===========================================================================
             AUSCERT Security Bulletin ASB-2015.0049
   Mozilla has released Firefox version 38, Firefox ESR version 31.7
                        and Thunderbird 31.7
                              13 May 2015
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Mozilla Firefox
                      Mozilla Firefox ESR
                      Mozilla Thunderbird ESR
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
                      Android
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Increased Privileges            -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Access Confidential Data        -- Remote with User Interaction
                      Reduced Security                -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2015-2720 CVE-2015-2718 CVE-2015-2717 CVE-2015-2716
                      CVE-2015-2715 CVE-2015-2714 CVE-2015-2713 CVE-2015-2712
                      CVE-2015-2711 CVE-2015-2710 CVE-2015-2709 CVE-2015-2708
                      CVE-2015-0833 CVE-2015-0797 CVE-2011-3079
Member content until: Friday, June 12 2015
Reference:            ASB-2015.0018
                      ASB-2012.0064
                      ESB-2015.1004

OVERVIEW

        Mozilla has released Firefox version 38, Firefox ESR version 31.7 and
        Thunderbird 31.7 to correct multiple vulnerabilities. [1 - 13]

IMPACT

        The vendor has provided the following details regarding these issues:

        CVE-2015-2708, CVE-2015-2709:
        "Mozilla developers and community identified and fixed several memory
        safety bugs in the browser engine used in Firefox and other
        Mozilla-based products. Some of these bugs showed evidence of memory
        corruption under certain circumstances, and we presume that with
        enough effort at least some of these could be exploited to run
        arbitrary code. In general these flaws cannot be exploited through
        email in the Thunderbird product because scripting is disabled, but
        are potentially a risk in browser or browser-like contexts." [1]

        CVE-2015-0797:
        "Security researcher Aki Helin used the Address Sanitizer tool to find
        a buffer overflow during video playback on Linux systems. This was due
        to a problem in older versions of the Gstreamer plugin during the
        parsing of H.264 formatted video. This issue could be used to induce a
        possibly exploitable crash. This issue does not affect the current 1.0
        version of Gstreamer and does not affect Windows or OS X systems." [2]

        CVE-2015-2710:
        "Using the Address Sanitizer tool, security researcher Atte Kettunen
        found a buffer overflow during the rendering of SVG format graphics
        when combined with specific CSS properties on a page. This results in
        a potentially exploitable crash. In general this flaw cannot be
        exploited through email in the Thunderbird product because scripting
        is disabled, but is potentially a risk in browser or browser-like
        contexts." [3]

        CVE-2015-2711:
        "Security researcher Alex Verstak reported that <meta name="referrer">
        is ignored when a link is opened through the context menu or a
        middle-click by mouse. This means that, in some situations, the
        referrer policy is ignored when opening links in new tabs and may
        cause some pages to open without an HTTP Referer header being set
        according to the author's intended policy." [4]

        CVE-2015-2712:
        "Security researcher Dougall Johnson reported an out-of-bounds read
        and write in asm.js during JavaScript validation due to an error in
        how heap lengths are defined. This results in a potentially
        exploitable crash and could allow for the reading of random memory
        which may contain sensitive data." [5]

        CVE-2015-2713:
        "Security researcher Scott Bell used the Address Sanitizer tool to
        discover a use-after-free error during the processing of text when
        vertical text is enabled. This leads to a potentially exploitable
        crash." [6]

        CVE-2015-2714:
        "Security researcher Muneaki Nishimura reported that Firefox for
        Android would write potentially sensitive data to the Android logcat
        that was encoded as part of logged URL strings. On Android 4.0 or
        earlier systems, logcat data is available to any application having
        READ_LOGS permission, leading to potential privacy violations." [7]

        CVE-2015-2715:
        "Security researchers Tyson Smith and Jesse Schwartzentruber reported
        a use-after-free during the shutdown process. This was caused by a
        race condition when media decoder threads are created during the
        shutdown process in some circumstances. This leads to a potentially
        exploitable crash when triggered." [8]

        CVE-2015-2716:
        "Security researcher Ucha Gobejishvili used the Address Sanitizer tool
        to find a buffer overflow while parsing compressed XML content. This
        was due to an error in how buffer space is created and modified when
        handling large amounts of XML data. This results in a potentially
        exploitable crash. In general this flaw cannot be exploited through
        email in the Thunderbird product because scripting is disabled, but
        is potentially a risk in browser or browser-like contexts." [9]

        CVE-2015-2717:
        "Security researcher laf.intel reported a buffer overflow and
        out-of-bounds read in the libstagefright library while parsing
        invalid metadata in MP4 video files. This can lead to a potentially
        exploitable crash." [10]

        CVE-2015-2718:
        "Mozilla developer Mark Hammond reported a flaw in how WebChannel.jsm
        handles message traffic. He found that when a trusted page is hosted
        within an <iframe> on an untrusted third-party framing page, the
        untrusted page could intercept webchannel responses meant for the
        trusted page, bypassing origin restrictions." [11]

        CVE-2011-3079:
        "Mozilla Developer Jed Davis and Mozilla security engineer Christoph
        Diehl reported that Mozilla had inherited an Inter-process
        Communication (IPC) vulnerability when IPC was introduced into
        Mozilla products through third-party code. This could allow for
        privilege escalation through IPC channels due to lack of message
        validation in the listener process. This issue only affects systems
        running Windows, leaving Linux and OS X unaffected." [12]

        CVE-2015-2720, CVE-2015-0833:
        "Security researcher Holger Fuhrmannek previously reported
        CVE-2015-0833, which was fixed in MFSA2015-12. That flaw allowed for
        the updater to load binary DLL format files from the local working
        directory or from the Windows temporary directories. During the
        fixing of CVE-2015-0833, the need to ensure that updates use the
        updater.exe from the application directory was identified to mitigate
        the potential for further similar vulnerabilities. This change to
        updater.exe for Windows systems has been made in this release. This
        issue is specific to Windows and does not affect Linux or OS X
        systems." [13]

MITIGATION

        Mozilla recommends updating to the latest versions of Firefox,
        Firefox ESR and Thunderbird ESR to correct these issues. [1 - 13]

REFERENCES

        [1] Mozilla Foundation Security Advisory 2015-46
            https://www.mozilla.org/en-US/security/advisories/mfsa2015-46/

        [2] Mozilla Foundation Security Advisory 2015-47
            https://www.mozilla.org/en-US/security/advisories/mfsa2015-47/

        [3] Mozilla Foundation Security Advisory 2015-48
            https://www.mozilla.org/en-US/security/advisories/mfsa2015-48/

        [4] Mozilla Foundation Security Advisory 2015-49
            https://www.mozilla.org/en-US/security/advisories/mfsa2015-49/

        [5] Mozilla Foundation Security Advisory 2015-50
            https://www.mozilla.org/en-US/security/advisories/mfsa2015-50/

        [6] Mozilla Foundation Security Advisory 2015-51
            https://www.mozilla.org/en-US/security/advisories/mfsa2015-51/

        [7] Mozilla Foundation Security Advisory 2015-52
            https://www.mozilla.org/en-US/security/advisories/mfsa2015-52/

        [8] Mozilla Foundation Security Advisory 2015-53
            https://www.mozilla.org/en-US/security/advisories/mfsa2015-53/

        [9] Mozilla Foundation Security Advisory 2015-54
            https://www.mozilla.org/en-US/security/advisories/mfsa2015-54/

        [10] Mozilla Foundation Security Advisory 2015-55
             https://www.mozilla.org/en-US/security/advisories/mfsa2015-55/

        [11] Mozilla Foundation Security Advisory 2015-56
             https://www.mozilla.org/en-US/security/advisories/mfsa2015-56/

        [12] Mozilla Foundation Security Advisory 2015-57
             https://www.mozilla.org/en-US/security/advisories/mfsa2015-57/

        [13] Mozilla Foundation Security Advisory 2015-58
             https://www.mozilla.org/en-US/security/advisories/mfsa2015-58/

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
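As an added example that is not part of the AusCERT bulletin, the script below checks a software inventory against the fixed versions named in the MITIGATION section (Firefox 38, Firefox ESR 31.7, Thunderbird 31.7) and reports hosts that still need the update. The inventory tuple layout and the use of an "esr" suffix on the version string to tell the ESR channel apart from the release channel are assumptions of this example.

```python
import re

# Minimum patched (major, minor) per product/channel, taken from the bulletin:
# Firefox 38, Firefox ESR 31.7, Thunderbird ESR 31.7.
FIXED = {
    ("firefox", "release"): (38, 0),
    ("firefox", "esr"): (31, 7),
    ("thunderbird", "esr"): (31, 7),
}

# Assumed version-string shape, e.g. "38.0", "37.0.2", "31.7.0esr".
_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(esr)?$", re.IGNORECASE)


def parse_version(version):
    """Return ((major, minor, patch), channel); channel is 'esr' if the string ends in 'esr'."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % version)
    major, minor, patch, esr = m.groups()
    return (int(major), int(minor or 0), int(patch or 0)), ("esr" if esr else "release")


def is_patched(product, version):
    """True if this product/version is at or above the fixed version from ASB-2015.0049."""
    nums, channel = parse_version(version)
    product = product.lower()
    if product == "thunderbird":
        channel = "esr"  # the bulletin names only Thunderbird ESR 31.7
    threshold = FIXED.get((product, channel))
    if threshold is None:
        raise ValueError("unknown product/channel: %s/%s" % (product, channel))
    # Only major.minor matter for the thresholds in this bulletin; the patch level is ignored.
    return nums[:2] >= threshold


def audit(inventory):
    """Return the hosts whose (host, product, version) entry still needs the update."""
    return [host for host, product, version in inventory if not is_patched(product, version)]


if __name__ == "__main__":
    # Constructed sample inventory, as an endpoint-management export might provide.
    SAMPLE = [
        ("ws01", "Firefox", "38.0"),
        ("ws02", "Firefox", "37.0.2"),
        ("srv01", "Firefox", "31.6.0esr"),
        ("srv02", "Firefox", "31.7.0esr"),
        ("ws03", "Thunderbird", "31.6.0"),
    ]
    for host in audit(SAMPLE):
        print("needs update:", host)
```

A release-channel Firefox at 31.x without the esr suffix is compared against 38 and therefore reported as unpatched, which is the intended behaviour.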