Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT Security Bulletin
ASB-2015.0049
Mozilla has released Firefox version 38, Firefox ESR version
31.7 and Thunderbird 31.7
13 May 2015
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Mozilla Firefox
Mozilla Firefox ESR
Mozilla Thunderbird ESR
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Android
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Increased Privileges -- Remote with User Interaction
Denial of Service -- Remote with User Interaction
Access Confidential Data -- Remote with User Interaction
Reduced Security -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2015-2720 CVE-2015-2718 CVE-2015-2717
CVE-2015-2716 CVE-2015-2715 CVE-2015-2714
CVE-2015-2713 CVE-2015-2712 CVE-2015-2711
CVE-2015-2710 CVE-2015-2709 CVE-2015-2708
CVE-2015-0833 CVE-2015-0797 CVE-2011-3079
Member content until: Friday, June 12 2015
Reference: ASB-2015.0018
ASB-2012.0064
ESB-2015.1004
OVERVIEW
Mozilla has released Firefox version 38, Firefox ESR version 31.7
and Thunderbird 31.7 to correct multiple vulnerabilities. [1 - 13]
IMPACT
The vendor has provided the following details regarding these
issues:
CVE-2015-2708, CVE-2015-2709: "Mozilla developers and community
identified and fixed several memory safety bugs in the browser
engine used in Firefox and other Mozilla-based products. Some of
these bugs showed evidence of memory corruption under certain
circumstances, and we presume that with enough effort at least some
of these could be exploited to run arbitrary code.
In general these flaws cannot be exploited through email in the
Thunderbird product because scripting is disabled, but are
potentially a risk in browser or browser-like contexts." [1]
CVE-2015-0797: "Security researcher Aki Helin used the Address
Sanitizer tool to find a buffer overflow during video playback on
Linux systems. This was due to a problem in older versions of the
Gstreamer plugin during the parsing of H.264 formatted video. This
issue could be used to induce a possibly exploitable crash.
This issue does not affect the current 1.0 version of Gstreamer and
does not affect Windows or OS X systems." [2]
CVE-2015-2710: "Using the Address Sanitizer tool, security
researcher Atte Kettunen found a buffer overflow during the
rendering of SVG format graphics when combined with specific CSS
properties on a page. This results in a potentially exploitable
crash.
In general this flaw cannot be exploited through email in the
Thunderbird product because scripting is disabled, but is
potentially a risk in browser or browser-like contexts." [3]
CVE-2015-2711: "Security researcher Alex Verstak reported that <meta
name="referrer"> is ignored when a link is opened through the
context menu or a middle-click by mouse. This means that, in some
situations, the referrer policy is ignored when opening links in new
tabs and may cause some pages to open without an HTTP Referer header
being set according to the author's intended policy." [4]
CVE-2015-2712: "Security researcher Dougall Johnson reported an
out-of-bounds read and write in asm.js during JavaScript validation
due to an error in how heap lengths are defined. This results in a
potentially exploitable crash and could allow for the reading of
random memory which may contain sensitive data." [5]
CVE-2015-2713: "Security researcher Scott Bell used the Address
Sanitizer tool to discover a use-after-free error during the
processing of text when vertical text is enabled. This leads to a
potentially exploitable crash." [6]
CVE-2015-2714: "Security researcher Muneaki Nishimura reported that
Firefox for Android would write potentially sensitive data to the
Android logcat that was encoded as part of logged URL strings. On
Android 4.0 or earlier systems, logcat data is available to any
application having READ_LOGS permission, leading to potential
privacy violations." [7]
CVE-2015-2715: "Security researchers Tyson Smith and Jesse
Schwartzentruber reported a use-after-free during the shutdown
process. This was caused by a race condition when media decoder
threads are created during the shutdown process in some
circumstances. This leads to a potentially exploitable crash when
triggered." [8]
CVE-2015-2716: "Security researcher Ucha Gobejishvili used the
Address Sanitizer tool to find a buffer overflow while parsing
compressed XML content. This was due to an error in how buffer space
is created and modified when handling large amounts of XML data.
This results in a potentially exploitable crash.
In general this flaw cannot be exploited through email in the
Thunderbird product because scripting is disabled, but is
potentially a risk in browser or browser-like contexts." [9]
CVE-2015-2717: "Security researcher laf.intel reported a buffer
overflow and out-of-bounds read in the libstagefright library while
parsing invalid metadata in MP4 video files. This can lead to a
potentially exploitable crash." [10]
CVE-2015-2718: "Mozilla developer Mark Hammond reported a flaw in
how WebChannel.jsm handles message traffic. He found that when a
trusted page is hosted within an <iframe> on an untrusted
third-party untrusted framing page, the untrusted page could
intercept webchannel responses meant for the trusted page, bypassing
origin restrictions." [11]
CVE-2011-3079: "Mozilla Developer Jed Davis and Mozilla security
engineer Christoph Diehl reported that Mozilla had inherited a
Inter-process Communication (IPC) vulnerability when IPC was
introduced into Mozilla products through third-party code. This
could allow for privilege escalation through IPC channels due to
lack of message validation in the listener process.
