-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2013.0109
   A number of vulnerabilities have been identified in Mozilla Firefox,
         Firefox ESR, Thunderbird, Thunderbird ESR and SeaMonkey.
                             18 September 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Mozilla Firefox
                      Mozilla Firefox ESR
                      Mozilla Thunderbird
                      Mozilla Thunderbird ESR
                      Mozilla Seamonkey
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
                      Android
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Access Privileged Data          -- Remote with User Interaction
                      Modify Arbitrary Files          -- Remote with User Interaction
                      Cross-site Scripting            -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Access Confidential Data        -- Remote with User Interaction
                      Reduced Security                -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2013-1738 CVE-2013-1737 CVE-2013-1736
                      CVE-2013-1735 CVE-2013-1732 CVE-2013-1731
                      CVE-2013-1730 CVE-2013-1729 CVE-2013-1728
                      CVE-2013-1727 CVE-2013-1726 CVE-2013-1725
                      CVE-2013-1724 CVE-2013-1723 CVE-2013-1722
                      CVE-2013-1721 CVE-2013-1720 CVE-2013-1718
Member content until: Friday, October 18 2013

OVERVIEW

        Multiple vulnerabilities have been fixed in the latest versions of 
        Mozilla Firefox, Firefox ESR, Thunderbird, Thunderbird ESR and 
        SeaMonkey. [1]


IMPACT

        The vendor has provided the following details regarding these 
        vulnerabilities:
        
        CVE-2013-1718: "Mozilla developers identified and fixed several 
        memory safety bugs in the browser engine used in Firefox and other 
        Mozilla-based products. Some of these bugs showed evidence of memory
        corruption under certain circumstances, and we presume that with 
        enough effort at least some of these could be exploited to run 
        arbitrary code." [1]
        
        CVE-2013-1720: "Using the Address Sanitizer tool, security 
        researcher Atte Kettunen from OUSPG found that the HTML5 Tree 
        Builder does not properly store state when interacting with template
        elements. Because some stack information is incorrectly stored, the
        template insertion mode stack can be used when it is empty. This 
        could possibly lead to code execution in some circumstances." [2]
        
        CVE-2013-1721: "Security researcher Alex Chapman reported that the 
        Almost Native Graphics Layer Engine (ANGLE) library used by Mozilla
        is vulnerable to an integer overflow. This vulnerability is present
        because of insufficient bounds checking in the drawLineLoop 
        function, which can be driven by web content to overflow allocated 
        memory, leading to a potentially exploitable crash." [3]
        
        CVE-2013-1722: "Security researcher Abhishek Arya (Inferno) of the 
        Google Chrome Security Team used the Address Sanitizer tool to 
        discover a use-after-free problem in the Animation Manager during 
        the cloning of stylesheets. This can lead to a potentially 
        exploitable crash." [4]
        
        CVE-2013-1723: "Mozilla developer Masayuki Nakano discovered that 
        the NativeKey widget continues handling key messages even when it is
        destroyed by dispatched event listeners. This could result in some 
        key events being applied to other objects or plugins if the widget 
        memory is reallocated to them, leading to a non-exploitable crash."
        [5]
        
        CVE-2013-1724: "Security researcher Scott Bell used the Address 
        Sanitizer tool to discover a use-after-free when using a <select> 
        element in a form after it has been destroyed. This could lead to a
        potentially exploitable crash." [6]
        
        CVE-2013-1725: "Mozilla community member Ms2ger found a mechanism 
        where a new Javascript object with a compartment is uninitialized 
        could be entered through web content. When the scope for this object
        is called, it leads to a potentially exploitable crash." [7]
        
        CVE-2013-1726: "Security researcher Seb Patane reported that the 
        Mozilla Updater does not write-lock the MAR update file when it is 
        in use by the Updater. This leaves open the possibility of altering
        the contents of the MAR file after the signature on the file has 
        been verified as valid but before it has been used. This could allow
        an attacker with access to the local system to silently replace the
        contents of the update MAR file and either replace the installed 
        software with their own or extract and run executables files with 
        the same privileges as that of the Mozilla Updater." [8]
        
        CVE-2013-1727: "Security researcher Takeshi Terada reported a 
        mechanism to violate same-origin policy for local files using 
        file:// through the use of symbolic links. This problem only affects
        web pages loaded from the local filesystem. This could allow for 
        cross-site scripting (XSS) and access to locally stored Firefox 
        files containing passwords and cookies." [9]
        
        CVE-2013-1728: "Software developer Dan Gohman of Google reported 
        uninitialized data and variables in the IonMonkey Javascript engine
        when running the engine in Valgrind mode. This could be combined 
        with additional exploits to allow the reading and use of previously
        allocated memory in some circumstances." [10]
        
        CVE-2013-1729: "Mozilla developer Victor Porof reported a flaw in 
        the NVIDIA OS X graphic drivers that would allow portions of a 
        user's desktop or other visible applications to be incorporated into
        WebGL canvases. This could result in personal information becoming 
        available to web content." [11]
        
        CVE-2013-1731: "Mozilla developer Vladimir Vukicevic reported that 
        Firefox for Android will optionally load a shared object (.so) 
        library in order to enable GL tracing. When this is occurs, it can 
        be from a world writable location, allowing for it to be replaced by
        malicious third party applications before it is loaded by Firefox. 
        This would allow for accessing of all Firefox data or for malicious
        code to be run by Firefox. This flaw requires malicious software to
        be loaded on the device and is not accessible by web content." [12]
        
