                         AUSCERT Security Bulletin

 A number of vulnerabilities have been corrected in the latest versions of
            Firefox, Thunderbird, Thunderbird ESR and SeaMonkey
                             11 December 2013


        AusCERT Security Bulletin Summary

Product:              Mozilla Firefox
                      Mozilla Firefox ESR
                      Mozilla Thunderbird
                      Mozilla Thunderbird ESR
                      Mozilla Seamonkey
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Cross-site Scripting            -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Provide Misleading Information  -- Remote with User Interaction
                      Access Confidential Data        -- Remote with User Interaction
                      Unauthorised Access             -- Remote with User Interaction
                      Reduced Security                -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2013-6673 CVE-2013-6672 CVE-2013-6671
                      CVE-2013-6629 CVE-2013-5619 CVE-2013-5618
                      CVE-2013-5616 CVE-2013-5615 CVE-2013-5614
                      CVE-2013-5613 CVE-2013-5612 CVE-2013-5611
                      CVE-2013-5610 CVE-2013-5609 
Member content until: Friday, January 10 2014
Reference:            ASB-2013.0128


        A number of vulnerabilities have been corrected in the latest 
        versions of Firefox, Thunderbird, Thunderbird ESR and SeaMonkey.


        The vendor has provided the following details regarding these 
        vulnerabilities:

        CVE-2013-5609, CVE-2013-5610: "Mozilla developers identified and 
        fixed several memory safety bugs in the browser engine used in 
        Firefox and other Mozilla-based products. Some of these bugs showed
        evidence of memory corruption under certain circumstances, and we 
        presume that with enough effort at least some of these could be 
        exploited to run arbitrary code." [1]

        CVE-2013-5611: "Mozilla developer Myk Melez reported that with 
        specifically timed page navigation, the doorhanger notification for
        Web App installation could persist from one site to another without
        being dismissed by the navigation. This could be used by a malicious
        site to trick a user into installing an application from one site 
        while making it appear to come from another." [2]

        CVE-2013-5612: "Security researcher Masato Kinugawa discovered that
        if a web page is missing character set encoding information it can 
        inherit character encodings across navigations into another domain 
        from an earlier site. Only same-origin inheritance is allowed 
        according to the HTML5 specification. This issue allows an attacker
        to add content that will be interpreted one way on the victim site,
        but which may then behave differently, evading cross-site scripting
        (XSS) filtering, when forced into an unexpected character set. Web 
        site authors should always explicitly declare a character encoding 
        to avoid similar issues." [3]

        CVE-2013-5614: "Mozilla security developer Daniel Veditz discovered
        that <iframe sandbox> restrictions are not applied to an <object> 
        element contained within a sandboxed iframe. This could allow 
        content hosted within a sandboxed iframe to use an <object> element
        to bypass the sandbox restrictions that should be applied." [4]

        CVE-2013-5616: "Security researchers Tyson Smith and Jesse 
        Schwartzentruber of the BlackBerry Security Automated Analysis Team
        used the Address Sanitizer tool while fuzzing to discover a 
        use-after-free when interacting with event listeners from the 
        mListeners array. This leads to a potentially exploitable crash." [5]

        CVE-2013-5618: "Security researcher Nils used the Address Sanitizer
        tool while fuzzing to discover a use-after-free problem in the table
        editing user interface of the editor during garbage collection. This
        leads to a potentially exploitable crash." [6]

        CVE-2013-5619: "Compiler Engineer Dan Gohman of Google reported that
        binary search algorithms in the SpiderMonkey JavaScript engine were
        prone to overflow in several places, leading to potential 
        out-of-bounds array access. While none of these are known to be 
        directly exploitable, they are unsafe in theory and have been 
        changed as part of general security improvements." [7]

        CVE-2013-6671: "Security researchers Tyson Smith and Jesse 
        Schwartzentruber of the BlackBerry Security Automated Analysis Team
        used the Address Sanitizer tool while fuzzing to discover a 
        mechanism where inserting an ordered list into a document through 
        script could lead to a potentially exploitable crash that can be 
        triggered by web content." [8]

        CVE-2013-6672: "Mozilla community member Vincent Lefevre reported 
        that on Linux systems, web content can access data saved to the 
        clipboard when a user attempts to paste a selection with a 
        middle-click instead of pasting the selection content. This allows 
        for possibly private data in the clipboard to be inadvertently 
        disclosed to web content. Windows and OS X systems are not affected
        by this issue." [9]

        CVE-2013-6673: "Firefox user Sijie Xia reported that if a user 
        explicitly removes the trust for extended validation (EV) capable 
        root certificates in the certificate manager, the change is not 
        properly used when validating EV certificates, causing the setting 
        to be ignored. This removes the ability of users to explicitly 
        untrust root certificates from specific certificate authorities." [10]

        CVE-2013-5613: "Security researchers Tyson Smith and Jesse 
        Schwartzentruber of the BlackBerry Security Automated Analysis Team
        used the Address Sanitizer tool while fuzzing to discover a 
        use-after-free in the functions for synthetic mouse movement 
        handling. Security researcher Atte Kettunen from OUSPG also reported
        a variant of the same flaw. This issue leads to a potentially 
        exploitable crash." [11]

        CVE-2013-5615: "Mozilla developer Eric Faust reported that during 
        JavaScript compilation GetElementIC typed array stubs can be 
        generated outside observed typesets. This could lead to 
        unpredictable behavior with a potential security impact." [12]

        CVE-2013-6629: "Google security researcher Michal Zalewski reported
        issues with JPEG format image processing with Start Of Scan (SOS) 
        and Define Huffman Table (DHT) markers in the libjpeg library. This
        could allow for the possible reading of arbitrary memory content as
        well as cross-domain image theft." [13]

        "Google notified Mozilla that an intermediate certificate, which 
        chains up to a root included in Mozilla's root store, was loaded into
        a man-in-the-middle (MITM) traffic management device. This 
        certificate was issued by Agence nationale de la sécurité des
        systèmes d'information (ANSSI), an agency of the French government
        and a certificate authority in Mozilla's root program. A subordinate
        certificate authority of ANSSI mis-issued an intermediate 
        certificate that they installed on a network monitoring device, 
        which enabled the device to act as a MITM proxy performing traffic 
        management of domain names or IP addresses that the certificate 
        holder did not own or control.
        The issue was not specific to Firefox but there was evidence that 
        one of the certificates was used for MITM traffic management of 
        domain names that the customer did not legitimately own or control.
        This issue was resolved by revoking trust in the intermediate used 
        by the sub-CA to issue the certificate for the MITM device." [14]
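        The charset-inheritance issue in CVE-2013-5612 above rests on two
        facts: the same bytes mean different things under different
        encodings, and a page that declares no encoding leaves the browser
        to pick one. The following is an added example, not code from
        AusCERT or Mozilla, that checks a response for an explicit charset
        declaration (Content-Type header or <meta> within the 1024-byte
        prescan window) and shows a constructed ASCII payload that a
        server-side filter passes but that a browser reading it as UTF-7
        turns into a script tag. UTF-7 is used only because it is the
        simplest illustration of the mechanism; the advisory names no
        specific encoding. The function names, sample headers, HTML and
        payload are all constructed for this illustration.

```python
# Added example (not from the AusCERT bulletin or Mozilla): two checks
# around the class of bug described in CVE-2013-5612. Function names,
# sample headers/HTML and the payload are constructed for illustration.
import re
from typing import Mapping, Optional

# The HTML spec's encoding prescan only examines the first 1024 bytes
# of the document, so a <meta charset> placed later may not be honoured.
# The check applies the same window.
PRESCAN_BYTES = 1024

_HEADER_CHARSET = re.compile(r"charset\s*=\s*\"?([A-Za-z0-9._:-]+)", re.I)
_META_CHARSET = re.compile(
    rb"<meta[^>]*?charset\s*=\s*['\"]?\s*([A-Za-z0-9._:-]+)", re.I
)


def declared_charset(headers: Mapping[str, str], html: bytes) -> Optional[str]:
    """Return the charset a page explicitly declares (lower-cased), or None.

    The Content-Type header takes precedence over <meta>, matching how
    browsers resolve the encoding. A page for which this returns None is
    the kind that could inherit an encoding from an earlier site.
    """
    for name, value in headers.items():
        if name.lower() == "content-type":
            m = _HEADER_CHARSET.search(value)
            if m:
                return m.group(1).lower()
    m = _META_CHARSET.search(html[:PRESCAN_BYTES])
    if m:
        return m.group(1).decode("ascii").lower()
    return None


def naive_xss_filter(text: str) -> bool:
    """Stand-in for a server-side filter: True if it spots a script tag."""
    return "<script" in text.lower()


def interpret(payload: bytes, charset: str) -> str:
    """Decode the same bytes the way a browser using `charset` would."""
    return payload.decode(charset, errors="replace")


# Constructed payload: pure ASCII, so a filter working in ASCII/UTF-8 sees
# no '<' or '>'. Decoded as UTF-7 it becomes "<script>alert(1)</script>".
PAYLOAD = b"+ADw-script+AD4-alert(1)+ADw-/script+AD4-"


def demo() -> dict:
    """Run the checks on constructed inputs and return the findings."""
    page_without_charset = (
        b"<html><head><title>x</title></head><body>" + PAYLOAD + b"</body></html>"
    )
    page_with_charset = (
        b'<html><head><meta charset="utf-8"></head><body>' + PAYLOAD + b"</body></html>"
    )
    return {
        "filter_catches_ascii": naive_xss_filter(PAYLOAD.decode("ascii")),
        "seen_as_utf8": interpret(PAYLOAD, "utf-8"),
        "seen_as_utf7": interpret(PAYLOAD, "utf-7"),
        "unsafe_page_charset": declared_charset({}, page_without_charset),
        "safe_page_charset": declared_charset({}, page_with_charset),
        "header_charset": declared_charset(
            {"Content-Type": "text/html; charset=ISO-8859-1"}, page_without_charset
        ),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

        Running the block shows the filter passing the payload, the UTF-8
        reading leaving it as harmless text, and the UTF-7 reading yielding
        a live script tag; the page with no declaration is the one to fix,
        by setting charset in the Content-Type header (or a <meta charset>
        early in <head>), as the advisory recommends.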


        It is recommended that users update to the latest versions 
        of Mozilla Firefox, Firefox ESR, Thunderbird, Thunderbird ESR and 
        SeaMonkey to correct these issues.


        [1] MFSA 2013-104

        [2] MFSA 2013-105

        [3] MFSA 2013-106

        [4] MFSA 2013-107

        [5] MFSA 2013-108

        [6] MFSA 2013-109

        [7] MFSA 2013-110

        [8] MFSA 2013-111

        [9] MFSA 2013-112

        [10] MFSA 2013-113

        [11] MFSA 2013-114

        [12] MFSA 2013-115

        [13] MFSA 2013-116

        [14] MFSA 2013-117

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967