This issue only affects systems running Windows, leaving Linux and
OS X unaffected." [12]
CVE-2015-2720, CVE-2015-0833: "Security researcher Holger Fuhrmannek
previously reported CVE-2015-0833, which was fixed in MFSA2015- 12.
That flaw allowed for the updater to load binary DLL format files
from the local working directory or from the Windows temporary
directories. During the fixing of CVE-2015-0833, the need to ensure
that updates use the updater.exe from the application directory was
identified to mitigate the potential for further similar
vulnerabilities. This change to updater.exe for Windows systems has
been made in this release.
This issue is specific to Windows and does not affect Linux or OS X
systems." [13]
MITIGATION
Mozilla recommends updating to the latest versions of Firefox,
Firefox ESR and Thunderbird ESR to correct these issues. [1 - 13]
REFERENCES
[1] Mozilla Foundation Security Advisory 2015-46
https://www.mozilla.org/en-US/security/advisories/mfsa2015-46/
[2] Mozilla Foundation Security Advisory 2015-47
https://www.mozilla.org/en-US/security/advisories/mfsa2015-47/
[3] Mozilla Foundation Security Advisory 2015-48
https://www.mozilla.org/en-US/security/advisories/mfsa2015-48/
[4] Mozilla Foundation Security Advisory 2015-49
https://www.mozilla.org/en-US/security/advisories/mfsa2015-49/
[5] Mozilla Foundation Security Advisory 2015-50
https://www.mozilla.org/en-US/security/advisories/mfsa2015-50/
[6] Mozilla Foundation Security Advisory 2015-51
https://www.mozilla.org/en-US/security/advisories/mfsa2015-51/
[7] Mozilla Foundation Security Advisory 2015-52
https://www.mozilla.org/en-US/security/advisories/mfsa2015-52/
[8] Mozilla Foundation Security Advisory 2015-53
https://www.mozilla.org/en-US/security/advisories/mfsa2015-53/
[9] Mozilla Foundation Security Advisory 2015-54
https://www.mozilla.org/en-US/security/advisories/mfsa2015-54/
[10] Mozilla Foundation Security Advisory 2015-55
https://www.mozilla.org/en-US/security/advisories/mfsa2015-55/
[11] Mozilla Foundation Security Advisory 2015-56
https://www.mozilla.org/en-US/security/advisories/mfsa2015-56/
[12] Mozilla Foundation Security Advisory 2015-57
https://www.mozilla.org/en-US/security/advisories/mfsa2015-57/
[13] Mozilla Foundation Security Advisory 2015-58
https://www.mozilla.org/en-US/security/advisories/mfsa2015-58/
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBVVKtIhLndAQH1ShLAQJZ/w//Sptg0CYDszTlphr/qcR1FTtsXbNIWsTe
bBg9kYN0yiOlo36w5gYhIuf3VxzYeftHKeOtlvJwFROBdeg27Pj7w7tv1Jsby2Br
avANEkRa6HWMFeqOS67cW9YHgTFmhl9iCNuupMBUgHKmpcXPFxNl66FXFfLvp17h
WXUMmz0LwGK99bkWqOq0ijSXpoCKI3mVFRdV9nC81FrJ0/+bBFETvdXoPA5npoV/
XoJMEVLcGYXacKH3aKz+GQTbZSsSwTgrV0MRN1thUaywiY8AhhGLBUi8vDaNU3g2
q3DJ5FupGxIl+pcbxeL1jggcogG3aVg7m00L7UWqKLqmOxNTpyG2ES2WwfrKnN4j
Y6VCsbc/26EI/l61TrP7lOl+ETAGboBgZgFZWG8s7bx0CqfIlfCv9uCHyeN7FHeu
Ff3iPAE1WCQ4fNeiiTULT2L8+TAoUbNJJtmCTO+I3uwPiVireyjbX4jutVYlvXpw
kx7qMTJ8f77LvrFXBbYR/+D63BWQF6l6CSfv7P3c331lCzmSaPeMc04xRqTig7Fd
LyOSdMbJlsurc0YYqNLyQogNq4MMHWPnPO0GBU6mFuJTyRmW76WQ753KFcDNRbTc
Vabm5VOYzK5xiyBsdAVHh6p+MW7LBK4u011/DfW0eo+e5xkZuR+rYnihcnJyK+6p
ZPdxGJSReig=
=Dt8j
-----END PGP SIGNATURE-----