Mozilla Firefox: Multiple vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2014.0139
         Numerous vulnerabilities have been identified in Mozilla
                   Firefox, Firefox ESR and Thunderbird.
                              3 December 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Mozilla Firefox
                      Mozilla Firefox ESR
                      Mozilla Thunderbird
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Access Confidential Data        -- Remote with User Interaction
                      Reduced Security                -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2014-8632 CVE-2014-8631 CVE-2014-1595
                      CVE-2014-1594 CVE-2014-1593 CVE-2014-1592
                      CVE-2014-1591 CVE-2014-1590 CVE-2014-1589
                      CVE-2014-1588 CVE-2014-1587 
Member content until: Friday, January  2 2015

OVERVIEW

        Numerous vulnerabilities have been identified in Mozilla Firefox, 
        Firefox ESR and Thunderbird. [1]


IMPACT

        The vendor has provided the following details regarding these 
        vulnerabilities:
        
        (CVE-2014-1587),(CVE-2014-1588):"Mozilla developers and community 
        identified and fixed several memory safety bugs in the browser 
        engine used in Firefox and other Mozilla-based products. Some of 
        these bugs showed evidence of memory corruption under certain 
        circumstances, and we presume that with enough effort at least some
        of these could be exploited to run arbitrary code." [2]
        
        (CVE-2014-1589): "Security researcher Cody Crews reported a method 
        to trigger chrome level XML Binding Language (XBL) bindings through
        web content. This was possible because some chrome accessible CSS 
        stylesheets had their primary namespace improperly declared. When 
        this occurred, it was possible to use these stylesheets to 
        manipulate XBL bindings, allowing web content to bypass security 
        restrictions. This issue was limited to a specific set of 
        stylesheets." [3]
        
        (CVE-2014-1590): "Security researcher Joe Vennix from Rapid7 
        reported that passing a JavaScript object to XMLHttpRequest that 
        mimics an input stream will a crash. This crash is not exploitable 
        and can only be used for denial of service attacks." [4]
        
        (CVE-2014-1591): "Security researcher Muneaki Nishimura discovered 
        that Content Security Policy (CSP) violation reports triggered by a
        redirect did not remove path information as required by the CSP 
        specification. This potentially reveals information about the 
        redirect that would not otherwise be known to the original site. 
        This could be used by a malicious site to obtain sensitive 
        information such as usernames or single-sign-on tokens encoded 
        within the target URLs." [5]
        
        (CVE-2014-1592): "Security researcher Berend-Jan Wever reported a 
        use-after-free created by triggering the creation of a second root 
        element while parsing HTML written to a document created with 
        document.open(). This leads to a potentially exploitable crash." [6]
        
        (CVE-2014-1593): "Security researcher Abhishek Arya (Inferno) of the
        Google Chrome Security Team used the Address Sanitizer tool to 
        discover a buffer overflow during the parsing of media content. This
        leads to a potentially exploitable crash." [7]
        
        (CVE-2014-1594): "Security researchers Byoungyoung Lee, Chengyu 
        Song, and Taesoo Kim at the Georgia Tech Information Security Center
        (GTISC) reported a bad casting from the BasicThebesLayer to 
        BasicContainerLayer, resulting in undefined behavior. This behavior
        is potentially exploitable with some compilers but no clear 
        mechanism to trigger it through web content was identified." [8]
        
        (CVE-2014-1595): "Security researcher Kent Howard reported an Apple
        issue present in OS X 10.10 (Yosemite) where log files are created 
        by the CoreGraphics framework of OS X in the /tmp local directory. 
        These log files contain a record of all inputs into Mozilla programs
        during their operation. In versions of OS X from versions 10.6 
        through 10.9, the CoreGraphics had this logging ability but it was 
        turned off by default. In OS X 10.10, this logging was turned on by
        default for some applications that use a custom memory allocator, 
        such as jemalloc, because of an initialization bug in the framework.
        This issue has been addressed in Mozilla products by explicitly 
        turning off the framework's logging of input events. On vulnerable 
        systems, this issue can result in private data such as usernames, 
        passwords, and other inputed data being saved to a log file on the 
        local system." [9]
        
        (CVE-2014-8631),(CVE-2014-8632): "Mozilla developer Bobby Holley 
        discovered two issues involving security wrappers.
        
