CERT-MU
AD-2011-51
Mozilla Firefox / Thunderbird Multiple Vulnerabilities
Original issue date: November 08, 2011
Updated: November 28, 2011
Severity: High
Overview
Multiple vulnerabilities have been identified in Mozilla Firefox / Thunderbird. They can be exploited by remote attackers to execute arbitrary code in the context of the affected application. Unsuccessful attempts can lead to a denial of service condition. Mozilla has released an update to address these vulnerabilities.
Description
Multiple vulnerabilities have been identified in Mozilla Firefox / Thunderbird. These vulnerabilities can be exploited by remote attackers to execute arbitrary code on vulnerable systems, bypass security restrictions, conduct cross-site scripting attacks and gain privileges. Unsuccessful attempts can lead to a denial of service condition. Mozilla has issued an update to address these vulnerabilities. The issues reported are as follows:
- A cross-site scripting vulnerability in Mozilla Firefox / Thunderbird can allow remote attackers to inject arbitrary web script or HTML via crafted text with Shift JIS encoding.
- Mozilla Firefox / Thunderbird do not properly handle JavaScript files that contain many functions, which can enable remote attackers to cause a denial of service or have other unspecified impact via a crafted file that is accessed by debugging APIs.
- Multiple unspecified errors can be exploited by remote attackers to cause a denial of service or execute arbitrary code via unknown vectors.
- Improper interaction with the GPU memory behavior of a certain driver for Intel integrated GPUs can allow remote attackers to bypass the Same Origin Policy and read image data via vectors related to WebGL textures.
- Mozilla Firefox / Thunderbird do not correctly handle links from SVG mpath elements to non-SVG elements.
- Mozilla Firefox / Thunderbird perform access control without checking for use of the NoWaiverWrapper wrapper, which can allow remote attackers to gain privileges via a crafted web site.
Affected Systems
- Ubuntu Ubuntu Linux 11.10 i386
- Ubuntu Ubuntu Linux 11.10 amd64
- Ubuntu Ubuntu Linux 11.04 powerpc
- Ubuntu Ubuntu Linux 11.04 i386
- Ubuntu Ubuntu Linux 11.04 ARM
- Ubuntu Ubuntu Linux 11.04 amd64
- SuSE openSUSE 11.4
- Mozilla Thunderbird 7.0
- Mozilla Thunderbird 6
- Mozilla Thunderbird 5
- Mozilla Firefox 7
- Mozilla Firefox 6
- Mozilla Firefox 5.0
- Mozilla Firefox 4.0
- Mandriva Linux Mandrake 2011 x86_64
- Mandriva Linux Mandrake 2011
- Mandriva Linux Mandrake 2010.1 x86_64
- Mandriva Linux Mandrake 2010.1
- MandrakeSoft Enterprise Server 5 x86_64
- MandrakeSoft Enterprise Server 5
Solution
Users are advised to apply updates.
More information about the update is available on:
http://www.securityfocus.com/bid/50602/solution
CVE Information
CVE-2011-3648
CVE-2011-3650
CVE-2011-3651
CVE-2011-3652
CVE-2011-3653
CVE-2011-3654
CVE-2011-3655
References
Security Focus
http://www.securityfocus.com/bid/50602/info
Secunia
http://secunia.com/advisories/46978/
Mozilla Foundation Security Advisory
http://www.mozilla.org/security/announce/2011/mfsa2011-48.html
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
E-mail:

Postal address
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
7th Floor, Stratton Court
La Poudriere Street
Port Louis