===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2014.0056
        A number of vulnerabilities have been identified in Mozilla
          Firefox, Mozilla Firefox ESR, Thunderbird and Seamonkey
                               30 April 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Mozilla Firefox
                      Mozilla Firefox ESR
                      Mozilla Thunderbird
                      Mozilla Seamonkey
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
                      Android
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Increased Privileges            -- Existing Account
                      Cross-site Scripting            -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Provide Misleading Information  -- Remote with User Interaction
                      Reduced Security                -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2014-1532 CVE-2014-1531 CVE-2014-1530
                      CVE-2014-1529 CVE-2014-1528 CVE-2014-1527
                      CVE-2014-1526 CVE-2014-1525 CVE-2014-1524
                      CVE-2014-1523 CVE-2014-1522 CVE-2014-1520
                      CVE-2014-1519 CVE-2014-1518 CVE-2014-1492
Member content until: Friday, May 30 2014

OVERVIEW

        A number of vulnerabilities have been identified in Mozilla Firefox,
        Mozilla Firefox ESR, Thunderbird and Seamonkey.

IMPACT

        The vendor has provided the following details regarding these
        vulnerabilities:

        CVE-2014-1518, CVE-2014-1519: "Mozilla developers and community
        identified and fixed several memory safety bugs in the browser engine
        used in Firefox and other Mozilla-based products. Some of these bugs
        showed evidence of memory corruption under certain circumstances, and
        we presume that with enough effort at least some of these could be
        exploited to run arbitrary code." [1]

        CVE-2014-1520: "Security researcher Ash reported an issue affecting
        the Mozilla Maintenance Service on Windows systems. The Mozilla
        Maintenance Service installer writes to a temporary directory created
        during the update process which is writable by users. If malicious DLL
        files are placed within this directory during the update process,
        these DLL files can run in a privileged context through the Mozilla
        Maintenance Service's privileges, allowing for local privilege
        escalation. Note: This issue does not affect Linux or OS X users and
        is confined to Windows." [2]

        CVE-2014-1522: "Security researcher Ash reported an out of bounds read
        issue with Web Audio. This issue could allow for web content to
        trigger crashes that are potentially exploitable." [3]

        CVE-2014-1523: "Security researcher Abhishek Arya (Inferno) of the
        Google Chrome Security Team used the Address Sanitizer tool to
        discover a fixed offset out of bounds read issue while decoding
        specifically formatted JPG format images. This causes a
        non-exploitable crash." [4]

        CVE-2014-1524: "Security researcher Abhishek Arya (Inferno) of the
        Google Chrome Security Team used the Address Sanitizer tool to
        discover a buffer overflow when a script uses a non-XBL object as an
        XBL object because the XBL status of the object is not properly
        validated. The resulting memory corruption is potentially
        exploitable." [5]

        CVE-2014-1525: "Using the Address Sanitizer tool, security researcher
        Abhishek Arya (Inferno) of the Google Chrome Security Team found a
        use-after-free in the Text Track Manager while processing HTML video.
        This was caused by inconsistent garbage collection of Text Track
        Manager variables and results in a potentially exploitable crash." [6]

        CVE-2014-1527: "Security researcher Juho Nurminen reported that on
        Firefox for Android, when the addressbar has been scrolled off screen,
        an attacker can prevent it from rendering again through the use of
        script interacting DOM events. This allows an attacker to present a
        fake addressbar to the user, possibly leading to successful phishing
        attacks." [7]

        CVE-2014-1528: "Security researcher Jukka Jylänki reported a crash in
        the Cairo graphics library. This happens when Cairo paints
        out-of-bounds to the destination buffer in the compositing function
        when working with canvas in certain circumstances. This issue allows
        malicious web content to cause a potentially exploitable crash." [8]

        CVE-2014-1529: "Security researcher Mariusz Mlynski discovered an
        issue where sites that have been given notification permissions by a
        user can bypass security checks on source components for the Web
        Notification API. This allows for script to be run in a privileged
        context through notifications, leading to arbitrary code execution on
        these sites." [9]

        CVE-2014-1530: "Mozilla security researcher moz_bug_r_a4 reported a
        method to use browser navigations through history to load a website
        with that page's baseURI property pointing to that of another site
        instead of the seemingly loaded one. The user will continue to see the
        incorrect site in the addressbar of the browser. This allows for a
        cross-site scripting (XSS) attack or the theft of data through a
        phishing attack." [10]

        CVE-2014-1531: "Security researcher Nils discovered a use-after-free
        error in which the imgLoader object is freed while an image is being
        resized. This results in a potentially exploitable crash." [11]

        CVE-2014-1492: "Security researcher Christian Heimes reported that the
        Network Security Services (NSS) library does not handle IDNA domain
        prefixes according to RFC 6125 for wildcard certificates. This leads
        to improper wildcard matching of domains when they should not be
        matched in compliance with the specification. This issue was fixed in
        NSS version 3.16." [12]

        CVE-2014-1532: "Security researchers Tyson Smith and Jesse
        Schwartzentruber of the BlackBerry Security Automated Analysis Team
        used the Address Sanitizer tool while fuzzing to discover a
        use-after-free during host resolution in some circumstances. This
        leads to a potentially exploitable crash." [13]

        CVE-2014-1526: "Mozilla developer Boris Zbarsky discovered that the
        debugger will work with some objects while bypassing XrayWrappers.
        This could lead to privilege escalation if the victim used the
        debugger to interact with a malicious page." [14]

MITIGATION

        It is recommended that users update to the latest versions of Mozilla
        Firefox, Firefox ESR, Thunderbird, and SeaMonkey to correct these
        issues. [1-14]

REFERENCES

        [1] Mozilla Foundation Security Advisory 2014-34
            http://www.mozilla.org/security/announce/2014/mfsa2014-34.html

        [2] Mozilla Foundation Security Advisory 2014-35
            http://www.mozilla.org/security/announce/2014/mfsa2014-35.html

        [3] Mozilla Foundation Security Advisory 2014-36
            http://www.mozilla.org/security/announce/2014/mfsa2014-36.html

        [4] Mozilla Foundation Security Advisory 2014-37
            http://www.mozilla.org/security/announce/2014/mfsa2014-37.html

        [5] Mozilla Foundation Security Advisory 2014-38
            http://www.mozilla.org/security/announce/2014/mfsa2014-38.html

        [6] Mozilla Foundation Security Advisory 2014-39
            http://www.mozilla.org/security/announce/2014/mfsa2014-39.html

        [7] Mozilla Foundation Security Advisory 2014-40
            http://www.mozilla.org/security/announce/2014/mfsa2014-40.html

        [8] Mozilla Foundation Security Advisory 2014-41
            http://www.mozilla.org/security/announce/2014/mfsa2014-41.html

        [9] Mozilla Foundation Security Advisory 2014-42
            http://www.mozilla.org/security/announce/2014/mfsa2014-42.html

        [10] Mozilla Foundation Security Advisory 2014-43
             http://www.mozilla.org/security/announce/2014/mfsa2014-43.html

        [11] Mozilla Foundation Security Advisory 2014-44
             http://www.mozilla.org/security/announce/2014/mfsa2014-44.html

        [12] Mozilla Foundation Security Advisory 2014-45
             http://www.mozilla.org/security/announce/2014/mfsa2014-45.html

        [13] Mozilla Foundation Security Advisory 2014-46
             http://www.mozilla.org/security/announce/2014/mfsa2014-46.html

        [14] Mozilla Foundation Security Advisory 2014-47
             http://www.mozilla.org/security/announce/2014/mfsa2014-47.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
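
The wildcard rule behind CVE-2014-1492, as an added example that is not part of the bulletin and is not NSS or Mozilla code: a matcher following RFC 6125 section 6.4.3, which refuses a wildcard embedded in an IDNA A-label (an "xn--" label). The function names and the sample host names are assumptions made for illustration.

```python
# Added illustration: certificate wildcard matching with the IDNA rule
# from RFC 6125 section 6.4.3. Not NSS or Mozilla code.

def _labels(name):
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return name.lower().rstrip(".").split(".")

def wildcard_match(pattern, hostname):
    """Return True if the certificate name `pattern` covers `hostname`."""
    p, h = _labels(pattern), _labels(hostname)
    # A wildcard stands for exactly one label, so label counts must agree.
    if len(p) != len(h) or "" in p or "" in h:
        return False
    # Wildcards count only in the left-most label; the rest compare literally.
    if any("*" in label for label in p[1:]) or p[1:] != h[1:]:
        return False
    left, target = p[0], h[0]
    if "*" not in left:
        return left == target
    if left.count("*") > 1:
        return False
    if left == "*":
        return True  # whole-label wildcard: any single label, A-label included
    # Partial wildcard ("w*", "xn--*"): never inside, or against, an A-label.
    if left.startswith("xn--") or target.startswith("xn--"):
        return False
    prefix, suffix = left.split("*")
    return (len(target) >= len(prefix) + len(suffix)
            and target.startswith(prefix) and target.endswith(suffix))

# Constructed sample names (assumptions, not taken from the bulletin).
CASES = [
    ("*.example.com", "www.example.com"),
    ("*.example.com", "a.b.example.com"),
    ("w*.example.com", "www.example.com"),
    ("xn--*.example.com", "xn--bcher-kva.example.com"),
    ("x*.example.com", "xn--bcher-kva.example.com"),
    ("*.example.com", "xn--bcher-kva.example.com"),
]

def run_cases():
    """Evaluate every constructed case and return {(pattern, host): bool}."""
    return {(pat, host): wildcard_match(pat, host) for pat, host in CASES}

if __name__ == "__main__":
    for (pat, host), ok in run_cases().items():
        print(f"{pat:20} {host:28} {'match' if ok else 'reject'}")
```

Public-suffix policy (for example refusing "*.com") is outside what this sketch covers.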