Hash: SHA1

                         AUSCERT Security Bulletin

  A number of vulnerabilities have been identified in Mozilla Firefox, 
              Mozilla Firefox ESR, Thunderbird and Seamonkey
                               30 April 2014


        AusCERT Security Bulletin Summary

Product:              Mozilla Firefox
                      Mozilla Firefox ESR
                      Mozilla Thunderbird
                      Mozilla Seamonkey
Operating System:     UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Increased Privileges            -- Existing Account            
                      Cross-site Scripting            -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Provide Misleading Information  -- Remote with User Interaction
                      Reduced Security                -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2014-1532 CVE-2014-1531 CVE-2014-1530
                      CVE-2014-1529 CVE-2014-1528 CVE-2014-1527
                      CVE-2014-1526 CVE-2014-1525 CVE-2014-1524
                      CVE-2014-1523 CVE-2014-1522 CVE-2014-1520
                      CVE-2014-1519 CVE-2014-1518 CVE-2014-1492
Member content until: Friday, May 30 2014


        A number of vulnerabilities have been identified in Mozilla Firefox,
        Mozilla Firefox ESR, Thunderbird and Seamonkey.


        The vendor has provided the following details regarding these 
        CVE-2014-1518, CVE-2014-1519: "Mozilla developers and community 
        identified identified and fixed several memory safety bugs in the 
        browser engine used in Firefox and other Mozilla-based products. 
        Some of these bugs showed evidence of memory corruption under 
        certain circumstances, and we presume that with enough effort at 
        least some of these could be exploited to run arbitrary code." [1]
        CVE-2014-1520: "Security researcher Ash reported an issue affected 
        the Mozilla Maintenance Service on Windows systems. The Mozilla 
        Maintenance Service installer writes to a temporary directory 
        created during the update process which is writable by users. If 
        malicious DLL files are placed within this directory during the 
        update process, these DLL files can run in a privileged context 
        through the Mozilla Maintenance Service's privileges, allowing for 
        local privilege escalation.
        Note: This issue does not affect Linux or OS X users and is confined
        to Windows." [2]
        CVE-2014-1522: "Security researcher Ash reported an out of bounds 
        read issue with Web Audio. This issue could allow for web content to
        trigger crashes that are potentially exploitable." [3]
        CVE-2014-1523: "Security researcher Abhishek Arya (Inferno) of the 
        Google Chrome Security Team used the Address Sanitizer tool to 
        discover a fixed offset out of bounds read issue while decoding 
        specifically formatted JPG format images. This causes a 
        non-exploitable crash." [4]
        CVE-2014-1524: "Security researcher Abhishek Arya (Inferno) of the 
        Google Chrome Security Team used the Address Sanitizer tool to 
        discover a buffer overflow when a script uses a non-XBL object as an
        XBL object because the XBL status of the object is not properly 
        validated. The resulting memory corruption is potentially 
        exploitable." [5]
        CVE-2014-1525: "Using the Address Sanitizer tool, security 
        researcher Abhishek Arya (Inferno) of the Google Chrome Security 
        Team found a use-after-free in the Text Track Manager while 
        processing HTML video. This was caused by inconsistent garbage 
        collection of Text Track Manager variables and results in a 
        potentially exploitable crash." [6]
        CVE-2014-1527: "Security researcher Juho Nurminen reported that on 
        Firefox for Android, when the addressbar has been scrolled off 
        screen, an attacker can prevent it from rendering again through the
        use of script interacting DOM events. This allows an attacker to 
        present a fake addressbar to the user, possibly leading to 
        successful phishing attacks." [7]
        CVE-2014-1528: "Security researcher Jukka Jylnki reported a crash in
        the the Cairo graphics library. This happens when Cairo paints 
        out-of-bounds to the destination buffer in the compositing function
        when working with canvas in certain circumstances. This issue allows
        malicious web content to cause a potentially exploitable crash." [8]
        CVE-2014-1529: "Security researcher Mariusz Mlynski discovered an 
        issue where sites that have been given notification permissions by a
        user can bypass security checks on source components for the Web 
        Notification API. This allows for script to be run in a privileged 
        context through notifications, leading to arbitrary code execution 
        on these sites." [9]
        CVE-2014-1530: "Mozilla security researcher moz_bug_r_a4 reported a
        method to use browser navigations through history to load a website
        with that page's baseURI property pointing to that of another site 
        instead of the seemingly loaded one. The user will continue to see 
        the incorrect site in the addressbar of the browser. This allows for
        a cross-site scripting (XSS) attack or the theft of data through a 
        phishing attack." [10]
        CVE-2014-1531: "Security researcher Nils discovered a use-after-free
        error in which the imgLoader object is freed while an image is being
        resized. This results in a potentially exploitable crash." [11]
        CVE-2014-1492: "Security researcher Christian Heimes reported that 
        the Network Security Services (NSS) library does not handle IDNA 
        domain prefixes according to RFC 6125 for wildcard certificates. 
        This leads to improper wildcard matching of domains when they should
        not be matched in compliance with the specification. This issue was
        fixed in NSS version 3.16." [12]
        CVE-2014-1532: "Security researchers Tyson Smith and Jesse 
        Schwartzentruber of the BlackBerry Security Automated Analysis Team
        used the Address Sanitizer tool while fuzzing to discover a 
        use-after-free during host resolution in some circumstances. This 
        leads to a potentially exploitable crash." [13]
        CVE-2014-1526: "Mozilla developer Boris Zbarsky discovered that the
        debugger will work with some objects while bypassing XrayWrappers. 
        This could lead to privilege escalation if the victim used the 
        debugger to interact with a malicious page." [14]


        It is recommended that users update to the latest versions of Mozilla 
        Firefox, Firefox ESR, Thunderbird, and SeaMonkey to correct these 
        issues. [1-14]


        [1] Mozilla Foundation Security Advisory 2014-34

        [2] Mozilla Foundation Security Advisory 2014-35

        [3] Mozilla Foundation Security Advisory 2014-36

        [4] Mozilla Foundation Security Advisory 2014-37

        [5] Mozilla Foundation Security Advisory 2014-38

        [6] Mozilla Foundation Security Advisory 2014-39

        [7] Mozilla Foundation Security Advisory 2014-40

        [8] Mozilla Foundation Security Advisory 2014-41

        [9] Mozilla Foundation Security Advisory 2014-42

        [10] Mozilla Foundation Security Advisory 2014-43

        [11] Mozilla Foundation Security Advisory 2014-44

        [12] Mozilla Foundation Security Advisory 2014-45

        [13] Mozilla Foundation Security Advisory 2014-46

        [14] Mozilla Foundation Security Advisory 2014-47

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967