===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2014.0084
        A number of vulnerabilities have been identified in Mozilla
               Firefox, Mozilla Firefox ESR and Thunderbird.
                               23 July 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Mozilla Firefox
                      Mozilla Firefox ESR
                      Mozilla Thunderbird
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
                      Android
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Provide Misleading Information  -- Remote with User Interaction
                      Access Confidential Data        -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2014-1561 CVE-2014-1560 CVE-2014-1559
                      CVE-2014-1558 CVE-2014-1557 CVE-2014-1556
                      CVE-2014-1555 CVE-2014-1552 CVE-2014-1551
                      CVE-2014-1550 CVE-2014-1549 CVE-2014-1548
                      CVE-2014-1547 CVE-2014-1544 
Member content until: Friday, August 22 2014

OVERVIEW

        A number of vulnerabilities have been identified in Mozilla
        Firefox, Mozilla Firefox ESR and Thunderbird. [1]


IMPACT

        The vendor has provided the following details regarding these 
        vulnerabilities:
        
        "CVE-2014-1547, CVE-2014-1548: Mozilla developers and community 
        identified and fixed several memory safety bugs in the 
        browser engine used in Firefox and other Mozilla-based products. 
        Some of these bugs showed evidence of memory corruption under 
        certain circumstances, and we presume that with enough effort at 
        least some of these could be exploited to run arbitrary code." [2]
        
        "CVE-2014-1549: Using the Address Sanitizer tool, security 
        researcher Atte Kettunen from OUSPG discovered a buffer overflow 
        during interaction with the Web Audio buffer for playback because of
        an error in the amount of allocated memory for buffers. This 
        leads to a potentially exploitable crash with some audio 
        content." [3]
        
        "CVE-2014-1550: Using the Address Sanitizer tool, security 
        researcher Atte Kettunen from OUSPG discovered a use-after-free in 
        Web Audio due to an issue with how control messages for Web Audio 
        are ordered and processed. This leads to a potentially exploitable 
        crash." [4]
        
        "CVE-2014-1551: Mozilla community member James Kitchener reported a
        crash in DirectWrite when rendering MathML content with specific 
        fonts due to an error in how font resources and tables are handled.
        This leads to use-after-free of a DirectWrite font-face object, 
        resulting in a potentially exploitable crash." [5]
        
        "CVE-2014-1561: Mozilla developers David Chan and Gijs Kruitbosch 
        reported that it is possible to create a drag and drop event in web
        content which mimics the behavior of a chrome customization event. 
        This can occur when a user is customizing a page or panel. This 
        results in a limited ability to move UI icons within the visible 
        window but does not otherwise affect customization or window 
        content." [6]
        
        "CVE-2014-1555: Security researcher Jethro Beekman of the University
        of California, Berkeley reported a crash when the FireOnStateChange
        event is triggered in some circumstances. This leads to a 
        use-after-free and a potentially exploitable crash when it occurs."
        [7]
        
        "CVE-2014-1556: Developer Patrick Cozzi reported a crash in some 
        circumstances when using the Cesium JavaScript library to generate 
        WebGL content. Mozilla developers determined that this crash is 
        potentially exploitable." [8]
        
        "CVE-2014-1544: Security researchers Tyson Smith and Jesse 
        Schwartzentruber used the Address Sanitizer tool while fuzzing to 
        discover a use-after-free error resulting in a crash. This is a 
        result of a pair of NSSCertificate structures being added to a trust
        domain and then one of them is removed while they are still in use 
        by the trusted cache. This crash is potentially exploitable." [9]
        
        "CVE-2014-1557: Mozilla community member John reported a crash in 
        the Skia library when scaling high quality images if the scaling 
        operation takes too long. This is caused by the image data being 
        discarded while still in use by the scaling operation. This crash is
        potentially exploitable on some systems." [10]
        
        "CVE-2014-1558, CVE-2014-1559, CVE-2014-1560: Mozilla security 
        researcher Christian Holler discovered several issues while fuzzing
        the parsing of SSL certificates. Two of these issues were a result 
        of using characters that are not UTF-8 in certificates when various
        functions expected all strings to be UTF-8 format. The third issue 
        was a result of using characters that were not ASCII in certificates
        while a function expected only ASCII formatted text. All of these 
        issues cause the certificates to be incorrectly parsed, leading to
        a potential inability to use valid SSL certificates." [11]
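
        The following is an added example, not part of the AusCERT bulletin
        or Mozilla's code. For the class of input described under
        CVE-2014-1558 to CVE-2014-1560, it walks a DER structure and flags
        string fields whose bytes are not valid for the ASN.1 string type
        they declare. The helper names and the sample name are constructed
        for illustration, and high-tag-number forms are assumed absent.

```python
# Added example; the DER bytes below are constructed sample data.
UTF8, PRINTABLE, IA5 = 0x0C, 0x13, 0x16   # ASN.1 universal string tags
PRINTABLE_CHARS = set(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?")

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def check_strings(der, findings=None):
    """Walk DER and list (type, bytes) for strings that break their encoding."""
    findings = [] if findings is None else findings
    pos = 0
    while pos < len(der):
        tag, value, pos = read_tlv(der, pos)
        if tag & 0x20:                     # constructed element: descend
            check_strings(value, findings)
        elif tag == UTF8:
            try:
                value.decode("utf-8")
            except UnicodeDecodeError:
                findings.append(("UTF8String", value))
        elif tag == IA5 and any(b > 0x7F for b in value):
            findings.append(("IA5String", value))
        elif tag == PRINTABLE and not set(value) <= PRINTABLE_CHARS:
            findings.append(("PrintableString", value))
    return findings

def tlv(tag, value):                       # sample builder, short lengths only
    return bytes([tag, len(value)]) + value

def rdn(tag, value):                       # SET { SEQUENCE { OID 2.5.4.3, string } }
    return tlv(0x31, tlv(0x30, b"\x06\x03\x55\x04\x03" + tlv(tag, value)))

# Constructed name: one valid UTF8String, one invalid, one non-ASCII IA5String.
SAMPLE_NAME = tlv(0x30, rdn(UTF8, b"caf\xc3\xa9") + rdn(UTF8, b"caf\xe9")
                  + rdn(IA5, b"ex\xe4mple.test"))
```

        Calling check_strings(SAMPLE_NAME) returns the two malformed
        fields and leaves the well-formed UTF8String unreported.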
        
        "CVE-2014-1552: Mozilla developer Boris Zbarsky discovered an issue
        where network-level redirects cause an <iframe> sandbox to forget 
        its unique origin and behave as if the allow-same-origin keyword 
        were applied. This allows the sandboxed content to access other 
        content from the same origin without explicit approval." [12]


MITIGATION

        It is recommended that users update to the latest versions of 
        Mozilla Firefox, Firefox ESR and Thunderbird to correct these 
        issues. [1 - 12]


REFERENCES

        [1] Security Advisories for Firefox
            https://www.mozilla.org/security/known-vulnerabilities/firefox.html

        [2] Mozilla Foundation Security Advisory 2014-56
            https://www.mozilla.org/security/announce/2014/mfsa2014-56.html

        [3] Mozilla Foundation Security Advisory 2014-57
            https://www.mozilla.org/security/announce/2014/mfsa2014-57.html

        [4] Mozilla Foundation Security Advisory 2014-58
            https://www.mozilla.org/security/announce/2014/mfsa2014-58.html

        [5] Mozilla Foundation Security Advisory 2014-59
            https://www.mozilla.org/security/announce/2014/mfsa2014-59.html

        [6] Mozilla Foundation Security Advisory 2014-60
            https://www.mozilla.org/security/announce/2014/mfsa2014-60.html

        [7] Mozilla Foundation Security Advisory 2014-61
            https://www.mozilla.org/security/announce/2014/mfsa2014-61.html

        [8] Mozilla Foundation Security Advisory 2014-62
            https://www.mozilla.org/security/announce/2014/mfsa2014-62.html

        [9] Mozilla Foundation Security Advisory 2014-63
            https://www.mozilla.org/security/announce/2014/mfsa2014-63.html

        [10] Mozilla Foundation Security Advisory 2014-64
             https://www.mozilla.org/security/announce/2014/mfsa2014-64.html

        [11] Mozilla Foundation Security Advisory 2014-65
             https://www.mozilla.org/security/announce/2014/mfsa2014-65.html

        [12] Mozilla Foundation Security Advisory 2014-66
             https://www.mozilla.org/security/announce/2014/mfsa2014-66.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================