CERT-MU AD-2009-08

Multiple Vulnerabilities in Mozilla Products

Original issue date: 17 June, 2009

Overview

Multiple vulnerabilities have been reported in Mozilla Firefox, Thunderbird and SeaMonkey which could allow a remote attacker to bypass certain security restrictions, obtain potentially sensitive information, cause a denial of service, execute arbitrary code or potentially compromise an affected system.

Description

  • Multiple memory corruption vulnerabilities in the JavaScript and browser engines

    Multiple memory corruption vulnerabilities have been reported in Mozilla Firefox, Thunderbird and SeaMonkey due to improper handling of malformed data in the JavaScript and browser engines. A remote attacker could exploit these vulnerabilities via a specially crafted HTML file to trigger a memory corruption error. Successful exploitation of these vulnerabilities could allow a remote attacker to cause a denial of service condition or execute arbitrary code.

    • Workaround

      Disable JavaScript until a version containing these fixes can be installed.

  • Unicode Character Processing URL spoofing Vulnerability

    This vulnerability is caused by an error in the handling of certain invalid Unicode characters when used as part of an IDN (Internationalized Domain Name) in the netwerk/dns/src/nsIDNService.cpp file in Mozilla Firefox and SeaMonkey. A remote attacker could exploit this vulnerability via an IDN with invalid Unicode characters that are displayed as whitespace. Successful exploitation of this vulnerability could allow a remote attacker to spoof the location bar.

  • Arbitrary domain cookie access by local file: resources Vulnerability

    This vulnerability is caused due to an error when interpreting the "file:" protocol in Mozilla Firefox and SeaMonkey. A remote attacker could exploit this vulnerability by tricking a user into downloading and opening a malicious file via the browser. Successful exploitation of this vulnerability could allow a remote attacker to access any domain's cookies saved on a vulnerable system.

  • Proxy CONNECT requests SSL tampering Vulnerability

    This vulnerability is caused by an error in the handling of non-200 responses returned by a proxy in reply to a CONNECT request in Mozilla Firefox, Thunderbird and SeaMonkey. A remote attacker could exploit this vulnerability by intercepting a CONNECT request and replying with a specially crafted non-200 HTTP response message containing malicious code. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary HTML and script code on the affected system within the context of the requested SSL-protected domain.

    Successful exploitation requires a man-in-the-middle attack and that the target user uses a proxy.

  • NPObject wrapper race condition Vulnerability

    This vulnerability is caused by a race condition in the "NPObjWrapper_NewResolve" function in the modules/plugin/base/src/nsJSNPRuntime.cpp file when accessing the properties of an NPObject (a wrapped JSObject) while navigating away from a web page that is loading a Java applet in Mozilla Firefox. A remote attacker could exploit this vulnerability by tricking a user into loading a specially crafted web page, causing already freed memory to be used. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code.

    • Workaround

      Disable Java until a version containing these fixes can be installed.

    Note: This vulnerability does not affect Firefox 2.

  • Event Listener Null Document Owner chrome privilege escalation Vulnerability

    This vulnerability is caused by an error when handling event listeners attached to an element whose owner document is null in Mozilla Firefox, Thunderbird and SeaMonkey. The owner document of an element can become null after garbage collection. A remote attacker could exploit this vulnerability via a specially crafted event handler, related to an incorrect context for this event handler. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary JavaScript code with chrome privileges.

  • file: resources Incorrect principal association Vulnerability

    This vulnerability is caused by an incorrect association of a principal when loading a "file:" resource via the location bar in Mozilla Firefox. A remote attacker could exploit this vulnerability by tricking a user into opening a specially crafted HTML document in the local file system. Successful exploitation of this vulnerability could allow a remote attacker to bypass intended access restrictions and read the contents of other local files, which would normally be protected.

  • XUL scripts content-policy checks bypass Vulnerability

    This vulnerability is caused due to an error in checking content-loading policies before loading external script files into XUL documents in Mozilla Firefox, Thunderbird and SeaMonkey. A remote attacker could exploit this vulnerability via a specially crafted HTML document to bypass intended access restrictions.

  • JavaScript chrome privilege escalation Vulnerability

    This vulnerability is caused by an error in the js/src/xpconnect/src/xpcwrappedjsclass.cpp file when a chrome-privileged object, such as the browser sidebar or the FeedWriter, interacts with web content in Mozilla Firefox, Thunderbird and SeaMonkey. A remote attacker could exploit this vulnerability to execute arbitrary code with the privileges of a chrome object.

    • Workaround

      Disable JavaScript until a version containing this fix can be installed.
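
A defensive check for the Unicode character processing URL spoofing item above, as an added example that is not part of the original advisory or Mozilla's code: it decodes each label of a hostname and flags code points that render as blank space or have no assigned glyph. The function names, the blocked category set and the sample hostnames are assumptions made for this illustration.

```python
import unicodedata

# Assumed policy for this example: general categories that have no place in a
# displayed hostname label. Separators (Z*) render as blank space, format and
# control characters (Cf, Cc) render as nothing, and unassigned, private-use
# or surrogate code points (Cn, Co, Cs) have no defined glyph.
BLOCKED_CATEGORIES = {"Zs", "Zl", "Zp", "Cf", "Cc", "Cn", "Co", "Cs"}


def decode_label(label):
    """Return the Unicode form of one DNS label, or None if it cannot be decoded.

    Uses the raw Punycode codec, so invalid code points survive for inspection.
    """
    if not label.lower().startswith("xn--"):
        return label
    try:
        return label[4:].encode("ascii").decode("punycode")
    except ValueError:  # UnicodeError is a subclass of ValueError
        return None


def suspicious_labels(hostname):
    """Return (label, reason) pairs for labels that could render deceptively."""
    findings = []
    for label in hostname.rstrip(".").split("."):
        text = decode_label(label)
        if text is None:
            findings.append((label, "undecodable Punycode"))
            continue
        for ch in text:
            category = unicodedata.category(ch)
            if category in BLOCKED_CATEGORIES:
                findings.append((label, "U+%04X (%s)" % (ord(ch), category)))
    return findings


# Constructed sample hostnames (not taken from the advisory).
SAMPLES = [
    "xn--bcher-kva.example",       # legitimate IDN label
    "bank\u2003login.example",     # EM SPACE inside a label
    "shop\u0378.example",          # unassigned code point
]

if __name__ == "__main__":
    for host in SAMPLES:
        print(repr(host), suspicious_labels(host) or "ok")
```

A mail gateway, proxy or log pipeline can use a non-empty result to fall back to showing the ASCII (xn--) form of the hostname instead of the decoded one.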

Software Affected 

• Mozilla Firefox Versions prior to 3.0.11
• Mozilla Thunderbird Versions prior to 2.0.0.22
• Mozilla SeaMonkey Versions prior to 1.1.17
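
One way to triage exposure from proxy or mail-gateway logs, as an added example that is not part of the original advisory: it extracts product/version tokens from User-Agent strings and compares them with the first fixed releases in the Software Affected list above. The log line format, the function names and the sample lines are assumptions made for this illustration.

```python
import re

# First fixed releases, from this advisory's "Software Affected" list.
FIXED_IN = {
    "Firefox": (3, 0, 11),
    "Thunderbird": (2, 0, 0, 22),
    "SeaMonkey": (1, 1, 17),
}

# Product token, dotted numeric version, optional suffix such as "pre" or "b5".
TOKEN = re.compile(r"\b(Firefox|Thunderbird|SeaMonkey)/(\d+(?:\.\d+)*)(\w*)")


def is_affected(product, numbers, suffix=""):
    """True when the version sorts before the first fixed release."""
    fixed = FIXED_IN[product]
    width = max(len(numbers), len(fixed))
    padded = tuple(numbers) + (0,) * (width - len(numbers))
    target = fixed + (0,) * (width - len(fixed))
    # A suffixed build such as 3.0.11pre precedes the 3.0.11 release.
    return padded < target or (padded == target and bool(suffix))


def affected_clients(log_lines):
    """Return sorted (client, product, version) tuples for affected clients.

    Each line is '<client> "<User-Agent>"', a format assumed for this example.
    """
    hits = set()
    for line in log_lines:
        client, _, agent = line.partition(" ")
        for product, version, suffix in TOKEN.findall(agent):
            numbers = tuple(int(part) for part in version.split("."))
            if is_affected(product, numbers, suffix):
                hits.add((client, product, version + suffix))
    return sorted(hits)


# Constructed sample log lines (not taken from the advisory).
SAMPLE_LOG = [
    '192.0.2.5 "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10"',
    '192.0.2.6 "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11"',
    '192.0.2.7 "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.21) Gecko/20090302 Thunderbird/2.0.0.21"',
    '192.0.2.8 "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.22) Gecko/20090605 SeaMonkey/1.1.17"',
    '192.0.2.9 "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.11pre) Gecko/2009051504 Firefox/3.0.11pre"',
]

if __name__ == "__main__":
    for hit in affected_clients(SAMPLE_LOG):
        print(*hit)
```

User-Agent strings can be altered by the client, so treat the result as a starting list for inventory checks, not as proof of the installed version.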

Impact

Severity Rating: High

Solution

Upgrade to Mozilla Firefox version 3.0.11
http://www.mozilla.com/firefox/

Upgrade to Mozilla SeaMonkey version 2.0.0.22
http://www.mozilla.org/projects/seamonkey/

Upgrade to Mozilla Thunderbird version 1.1.17
http://www.mozilla.com/thunderbird/

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Vendor Information

Mozilla
http://www.mozilla.org/security/announce/

CVE Name

CVE-2009-1392

CVE-2009-1832
CVE-2009-1833
CVE-2009-1834
CVE-2009-1835
CVE-2009-1836
CVE-2009-1837
CVE-2009-1838
CVE-2009-1839
CVE-2009-1840
CVE-2009-1841

References

Mozilla
http://www.mozilla.org/security/announce/2009/mfsa2009-32.html

http://www.mozilla.org/security/announce/2009/mfsa2009-31.html

http://www.mozilla.org/security/announce/2009/mfsa2009-30.html

http://www.mozilla.org/security/announce/2009/mfsa2009-29.html

http://www.mozilla.org/security/announce/2009/mfsa2009-28.html

http://www.mozilla.org/security/announce/2009/mfsa2009-27.html

http://www.mozilla.org/security/announce/2009/mfsa2009-26.html

http://www.mozilla.org/security/announce/2009/mfsa2009-25.html

http://www.mozilla.org/security/announce/2009/mfsa2009-24.html

http://www.mozilla.org/security/announce/2009/mfsa2009-23.html

Bugzilla
https://bugzilla.mozilla.org/buglist.cgi?bug_id=380359,472776,490410,429969,490513,432068,486398,489041,431086,490425,451341

https://bugzilla.mozilla.org/show_bug.cgi?id=484031

https://bugzilla.mozilla.org/buglist.cgi?bug_id=369696,426520,427196,487204

https://bugzilla.mozilla.org/show_bug.cgi?id=479413

https://bugzilla.mozilla.org/show_bug.cgi?id=491801

https://bugzilla.mozilla.org/show_bug.cgi?id=479880

https://bugzilla.mozilla.org/show_bug.cgi?id=486269

https://bugzilla.mozilla.org/show_bug.cgi?id=489131

https://bugzilla.mozilla.org/show_bug.cgi?id=479943

https://bugzilla.mozilla.org/show_bug.cgi?id=477979

https://bugzilla.mozilla.org/show_bug.cgi?id=479560

Secunia
http://secunia.com/advisories/35331/1/

SecurityFocus
http://www.securityfocus.com/bid/35326

SecurityTracker
http://www.securitytracker.com/alerts/2009/Jun/1022376.html
http://www.securitytracker.com/alerts/2009/Jun/1022377.html
http://www.securitytracker.com/alerts/2009/Jun/1022380.html
http://www.securitytracker.com/alerts/2009/Jun/1022382.html
http://www.securitytracker.com/alerts/2009/Jun/1022383.html
http://www.securitytracker.com/alerts/2009/Jun/1022386.html
http://www.securitytracker.com/alerts/2009/Jun/1022385.html
http://www.securitytracker.com/alerts/2009/Jun/1022381.html
http://www.securitytracker.com/alerts/2009/Jun/1022379.html
http://www.securitytracker.com/alerts/2009/Jun/1022384.html

VUPEN
http://www.vupen.com/english/advisories/2009/1572

 
 
Last Updated 09-Jul-2009