===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2014.0120
     Numerous vulnerabilities have been identified in Mozilla Firefox,
                       Firefox ESR and Thunderbird.
                              15 October 2014
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Mozilla Firefox
                      Mozilla Firefox ESR
                      Mozilla Thunderbird
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Provide Misleading Information  -- Remote with User Interaction
                      Access Confidential Data        -- Remote with User Interaction
                      Unauthorised Access             -- Remote with User Interaction
                      Reduced Security                -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2014-1586 CVE-2014-1585 CVE-2014-1584
                      CVE-2014-1583 CVE-2014-1582 CVE-2014-1581
                      CVE-2014-1580 CVE-2014-1578 CVE-2014-1577
                      CVE-2014-1576 CVE-2014-1575 CVE-2014-1574
Member content until: Friday, November 14 2014

OVERVIEW

        Numerous vulnerabilities have been identified in Mozilla Firefox,
        Firefox ESR and Thunderbird. [1]

IMPACT

        The vendor has provided the following details regarding these
        vulnerabilities:

        (CVE-2014-1574), (CVE-2014-1575): "Mozilla developers and community
        identified and fixed several memory safety bugs in the browser engine
        used in Firefox and other Mozilla-based products. Some of these bugs
        showed evidence of memory corruption under certain circumstances, and
        we presume that with enough effort at least some of these could be
        exploited to run arbitrary code." [1]

        (CVE-2014-1576): "Using the Address Sanitizer tool, security
        researcher Atte Kettunen from OUSPG discovered a buffer overflow when
        making capitalization style changes during CSS parsing. This can cause
        a crash that is potentially exploitable." [2]

        (CVE-2014-1577): "Security researcher Holger Fuhrmannek used the
        Address Sanitizer tool to discover an out-of-bounds read issue with
        Web Audio when interacting with custom waveforms with invalid values.
        This results in a crash and could allow for the reading of random
        memory which may contain sensitive data, or of memory addresses that
        could be used in combination with another bug." [3]

        (CVE-2014-1578): "Using the Address Sanitizer tool, security
        researcher Abhishek Arya (Inferno) of the Google Chrome Security Team
        found an out-of-bounds write when buffering WebM format video
        containing frames with invalid tile sizes. This can lead to a
        potentially exploitable crash during WebM video playback." [4]

        (CVE-2014-1580): "Google security researcher Michal Zalewski reported
        that when a malformed GIF image is repeatedly rendered within a
        <canvas> element, memory may not always be properly initialized. The
        resulting series of images then uses this uninitialized memory during
        rendering, allowing data to potentially leak to web content." [5]

        (CVE-2014-1581): "Security researcher regenrecht reported, via
        TippingPoint's Zero Day Initiative, a use-after-free during text
        layout when interacting with text direction. This results in a crash
        which can lead to arbitrary code execution." [6]

        (CVE-2014-1582), (CVE-2014-1584): "Mozilla developer Patrick McManus
        reported a method to use SPDY or HTTP/2 connection coalescing to
        bypass key pinning on different sites that resolve to the same IP
        address. This could allow the use of a fraudulent certificate when a
        saved pin for that subdomain should have prevented the connection.
        This leads to possible man-in-the-middle attacks if an attacker has
        control of the DNS connection and the ability to obtain a fraudulent
        certificate that browsers would accept in the absence of the pin.

        Mozilla security engineer David Keeler discovered that when there are
        specific problems verifying the issuer of an SSL certificate, the
        checks necessary for key pinning would not be run. As a result, the
        user is then presented with the "Untrusted Connection" error page,
        which they can use to bypass the key pinning process on a site that
        should be pinned. This error message is always shown to the user and
        cannot be used to silently bypass key pinning on affected sites." [7]

        (CVE-2014-1585), (CVE-2014-1586): "Mozilla developers Eric Shepherd
        and Jan-Ivar Bruaroey reported issues with privacy and video sharing
        using WebRTC. Once video sharing has started within a WebRTC session
        running within an <iframe>, video will continue to be shared even if
        the user selects the "Stop Sharing" button in the controls. The camera
        will also remain on even if the user navigates to another site and
        will begin streaming again if the user returns to the original site.
        This is a privacy problem and can lead to inadvertent video streaming.
        This does not affect implementations that are not within an <iframe>."
        [8]

        (CVE-2014-1583): "Mozilla developer Boris Zbarsky reported that a
        malicious app could use the AlarmAPI to read the values of
        cross-origin references, such as an iframe's location object, as part
        of an alarm's JSON data. This allows a malicious app to bypass
        same-origin policy." [9]

MITIGATION

        The vendor recommends updating to the latest version of the affected
        products to correct this issue. [1]

REFERENCES

        [1] Mozilla Foundation Security Advisory 2014-74
            https://www.mozilla.org/security/announce/2014/mfsa2014-74.html

        [2] Mozilla Foundation Security Advisory 2014-75
            https://www.mozilla.org/security/announce/2014/mfsa2014-75.html

        [3] Mozilla Foundation Security Advisory 2014-76
            https://www.mozilla.org/security/announce/2014/mfsa2014-76.html

        [4] Mozilla Foundation Security Advisory 2014-77
            https://www.mozilla.org/security/announce/2014/mfsa2014-77.html

        [5] Mozilla Foundation Security Advisory 2014-78
            https://www.mozilla.org/security/announce/2014/mfsa2014-78.html

        [6] Mozilla Foundation Security Advisory 2014-79
            https://www.mozilla.org/security/announce/2014/mfsa2014-79.html

        [7] Mozilla Foundation Security Advisory 2014-80
            https://www.mozilla.org/security/announce/2014/mfsa2014-80.html

        [8] Mozilla Foundation Security Advisory 2014-81
            https://www.mozilla.org/security/announce/2014/mfsa2014-81.html

        [9] Mozilla Foundation Security Advisory 2014-82
            https://www.mozilla.org/security/announce/2014/mfsa2014-82.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
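
The connection-coalescing bypass quoted above for CVE-2014-1582 comes down to reusing an open SPDY or HTTP/2 connection for a second hostname without re-running that hostname's pin check. The Python model below is an added example, not code from AusCERT or Mozilla; it shows the reuse decision with and without the per-hostname check. The function names, the hex SHA-256 pin format, the hostnames, keys and addresses are all constructed for illustration.

```python
import hashlib

def spki_digest(spki: bytes) -> str:
    """SHA-256 of a public-key blob, standing in for a saved pin value."""
    return hashlib.sha256(spki).hexdigest()

def name_matches(pattern: str, host: str) -> bool:
    """Exact match, or a wildcard covering exactly one left-most label."""
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def pins_satisfied(pins: dict, host: str, chain_keys: list) -> bool:
    """True if no pin is saved for host, or some key in the chain is pinned."""
    saved = pins.get(host)
    return saved is None or any(spki_digest(k) in saved for k in chain_keys)

def may_coalesce(conn: dict, host: str, host_ips: set, pins: dict,
                 enforce_pins: bool = True) -> tuple:
    """Decide whether an already-open connection may carry requests for host."""
    if conn["ip"] not in host_ips:
        return (False, "host does not resolve to the connection's IP")
    if not any(name_matches(n, host) for n in conn["cert_names"]):
        return (False, "certificate does not cover host")
    # The check whose absence the advisory describes: pins are saved per
    # hostname, so they must be evaluated again for every host that is
    # coalesced onto the connection, not only for the host that opened it.
    if enforce_pins and not pins_satisfied(pins, host, conn["chain_keys"]):
        return (False, "chain violates the saved pin for host")
    return (True, "ok")

# Constructed sample data (hypothetical names, keys and addresses).
PINS = {"pinned.example.test": {spki_digest(b"legit-intermediate-key")}}
CONN = {  # opened for www.example.test, which has no saved pin
    "ip": "192.0.2.10",
    "cert_names": ["*.example.test"],
    "chain_keys": [b"other-ca-key", b"other-leaf-key"],
}
DNS_ANSWER = {"192.0.2.10"}  # pinned.example.test resolves to the same IP

if __name__ == "__main__":
    for enforce in (False, True):
        print(enforce, may_coalesce(CONN, "pinned.example.test",
                                    DNS_ANSWER, PINS, enforce))
```

With `enforce_pins=False` the model reuses the connection for the pinned host even though no key in the presented chain matches its saved pin; with the check enabled the reuse is refused and a fresh, fully validated connection would be required.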