===========================================================================
AUSCERT Security Bulletin

ASB-2013.0136
A number of vulnerabilities have been corrected in the latest versions of
Firefox, Thunderbird, Thunderbird ESR and SeaMonkey
11 December 2013

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:              Mozilla Firefox
                      Mozilla Firefox ESR
                      Mozilla Thunderbird
                      Mozilla Thunderbird ESR
                      Mozilla Seamonkey
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Cross-site Scripting            -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Provide Misleading Information  -- Remote with User Interaction
                      Access Confidential Data        -- Remote with User Interaction
                      Unauthorised Access             -- Remote with User Interaction
                      Reduced Security                -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2013-6673 CVE-2013-6672 CVE-2013-6671
                      CVE-2013-6629 CVE-2013-5619 CVE-2013-5618
                      CVE-2013-5616 CVE-2013-5615 CVE-2013-5614
                      CVE-2013-5613 CVE-2013-5612 CVE-2013-5611
                      CVE-2013-5610 CVE-2013-5609
Member content until: Friday, January 10 2014
Reference:            ASB-2013.0128
                      ESB-2013.1760
                      ESB-2013.1652

OVERVIEW

A number of vulnerabilities have been corrected in the latest versions of Firefox, Thunderbird, Thunderbird ESR and SeaMonkey.

IMPACT

The vendor has provided the following details regarding these vulnerabilities:

CVE-2013-5609, CVE-2013-5610: "Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code."
[1]

CVE-2013-5611: "Mozilla developer Myk Melez reported that with specifically timed page navigation, the doorhanger notification for Web App installation could persist from one site to another without being dismissed by the navigation. This could be used by a malicious site to trick a user into installing an application from one site while making it appear to come from another." [2]

CVE-2013-5612: "Security researcher Masato Kinugawa discovered that if a web page is missing character set encoding information it can inherit character encodings across navigations into another domain from an earlier site. Only same-origin inheritance is allowed according to the HTML5 specification. This issue allows an attacker to add content that will be interpreted one way on the victim site, but which may then behave differently, evading cross-site scripting (XSS) filtering, when forced into an unexpected character set. Web site authors should always explicitly declare a character encoding to avoid similar issues." [3]

CVE-2013-5614: "Mozilla security developer Daniel Veditz discovered that <iframe sandbox> restrictions are not applied to an <object> element contained within a sandboxed iframe. This could allow content hosted within a sandboxed iframe to use <object> element to bypass the sandbox restrictions that should be applied." [4]

CVE-2013-5616: "Security researchers Tyson Smith and Jesse Schwartzentruber of the BlackBerry Security Automated Analysis Team used the Address Sanitizer tool while fuzzing to discover a use-after-free when interacting with event listeners from the mListeners array. This leads to a potentially exploitable crash." [5]

CVE-2013-5618: "Security researcher Nils used the Address Sanitizer tool while fuzzing to discover a use-after-free problem in the table editing user interface of the editor during garbage collection. This leads to a potentially exploitable crash."
[6]

CVE-2013-5619: "Compiler Engineer Dan Gohman of Google reported that binary search algorithms in the SpiderMonkey JavaScript engine were prone to overflow in several places, leading to potential out-of-bounds array access. While none of these are known to be directly exploitable, they are unsafe in theory and have been changed as part of general security improvements." [7]

CVE-2013-6671: "Security researchers Tyson Smith and Jesse Schwartzentruber of the BlackBerry Security Automated Analysis Team used the Address Sanitizer tool while fuzzing to discover a mechanism where inserting an ordered list into a document through script could lead to a potentially exploitable crash that can be triggered by web content." [8]

CVE-2013-6672: "Mozilla community member Vincent Lefevre reported that on Linux systems, web content can access data saved to the clipboard when a user attempts to paste a selection with a middle-click instead of pasting the selection content. This allows for possibly private data in the clipboard to be inadvertently disclosed to web content. Windows and OS X systems are not affected by this issue." [9]

CVE-2013-6673: "Firefox user Sijie Xia reported that if a user explicitly removes the trust for extended validation (EV) capable root certificates in the certificate manager, the change is not properly used when validating EV certificates, causing the setting to be ignored. This removes the ability of users to explicitly untrust root certificates from specific certificate authorities." [10]

CVE-2013-5613: "Security researchers Tyson Smith and Jesse Schwartzentruber of the BlackBerry Security Automated Analysis Team used the Address Sanitizer tool while fuzzing to discover a use-after-free in the functions for synthetic mouse movement handling. Security researcher Atte Kettunen from OUSPG also reported a variant of the same flaw. This issue leads to a potentially exploitable crash."
[11]

CVE-2013-5615: "Mozilla developer Eric Faust reported that during JavaScript compilation GetElementIC typed array stubs can be generated outside observed typesets. This could lead to unpredictable behavior with a potential security impact." [12]

CVE-2013-6629: "Google security researcher Michal Zalewski reported issues with JPEG format image processing with Start Of Scan (SOS) and Define Huffman Table (DHT) markers in the libjpeg library. This could allow for the possible reading of arbitrary memory content as well as cross-domain image theft." [13]

"Google notified Mozilla that an intermediate certificate, which chains up to a root included in Mozilla's root store, was loaded into a man-in-the-middle (MITM) traffic management device. This certificate was issued by Agence nationale de la sécurité des systèmes d'information (ANSSI), an agency of the French government and a certificate authority in Mozilla's root program. A subordinate certificate authority of ANSSI mis-issued an intermediate certificate that they installed on a network monitoring device, which enabled the device to act as a MITM proxy performing traffic management of domain names or IP addresses that the certificate holder did not own or control. The issue was not specific to Firefox but there was evidence that one of the certificates was used for MITM traffic management of domain names that the customer did not legitimately own or control. This issue was resolved by revoking trust in the intermediate used by the sub-CA to issue the certificate for the MITM device." [14]

MITIGATION

It is recommended that users update to the latest versions of Mozilla Firefox, Firefox ESR, Thunderbird, Thunderbird ESR and SeaMonkey to correct these issues.
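
Added example (not part of the AusCERT bulletin or the Mozilla advisories): a Python check a site owner can run against their own responses to act on the CVE-2013-5612 advice that pages always declare a character encoding explicitly. The function names, the example.test URLs and the sample responses are constructed for illustration, and the <meta> regex is a simplified stand-in for the HTML5 prescan of the first 1024 bytes.

```python
import re
from email.message import Message

# Byte-order marks: the browser treats these as a definite encoding.
_BOMS = ((b"\xef\xbb\xbf", "utf-8"), (b"\xff\xfe", "utf-16le"), (b"\xfe\xff", "utf-16be"))
# <meta charset=...> or <meta http-equiv=Content-Type content="...; charset=...">
_META = re.compile(rb"<meta\s[^>]*?charset\s*=\s*[\"']?\s*([A-Za-z0-9._:-]+)", re.I)
PRESCAN_BYTES = 1024  # a <meta> declaration later than this is not seen by the prescan


def declared_charset(content_type, body):
    """Return (source, charset) for the first explicit declaration, else None."""
    for bom, name in _BOMS:
        if body.startswith(bom):
            return ("bom", name)
    if content_type:
        msg = Message()
        msg["Content-Type"] = content_type
        charset = msg.get_param("charset")
        if isinstance(charset, tuple):  # RFC 2231 encoded parameter
            charset = charset[2]
        if charset:
            return ("http-header", charset.lower())
    m = _META.search(body[:PRESCAN_BYTES])
    if m:
        return ("meta", m.group(1).decode("ascii").lower())
    return None


def audit(pages):
    """pages: iterable of (url, content_type, body); return URLs with no declaration."""
    return [url for url, ctype, body in pages if declared_charset(ctype, body) is None]


# Constructed sample responses (not captured traffic).
SAMPLES = [
    ("https://example.test/a", "text/html; charset=UTF-8", b"<html><body>ok</body></html>"),
    ("https://example.test/b", "text/html", b'<!doctype html><meta charset="utf-8"><p>ok</p>'),
    ("https://example.test/c", "text/html", b"<html><body>no declaration</body></html>"),
    ("https://example.test/d", "text/html", b"<!--" + b"x" * 1100 + b'--><meta charset="utf-8">'),
]

if __name__ == "__main__":
    for url in audit(SAMPLES):
        print("no explicit charset:", url)
```

Pages /c and /d are reported: /c declares nothing, and /d declares its encoding only after the first 1024 bytes, which leaves the browser to guess or inherit one.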

REFERENCES

[1]  MFSA 2013-104
     http://www.mozilla.org/security/announce/2013/mfsa2013-104.html

[2]  MFSA 2013-105
     http://www.mozilla.org/security/announce/2013/mfsa2013-105.html

[3]  MFSA 2013-106
     http://www.mozilla.org/security/announce/2013/mfsa2013-106.html

[4]  MFSA 2013-107
     http://www.mozilla.org/security/announce/2013/mfsa2013-107.html

[5]  MFSA 2013-108
     http://www.mozilla.org/security/announce/2013/mfsa2013-108.html

[6]  MFSA 2013-109
     http://www.mozilla.org/security/announce/2013/mfsa2013-109.html

[7]  MFSA 2013-110
     http://www.mozilla.org/security/announce/2013/mfsa2013-110.html

[8]  MFSA 2013-111
     http://www.mozilla.org/security/announce/2013/mfsa2013-111.html

[9]  MFSA 2013-112
     http://www.mozilla.org/security/announce/2013/mfsa2013-112.html

[10] MFSA 2013-113
     http://www.mozilla.org/security/announce/2013/mfsa2013-113.html

[11] MFSA 2013-114
     http://www.mozilla.org/security/announce/2013/mfsa2013-114.html

[12] MFSA 2013-115
     http://www.mozilla.org/security/announce/2013/mfsa2013-115.html

[13] MFSA 2013-116
     http://www.mozilla.org/security/announce/2013/mfsa2013-116.html

[14] MFSA 2013-117
     http://www.mozilla.org/security/announce/2013/mfsa2013-117.html

AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================