
===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2014.0120
         Numerous vulnerabilities have been identified in Mozilla
                   Firefox, Firefox ESR and Thunderbird.
                              15 October 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Mozilla Firefox
                      Mozilla Firefox ESR
                      Mozilla Thunderbird
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Provide Misleading Information  -- Remote with User Interaction
                      Access Confidential Data        -- Remote with User Interaction
                      Unauthorised Access             -- Remote with User Interaction
                      Reduced Security                -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2014-1586 CVE-2014-1585 CVE-2014-1584
                      CVE-2014-1583 CVE-2014-1582 CVE-2014-1581
                      CVE-2014-1580 CVE-2014-1578 CVE-2014-1577
                      CVE-2014-1576 CVE-2014-1575 CVE-2014-1574
Member content until: Friday, November 14 2014

OVERVIEW

        Numerous vulnerabilities have been identified in Mozilla Firefox,
        Firefox ESR and Thunderbird. [1]


IMPACT

        The vendor has provided the following details regarding these 
        vulnerabilities:
        
        (CVE-2014-1574), (CVE-2014-1575): "Mozilla developers and community
        identified and fixed several memory safety bugs in the browser 
        engine used in Firefox and other Mozilla-based products. Some of 
        these bugs showed evidence of memory corruption under certain 
        circumstances, and we presume that with enough effort at least some
        of these could be exploited to run arbitrary code." [1]
        
        (CVE-2014-1576): "Using the Address Sanitizer tool, security 
        researcher Atte Kettunen from OUSPG discovered a buffer overflow 
        when making capitalization style changes during CSS parsing. This 
        can cause a crash that is potentially exploitable." [2]
        
        (CVE-2014-1577): "Security researcher Holger Fuhrmannek used the 
        Address Sanitizer tool to discover an out-of-bounds read issue with
        Web Audio when interacting with custom waveforms with invalid 
        values. This results in a crash and could allow for the reading of 
        random memory which may contain sensitive data, or of memory 
        addresses that could be used in combination with another bug." [3]
        
        (CVE-2014-1578): "Using the Address Sanitizer tool, security 
        researcher Abhishek Arya (Inferno) of the Google Chrome Security 
        Team found an out-of-bounds write when buffering WebM format video 
        containing frames with invalid tile sizes. This can lead to a 
        potentially exploitable crash during WebM video playback." [4]
        
        (CVE-2014-1580): "Google security researcher Michal Zalewski 
        reported that when a malformed GIF image is repeatedly rendered 
        within a <canvas> element, memory may not always be properly 
        initialized. The resulting series of images then uses this 
        uninitialized memory during rendering, allowing data to potentially
        leak to web content." [5]
        
        (CVE-2014-1581): "Security researcher regenrecht reported, via 
        TippingPoint's Zero Day Initiative, a use-after-free during text 
        layout when interacting with text direction. This results in a crash
        which can lead to arbitrary code execution." [6]
        
        (CVE-2014-1582), (CVE-2014-1584): "Mozilla developer Patrick McManus
        reported a method to use SPDY or HTTP/2 connection coalescing to 
        bypass key pinning on different sites that resolve to the same IP 
        address. This could allow the use of a fraudulent certificate when a
        saved pin for that subdomain should have prevented the connection. 
        This leads to possible man-in-the-middle attacks if an attacker has
        control of the DNS connection and the ability to obtain a fraudulent
        certificate that browsers would accept in the absence of the pin.
        
        Mozilla security engineer David Keeler discovered that when there 
        are specific problems verifying the issuer of an SSL certificate, 
        the checks necessary for key pinning would not be run. As a result,
        the user is then presented with the "Untrusted Connection" error 
        page, which they can use to bypass the key pinning process on a site
        that should be pinned. This error message is always shown to the 
        user and cannot be used to silently bypass key pinning on affected 
        sites." [7]
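
        The connection-coalescing bypass described above, as an added toy
        model (not code from the advisory or from Mozilla): a pool of TLS
        connections keyed by address, a vulnerable reuse policy that checks
        only the address and the certificate's names, and the fixed policy
        that also re-runs the destination host's pin check before reuse.
        Host names, keys, pins and DNS answers are constructed.

```python
import hashlib
from dataclasses import dataclass

def spki_fingerprint(spki_der: bytes) -> str:
    """Pin value: SHA-256 over the SubjectPublicKeyInfo (hex here for readability)."""
    return hashlib.sha256(spki_der).hexdigest()

@dataclass
class Cert:
    names: frozenset   # DNS names the certificate covers (its SANs)
    spki: bytes        # SubjectPublicKeyInfo bytes (constructed stand-in)

@dataclass
class Conn:
    ip: str            # address the TLS connection was opened to
    host: str          # host the connection was originally opened for
    cert: Cert         # certificate presented on that connection

# Constructed pin store and attacker-controlled DNS answers: only one host is
# pinned; the attacker points both names at the same address.
PINS = {"pinned.example.com": {spki_fingerprint(b"legitimate-key")}}
DNS = {"cdn.example.com": "203.0.113.10", "pinned.example.com": "203.0.113.10"}

def pin_ok(host: str, cert: Cert) -> bool:
    """Hosts without pins always pass; pinned hosts need a matching SPKI hash."""
    pins = PINS.get(host)
    return pins is None or spki_fingerprint(cert.spki) in pins

def coalesce_unchecked(pool: list, host: str):
    """Vulnerable policy: reuse a connection if address and SAN match."""
    for c in pool:
        if c.ip == DNS[host] and host in c.cert.names:
            return c
    return None

def coalesce_pinned(pool: list, host: str):
    """Fixed policy: also re-run the destination host's pin check before reuse."""
    for c in pool:
        if c.ip == DNS[host] and host in c.cert.names and pin_ok(host, c.cert):
            return c
    return None

# Fraudulent cert covering both names; it is accepted when the browser first
# talks to the unpinned host, because that host has no pins to check.
FRAUD = Cert(frozenset({"cdn.example.com", "pinned.example.com"}), b"attacker-key")
POOL = [Conn("203.0.113.10", "cdn.example.com", FRAUD)]
```

        The first policy hands the pinned host's request to the connection
        carrying the fraudulent certificate; the second returns nothing, so
        a fresh connection to pinned.example.com is opened and full
        certificate and pin verification runs there.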
        
        (CVE-2014-1585), (CVE-2014-1586): "Mozilla developers Eric Shepherd
        and Jan-Ivar Bruaroey reported issues with privacy and video sharing
        using WebRTC. Once video sharing has started within a WebRTC session
        running within an <iframe>, video will continue to be shared even if
        the user selects the "Stop Sharing" button in the controls. The 
        camera will also remain on even if the user navigates to another 
        site and will begin streaming again if the user returns to the 
        original site. This is a privacy problem and can lead to inadvertent
        video streaming. This does not affect implementations that are not 
        within an <iframe>." [8]
        
        (CVE-2014-1583): "Mozilla developer Boris Zbarsky reported that a 
        malicious app could use the AlarmAPI to read the values of 
        cross-origin references, such as an iframe's location object, as 
        part of an alarm's JSON data. This allows a malicious app to bypass
        same-origin policy." [9]


MITIGATION

        The vendor recommends updating to the latest version of the affected
        products to correct this issue. [1]


REFERENCES

        [1] Mozilla Foundation Security Advisory 2014-74
            https://www.mozilla.org/security/announce/2014/mfsa2014-74.html

        [2] Mozilla Foundation Security Advisory 2014-75
            https://www.mozilla.org/security/announce/2014/mfsa2014-75.html

        [3] Mozilla Foundation Security Advisory 2014-76
            https://www.mozilla.org/security/announce/2014/mfsa2014-76.html

        [4] Mozilla Foundation Security Advisory 2014-77
            https://www.mozilla.org/security/announce/2014/mfsa2014-77.html

        [5] Mozilla Foundation Security Advisory 2014-78
            https://www.mozilla.org/security/announce/2014/mfsa2014-78.html

        [6] Mozilla Foundation Security Advisory 2014-79
            https://www.mozilla.org/security/announce/2014/mfsa2014-79.html

        [7] Mozilla Foundation Security Advisory 2014-80
            https://www.mozilla.org/security/announce/2014/mfsa2014-80.html

        [8] Mozilla Foundation Security Advisory 2014-81
            https://www.mozilla.org/security/announce/2014/mfsa2014-81.html

        [9] Mozilla Foundation Security Advisory 2014-82
            https://www.mozilla.org/security/announce/2014/mfsa2014-82.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================