        CVE-2013-1730: "Security researcher Sachin Shinde reported that 
        moving certain XBL-backed nodes from a document into the replacement
        document created by document.open() can cause a JavaScript 
        compartment mismatch which can often lead to exploitable conditions.
        Starting with Firefox 20 this condition was turned into a run-time 
        assertion that would crash the browser in an unexploitable way, and
        in Firefox 24 the underlying cause was fixed." [13]
        
        CVE-2013-1732: "Security researcher Aki Helin reported that 
        combining lists, floats, and multiple columns could trigger a 
        potentially exploitable buffer overflow." [14]
        
        CVE-2013-1735 & CVE-2013-1736: "Security researcher Nils reported 
        two potentially exploitable memory corruption bugs involving 
        scrolling. The first was a use-after-free condition due to scrolling
        an image document. The second was due to nodes in a range request 
        being added as children of two different parents." [15]
        
        CVE-2013-1737: "Mozilla developer Boris Zbarsky reported that 
        user-defined getters on DOM proxies would incorrectly get the 
        expando object as this. It is unlikely that this is directly 
        exploitable but could lead to JavaScript client or add-on code 
        making incorrect security sensitive decisions based on hacker 
        supplied values." [16]
        
        CVE-2013-1738: "Security researcher Nils reported a potentially 
        exploitable use-after-free in an early test version of Firefox 25. 
        Mozilla developer Bobby Holley found that the cause was an older 
        garbage collection bug that a more recent change made easier to 
        trigger." [17]


MITIGATION

        It is recommended that users update to the latest versions of Mozilla
        Firefox, Firefox ESR, Thunderbird, Thunderbird ESR and SeaMonkey to 
        correct these issues.


REFERENCES

        [1] Mozilla Foundation Security Advisory 2013-76
            http://www.mozilla.org/security/announce/2013/mfsa2013-76.html

        [2] Mozilla Foundation Security Advisory 2013-77
            http://www.mozilla.org/security/announce/2013/mfsa2013-77.html

        [3] Mozilla Foundation Security Advisory 2013-78
            http://www.mozilla.org/security/announce/2013/mfsa2013-78.html

        [4] Mozilla Foundation Security Advisory 2013-79
            http://www.mozilla.org/security/announce/2013/mfsa2013-79.html

        [5] Mozilla Foundation Security Advisory 2013-80
            http://www.mozilla.org/security/announce/2013/mfsa2013-80.html

        [6] Mozilla Foundation Security Advisory 2013-81
            http://www.mozilla.org/security/announce/2013/mfsa2013-81.html

        [7] Mozilla Foundation Security Advisory 2013-82
            http://www.mozilla.org/security/announce/2013/mfsa2013-82.html

        [8] Mozilla Foundation Security Advisory 2013-83
            http://www.mozilla.org/security/announce/2013/mfsa2013-83.html

        [9] Mozilla Foundation Security Advisory 2013-84
            http://www.mozilla.org/security/announce/2013/mfsa2013-84.html

        [10] Mozilla Foundation Security Advisory 2013-85
             http://www.mozilla.org/security/announce/2013/mfsa2013-85.html

        [11] Mozilla Foundation Security Advisory 2013-86
             http://www.mozilla.org/security/announce/2013/mfsa2013-86.html

        [12] Mozilla Foundation Security Advisory 2013-87
             http://www.mozilla.org/security/announce/2013/mfsa2013-87.html

        [13] Mozilla Foundation Security Advisory 2013-88
             http://www.mozilla.org/security/announce/2013/mfsa2013-88.html

        [14] Mozilla Foundation Security Advisory 2013-89
             http://www.mozilla.org/security/announce/2013/mfsa2013-89.html

        [15] Mozilla Foundation Security Advisory 2013-90
             http://www.mozilla.org/security/announce/2013/mfsa2013-90.html

        [16] Mozilla Foundation Security Advisory 2013-91
             http://www.mozilla.org/security/announce/2013/mfsa2013-91.html

        [17] Mozilla Foundation Security Advisory 2013-92
             http://www.mozilla.org/security/announce/2013/mfsa2013-92.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUjkQKRLndAQH1ShLAQKlqw//YArfeqlgmmX4QJSI/gZB/4qQw7h6Naso
/w3JyVlK++rrgGKk+d3RdbfFPS91mIyh3w455KCBusHxwCaalOqMz6w2sd5K0CHZ
OQiW2U/MJaQJyTWiph5CRDfr+OpHzUWx9uqPM7+gh2hCxdokCsSsqAjONSv8sWj+
jYxM2d2wS4Z/CNhayRJocx957/OFLuVWPGK6/NfueCmgkvyRk4+GKPrDyEDkkXrc
WH+ZSEx76dEhR1S5ZNN+6NP5wvE998GTopEq6yBotXwnNFz3sfoFLYPax9g+LhkN
msYGvlRHj/zts7U37XuD0Poy+IBWlV8FdwgBsHshLaoE7T4XJlQwPVRmsr+shnWc
YXIiMGG/3MF/j4lgsMJJNpG3WAfCmoaXKSEH53zCy2faHulbvzzmli25CFLIaN12
604s8ZE5nZLqwcLZefFYvzFJ1XvFc8IYCoPVbBxiRdphPUDETzysRQY7bhm7bxVA
WZjvXMqAVL0MPPYZUUsv63X0BFu7K1cFlVSuK7OzUH/ikKPMvCfajLBnkDaF0yCD
k2CV7dY9BPTUcU0qqc5OIuulxj6En5oy3BBdfxIoS8xh3J5P0w0tftY5D5z88Jcm
82CKFaACUHxezt3BfK+B1p8BVFJ2sZJJqBki4749DyaCVGj2LCUJQz21hAIgOMFd
dDgHYp4EI9Q=
=LASe
-----END PGP SIGNATURE-----