===========================================================================
AUSCERT Security Bulletin

ASB-2014.0139
Numerous vulnerabilities have been identified in Mozilla Firefox,
Firefox ESR and Thunderbird.
3 December 2014
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:              Mozilla Firefox
                      Mozilla Firefox ESR
                      Mozilla Thunderbird
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Access Confidential Data        -- Remote with User Interaction
                      Reduced Security                -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2014-8632 CVE-2014-8631 CVE-2014-1595
                      CVE-2014-1594 CVE-2014-1593 CVE-2014-1592
                      CVE-2014-1591 CVE-2014-1590 CVE-2014-1589
                      CVE-2014-1588 CVE-2014-1587
Member content until: Friday, January 2 2015

OVERVIEW

Numerous vulnerabilities have been identified in Mozilla Firefox, Firefox ESR and Thunderbird. [1]

IMPACT

The vendor has provided the following details regarding these vulnerabilities:

(CVE-2014-1587), (CVE-2014-1588): "Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code." [2]

(CVE-2014-1589): "Security researcher Cody Crews reported a method to trigger chrome level XML Binding Language (XBL) bindings through web content. This was possible because some chrome accessible CSS stylesheets had their primary namespace improperly declared. When this occurred, it was possible to use these stylesheets to manipulate XBL bindings, allowing web content to bypass security restrictions.
This issue was limited to a specific set of stylesheets." [3]

(CVE-2014-1590): "Security researcher Joe Vennix from Rapid7 reported that passing a JavaScript object to XMLHttpRequest that mimics an input stream will cause a crash. This crash is not exploitable and can only be used for denial of service attacks." [4]

(CVE-2014-1591): "Security researcher Muneaki Nishimura discovered that Content Security Policy (CSP) violation reports triggered by a redirect did not remove path information as required by the CSP specification. This potentially reveals information about the redirect that would not otherwise be known to the original site. This could be used by a malicious site to obtain sensitive information such as usernames or single-sign-on tokens encoded within the target URLs." [5]

(CVE-2014-1592): "Security researcher Berend-Jan Wever reported a use-after-free created by triggering the creation of a second root element while parsing HTML written to a document created with document.open(). This leads to a potentially exploitable crash." [6]

(CVE-2014-1593): "Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team used the Address Sanitizer tool to discover a buffer overflow during the parsing of media content. This leads to a potentially exploitable crash." [7]

(CVE-2014-1594): "Security researchers Byoungyoung Lee, Chengyu Song, and Taesoo Kim at the Georgia Tech Information Security Center (GTISC) reported a bad casting from the BasicThebesLayer to BasicContainerLayer, resulting in undefined behavior. This behavior is potentially exploitable with some compilers but no clear mechanism to trigger it through web content was identified." [8]

(CVE-2014-1595): "Security researcher Kent Howard reported an Apple issue present in OS X 10.10 (Yosemite) where log files are created by the CoreGraphics framework of OS X in the /tmp local directory. These log files contain a record of all inputs into Mozilla programs during their operation.
In versions of OS X from versions 10.6 through 10.9, the CoreGraphics had this logging ability but it was turned off by default. In OS X 10.10, this logging was turned on by default for some applications that use a custom memory allocator, such as jemalloc, because of an initialization bug in the framework. This issue has been addressed in Mozilla products by explicitly turning off the framework's logging of input events. On vulnerable systems, this issue can result in private data such as usernames, passwords, and other inputted data being saved to a log file on the local system." [9]

(CVE-2014-8631), (CVE-2014-8632): "Mozilla developer Bobby Holley discovered two issues involving security wrappers. The first of these issues occurs when XrayWrappers filter object properties. When validation of the object initially occurs, one set of object properties will appear to be available. Later, when the XrayWrappers are removed, a more expansive set of properties is available. These are then stored without further validation, making these properties available and bypassing security protections that would normally protect them from access. The second issue occurs when chrome objects are protected by Chrome Object Wrappers (COW) and are passed as native interfaces. If this is done with some methods, normally protected objects may be accessible to native methods exposed to web content. Both of these issues could allow web content to access DOM objects that are intended to be chrome-only." [10]

MITIGATION

The vendor recommends updating to the latest version of the affected products to correct these issues.
[1 - 10]

REFERENCES

[1] Mozilla Foundation Security Advisories
    https://www.mozilla.org/en-US/security/advisories/

[2] Mozilla Foundation Security Advisory 2014-83
    https://www.mozilla.org/en-US/security/advisories/mfsa2014-83/

[3] Mozilla Foundation Security Advisory 2014-84
    https://www.mozilla.org/en-US/security/advisories/mfsa2014-84/

[4] Mozilla Foundation Security Advisory 2014-85
    https://www.mozilla.org/en-US/security/advisories/mfsa2014-85/

[5] Mozilla Foundation Security Advisory 2014-86
    https://www.mozilla.org/en-US/security/advisories/mfsa2014-86/

[6] Mozilla Foundation Security Advisory 2014-87
    https://www.mozilla.org/en-US/security/advisories/mfsa2014-87/

[7] Mozilla Foundation Security Advisory 2014-88
    https://www.mozilla.org/en-US/security/advisories/mfsa2014-88/

[8] Mozilla Foundation Security Advisory 2014-89
    https://www.mozilla.org/en-US/security/advisories/mfsa2014-89/

[9] Mozilla Foundation Security Advisory 2014-90
    https://www.mozilla.org/en-US/security/advisories/mfsa2014-90/

[10] Mozilla Foundation Security Advisory 2014-91
     https://www.mozilla.org/en-US/security/advisories/mfsa2014-91/

AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
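
The report stripping at issue in CVE-2014-1591, as an added example that is not part of this bulletin or of Mozilla's code: a sketch of reducing a cross-origin blocked URL to its origin before it is reported, plus a check a CSP report collector can run to spot reports that still carry path or query data. The function names and sample reports are constructed for illustration, and the stripping rule is a simplified reading of the CSP specification's requirement that the advisory refers to.

```javascript
'use strict';

// What a violation report may disclose about a blocked URL (simplified):
// opaque origins (e.g. data:) -> scheme only; cross-origin -> origin only;
// same-origin -> full URL without the fragment.
function stripForReport(blockedUrl, documentUrl) {
  const blocked = new URL(blockedUrl);
  const doc = new URL(documentUrl);
  if (blocked.origin === 'null') {
    return blocked.protocol.slice(0, -1);
  }
  if (blocked.origin !== doc.origin) {
    return blocked.origin;
  }
  blocked.hash = '';
  return blocked.href;
}

// Collector-side check: true when a cross-origin blocked-uri arrives with
// path, query or fragment still attached.
function reportLeaksPath(report) {
  const body = report['csp-report'] || {};
  let blocked, doc;
  try {
    blocked = new URL(body['blocked-uri']);
    doc = new URL(body['document-uri']);
  } catch (e) {
    return false; // keyword values such as "inline": no URL to leak
  }
  if (blocked.origin === doc.origin) return false;
  return blocked.pathname !== '/' || blocked.search !== '' || blocked.hash !== '';
}

// Constructed sample reports (hypothetical hosts and token value).
const SAMPLE_REPORTS = [
  { 'csp-report': { 'document-uri': 'https://app.example/login',
                    'blocked-uri': 'https://sso.example' } },
  { 'csp-report': { 'document-uri': 'https://app.example/login',
                    'blocked-uri': 'https://sso.example/cb?user=alice&token=CONSTRUCTED' } },
  { 'csp-report': { 'document-uri': 'https://app.example/login',
                    'blocked-uri': 'inline' } },
];

// Indexes of the reports that disclose more than the origin.
function auditReports(reports) {
  return reports.map((r, i) => (reportLeaksPath(r) ? i : -1)).filter((i) => i >= 0);
}
```

A collector that sees reports like the second sample is receiving them from a client that does not strip redirect targets, and should treat the stored URLs as potentially containing credentials.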