mismatch which can often lead to exploitable conditions. Starting
        with Firefox 20 this condition was turned into a run-time assertion
        that would crash the browser in an unexploitable way, and in
        Firefox 24 the underlying cause was fixed." [13]

        CVE-2013-1732:
        "Security researcher Aki Helin reported that combining lists,
        floats, and multiple columns could trigger a potentially
        exploitable buffer overflow." [14]

        CVE-2013-1735 & CVE-2013-1736:
        "Security researcher Nils reported two potentially exploitable
        memory corruption bugs involving scrolling. The first was a
        use-after-free condition due to scrolling an image document. The
        second was due to nodes in a range request being added as children
        of two different parents." [15]

        CVE-2013-1737:
        "Mozilla developer Boris Zbarsky reported that user-defined getters
        on DOM proxies would incorrectly get the expando object as this. It
        is unlikely that this is directly exploitable but could lead to
        JavaScript client or add-on code making incorrect security
        sensitive decisions based on hacker supplied values." [16]

        CVE-2013-1738:
        "Security researcher Nils reported a potentially exploitable
        use-after-free in an early test version of Firefox 25. Mozilla
        developer Bobby Holley found that the cause was an older garbage
        collection bug that a more recent change made easier to trigger." [17]

MITIGATION

        It is recommended that users update to the latest versions of
        Mozilla Firefox, Firefox ESR, Thunderbird, Thunderbird ESR and
        SeaMonkey to correct these issues. [1]

        Note that two of the issues are local only: CVE-2013-1726 (Mozilla
        Updater) requires an attacker who already has access to the local
        system, and CVE-2013-1731 (Firefox for Android) requires malicious
        software already installed on the device; neither is reachable from
        web content. The remaining issues are reachable from web content
        and require the user to load attacker-controlled content.
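The CVE-2013-1726 description above is a verify-then-use race: the signature is checked on the file at one moment and the file is read again, from the same path, at a later moment. The following is an added example (not Mozilla's updater code) that shows the racy shape next to a hardened one. A SHA-256 digest pinned in a manifest stands in for the MAR signature check, and the local attacker is simulated by a callback that runs between verification and use, which is what a process with write access to the downloaded file could do in that window.

```python
"""Verify-then-use race on an update file (the pattern behind CVE-2013-1726).

Added example, not Mozilla code. A pinned SHA-256 digest stands in for the MAR
signature; the `attacker` callback stands in for a local process that writes
to the update file while the updater sits between the check and the use.
"""
import hashlib
import hmac
import os
import tempfile


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def apply_update_racy(path, expected_digest, attacker=None):
    """Vulnerable: verifies the file by path, then reopens the path to use it.

    Anything written to `path` between the two opens is applied unverified.
    """
    with open(path, "rb") as f:
        if not hmac.compare_digest(digest(f.read()), expected_digest):
            raise ValueError("update file failed verification")
    if attacker is not None:
        attacker(path)           # window: file is closed, nothing holds it
    with open(path, "rb") as f:  # second open may see the attacker's bytes
        return f.read()          # stand-in for "extract and run"


def apply_update_safe(path, expected_digest, attacker=None):
    """Hardened: read once, verify those bytes, and use only those bytes.

    Whatever happens to the path afterwards cannot change what is applied.
    (The bulletin's own fix is to keep the MAR write-locked while the updater
    holds it; either way the verified data and the used data must be the same.)
    """
    with open(path, "rb") as f:
        payload = f.read()
    if not hmac.compare_digest(digest(payload), expected_digest):
        raise ValueError("update file failed verification")
    if attacker is not None:
        attacker(path)           # same window, but we never go back to the path
    return payload


def demo():
    """Run both updaters against the same race; return what each applied."""
    good = b"signed-update-v24"       # constructed sample payload
    evil = b"attacker-payload"        # constructed sample payload
    manifest_digest = digest(good)    # what a verified manifest would pin

    def attacker(path):
        with open(path, "wb") as f:   # local attacker overwrites the MAR in place
            f.write(evil)

    results = {}
    for name, fn in (("racy", apply_update_racy), ("safe", apply_update_safe)):
        fd, path = tempfile.mkstemp(suffix=".mar")
        os.close(fd)
        try:
            with open(path, "wb") as f:
                f.write(good)
            results[name] = fn(path, manifest_digest, attacker)
        finally:
            os.unlink(path)

    # A file tampered *before* the check is rejected by both; that was never the bug.
    fd, path = tempfile.mkstemp(suffix=".mar")
    os.close(fd)
    try:
        with open(path, "wb") as f:
            f.write(evil)
        try:
            apply_update_safe(path, manifest_digest)
            results["tampered_before_check"] = "applied"
        except ValueError:
            results["tampered_before_check"] = "rejected"
    finally:
        os.unlink(path)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome!r}")
```

The racy variant applies `attacker-payload` even though verification passed; the safe variant applies the bytes it verified. Note that an advisory lock (`fcntl.flock`) would not close this window on POSIX, since other processes are free to ignore it; reading once and using the verified buffer (or the verified open descriptor) is what removes the second trip through the path.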
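The CVE-2013-1731 description above is the other local-only issue: a shared object is loaded from a location other applications can write to, so it can be swapped before it is loaded. The check a loader should run first is shown in the following added example (not Firefox code, and the `libgltrace.so` name and `gltrace` directory in the fixture are constructed for the demonstration). It walks every component of the resolved path and refuses to load if any of them is a symlink, is owned by someone other than the current user or root, or is writable by group or others; a world-writable directory is tolerated only when it has the sticky bit (as /tmp does), because then other users cannot rename or unlink our entry inside it.

```python
"""Refuse to load a shared object from a location another user could replace
(the pattern behind CVE-2013-1731). Added example, not Firefox code; POSIX only.
"""
import ctypes
import os
import stat
import tempfile


def check_library_path(path):
    """Return (ok, reason). ok is False if any component of the path is untrusted."""
    real = os.path.realpath(path)        # resolve symlinks once, then judge the target
    me = os.geteuid()
    cur = real
    while True:
        try:
            st = os.lstat(cur)
        except FileNotFoundError:
            return False, f"{cur}: does not exist"
        if stat.S_ISLNK(st.st_mode):
            return False, f"{cur}: is a symlink"      # defensive; realpath removed them
        if st.st_uid not in (me, 0):
            return False, f"{cur}: owned by uid {st.st_uid}, not us or root"
        writable_by_others = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
        if cur == real:                                # the library file itself
            if not stat.S_ISREG(st.st_mode):
                return False, f"{cur}: not a regular file"
            if writable_by_others:
                return False, f"{cur}: file writable by group/others"
        else:                                          # an ancestor directory
            if writable_by_others and not (st.st_mode & stat.S_ISVTX):
                return False, f"{cur}: directory writable by group/others without sticky bit"
        parent = os.path.dirname(cur)
        if parent == cur:                              # reached the filesystem root
            return True, "ok"
        cur = parent


def load_library_safely(path):
    """dlopen() the library only after the path check passes.

    If the check passes, no other user can swap the file between check and
    load, because nothing on the path is writable by them.
    """
    ok, reason = check_library_path(path)
    if not ok:
        raise PermissionError(f"refusing to load {path}: {reason}")
    return ctypes.CDLL(os.path.realpath(path))


def demo():
    """Constructed fixture: a stub .so under a world-writable dir, then fixed."""
    base = tempfile.mkdtemp()                  # mode 0700, owned by us
    libdir = os.path.join(base, "gltrace")     # hypothetical GL-tracing library dir
    os.mkdir(libdir)
    os.chmod(libdir, 0o777)                    # explicit: mkdir's mode is umask-masked
    lib = os.path.join(libdir, "libgltrace.so")
    with open(lib, "wb") as f:
        f.write(b"\x7fELF")                    # stub bytes; never actually loaded here
    os.chmod(lib, 0o644)
    results = {"world_writable_dir": check_library_path(lib)[0]}
    os.chmod(libdir, 0o755)
    results["fixed_dir"] = check_library_path(lib)[0]
    os.chmod(lib, 0o666)
    results["world_writable_file"] = check_library_path(lib)[0]
    os.chmod(lib, 0o644)
    os.unlink(lib)
    os.rmdir(libdir)
    os.rmdir(base)
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'load' if ok else 'refuse'}")
```

The check is deliberately applied to the whole ancestry rather than just the file's own mode bits: a 0644 library inside a 0777 directory is exactly the case the bulletin describes, since the attacker does not need to write the file, only to replace the directory entry.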
REFERENCES

        [1]  Mozilla Foundation Security Advisory 2013-76
             http://www.mozilla.org/security/announce/2013/mfsa2013-76.html

        [2]  Mozilla Foundation Security Advisory 2013-77
             http://www.mozilla.org/security/announce/2013/mfsa2013-77.html

        [3]  Mozilla Foundation Security Advisory 2013-78
             http://www.mozilla.org/security/announce/2013/mfsa2013-78.html

        [4]  Mozilla Foundation Security Advisory 2013-79
             http://www.mozilla.org/security/announce/2013/mfsa2013-79.html

        [5]  Mozilla Foundation Security Advisory 2013-80
             http://www.mozilla.org/security/announce/2013/mfsa2013-80.html

        [6]  Mozilla Foundation Security Advisory 2013-81
             http://www.mozilla.org/security/announce/2013/mfsa2013-81.html

        [7]  Mozilla Foundation Security Advisory 2013-82
             http://www.mozilla.org/security/announce/2013/mfsa2013-82.html

        [8]  Mozilla Foundation Security Advisory 2013-83
             http://www.mozilla.org/security/announce/2013/mfsa2013-83.html

        [9]  Mozilla Foundation Security Advisory 2013-84
             http://www.mozilla.org/security/announce/2013/mfsa2013-84.html

        [10] Mozilla Foundation Security Advisory 2013-85
             http://www.mozilla.org/security/announce/2013/mfsa2013-85.html

        [11] Mozilla Foundation Security Advisory 2013-86
             http://www.mozilla.org/security/announce/2013/mfsa2013-86.html

        [12] Mozilla Foundation Security Advisory 2013-87
             http://www.mozilla.org/security/announce/2013/mfsa2013-87.html

        [13] Mozilla Foundation Security Advisory 2013-88
             http://www.mozilla.org/security/announce/2013/mfsa2013-88.html

        [14] Mozilla Foundation Security Advisory 2013-89
             http://www.mozilla.org/security/announce/2013/mfsa2013-89.html

        [15] Mozilla Foundation Security Advisory 2013-90
             http://www.mozilla.org/security/announce/2013/mfsa2013-90.html

        [16] Mozilla Foundation Security Advisory 2013-91
             http://www.mozilla.org/security/announce/2013/mfsa2013-91.html

        [17] Mozilla Foundation Security Advisory 2013-92
             http://www.mozilla.org/security/announce/2013/mfsa2013-92.html

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUjkQKRLndAQH1ShLAQKlqw//YArfeqlgmmX4QJSI/gZB/4qQw7h6Naso
/w3JyVlK++rrgGKk+d3RdbfFPS91mIyh3w455KCBusHxwCaalOqMz6w2sd5K0CHZ
OQiW2U/MJaQJyTWiph5CRDfr+OpHzUWx9uqPM7+gh2hCxdokCsSsqAjONSv8sWj+
jYxM2d2wS4Z/CNhayRJocx957/OFLuVWPGK6/NfueCmgkvyRk4+GKPrDyEDkkXrc
WH+ZSEx76dEhR1S5ZNN+6NP5wvE998GTopEq6yBotXwnNFz3sfoFLYPax9g+LhkN
msYGvlRHj/zts7U37XuD0Poy+IBWlV8FdwgBsHshLaoE7T4XJlQwPVRmsr+shnWc
YXIiMGG/3MF/j4lgsMJJNpG3WAfCmoaXKSEH53zCy2faHulbvzzmli25CFLIaN12
604s8ZE5nZLqwcLZefFYvzFJ1XvFc8IYCoPVbBxiRdphPUDETzysRQY7bhm7bxVA
WZjvXMqAVL0MPPYZUUsv63X0BFu7K1cFlVSuK7OzUH/ikKPMvCfajLBnkDaF0yCD
k2CV7dY9BPTUcU0qqc5OIuulxj6En5oy3BBdfxIoS8xh3J5P0w0tftY5D5z88Jcm
82CKFaACUHxezt3BfK+B1p8BVFJ2sZJJqBki4749DyaCVGj2LCUJQz21hAIgOMFd
dDgHYp4EI9Q=
=LASe
-----END PGP SIGNATURE-----