        The first of these issues occurs when XrayWrappers filter object 
        properties. When validation of the object initially occurs, one set
        of object properties will appear to be available. Later, when the 
        XrayWrappers are removed, a more expansive set of properties is 
        available. These are then stored without further validation, making
        these properties available and bypassing security protections that 
        would normally protect them from access.
        
        The second issue occurs when chrome objects are protected by Chrome
        Object Wrappers (COW) and are passed as native interfaces. If this 
        is done with some methods, normally protected objects may be 
        accessible to native methods exposed to web content.
        
        Both of these issues could allow web content to access DOM objects 
        that are intended to be chrome-only." [10]


MITIGATION

        The vendor recommends updating to the latest version of the affected
        products to correct this issue. [1 - 10]


REFERENCES

        [1] Mozilla Foundation Security Advisories
            https://www.mozilla.org/en-US/security/advisories/

        [2] Mozilla Foundation Security Advisory 2014-83
            https://www.mozilla.org/en-US/security/advisories/mfsa2014-83/

        [3] Mozilla Foundation Security Advisory 2014-84
            https://www.mozilla.org/en-US/security/advisories/mfsa2014-84/

        [4] Mozilla Foundation Security Advisory 2014-85
            https://www.mozilla.org/en-US/security/advisories/mfsa2014-85/

        [5] Mozilla Foundation Security Advisory 2014-86
            https://www.mozilla.org/en-US/security/advisories/mfsa2014-86/

        [6] Mozilla Foundation Security Advisory 2014-87
            https://www.mozilla.org/en-US/security/advisories/mfsa2014-87/

        [7] Mozilla Foundation Security Advisory 2014-88
            https://www.mozilla.org/en-US/security/advisories/mfsa2014-88/

        [8] Mozilla Foundation Security Advisory 2014-89
            https://www.mozilla.org/en-US/security/advisories/mfsa2014-89/

        [9] Mozilla Foundation Security Advisory 2014-90
            https://www.mozilla.org/en-US/security/advisories/mfsa2014-90/

        [10] Mozilla Foundation Security Advisory 2014-91
             https://www.mozilla.org/en-US/security/advisories/mfsa2014-91/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVH5lBBLndAQH1ShLAQL0UxAAmrAywzkVoFaisXzkbl4NjQRZUerBwMtd
cJB+hCndM0MCf9H/3JpEXzNe0i0mWRrToIctVcvSneA8KgkpQreXOMHq2/SGYSkn
TxzTpfYSHfCOPEyEp9pPvmANDZ6sPQd6oQwW19TOlo+wuOaE87UfH86pXvKcC1JF
nRbmB0XzUTMQE7swI8GfyyqXVzmJ4mhey17qfE5+584DJ/lqqvLuyTczraiqs2hV
a0sD3exheloFHiTwVzQLFQ9/9fJo2nU5w/BUcHy40a4boTusz4ZTJu6i3tjufJKV
snyexyAW7LhxJauMSHTP05pnRlzHnsDZC6zqpbkeiKe7ALyZIgqwFW1rvNIw3mBQ
XHenpuUsJqpEH85ND4gXzqKaUNWrhbQt/iiN3KfHSCP8UL91Ax427h08rtliQA/a
3aNjq+fAiE9RjPpkLgZm6PS+IMnhTDNWryiVNpODhdr+GFFhCsasJ00M+n4+YGhd
bTW//1YWEJJmMxsPDxMdKfd6UyQQ19dvEuJVkyakiQd9LsOhNFWXqxXR0RKrgIbp
Ali8ukGGMKK9DB5Y3yf3c6R1Kx2zCRpcUBpzRf0nF7krF2zi6IBJ1W4V6DEke99S
YEDIevb4m8nbbzfd1Fd6GMdxnr4OqqD3pTrD8sNMOkfjj1lUFW4utLLSUm4cCvAy
8nchvZsOmDk=
=1kvp
-----END PGP SIGNATURE-----