MS-ISAC ADVISORY NUMBER:
Multiple Vulnerabilities in Mozilla Products Could Allow Remote Code Execution
Multiple vulnerabilities have been discovered in Mozilla Firefox, Thunderbird, and SeaMonkey applications, which could allow remote code execution. Mozilla Firefox is a web browser used to access the Internet. Mozilla Thunderbird is an email client. Mozilla SeaMonkey is a cross-platform Internet suite of tools ranging from a web browser to an email client. These vulnerabilities may be exploited if a user visits, or is redirected to, a web page or opens a malicious file that is specifically designed to take advantage of these vulnerabilities. Successful exploitation of these vulnerabilities will result in either an attacker gaining the same privileges as the logged-on user, or gaining session authentication credentials. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.
- Mozilla Firefox prior to 3.6.18
- Mozilla Firefox prior to 5.0
- Mozilla SeaMonkey prior to 2.1
- Mozilla Thunderbird prior to 3.1.11
- Large and medium government entities: High
- Small government entities: High
- Large and medium business entities: High
- Small business entities: High
- Home users: High
Multiple vulnerabilities have been discovered in Mozilla Firefox, Thunderbird, and SeaMonkey. Details of these vulnerabilities are as follows:
Miscellaneous memory safety hazards (MFSA 2011-19)
Multiple memory corruption vulnerabilities were found in the browser engine used in Firefox and other Mozilla-based products that could allow an attacker to execute remote code in the context of the affected application. This issue affects Firefox and Thunderbird.
Use-after-free vulnerability when viewing XUL document with script disabled (MFSA 2011-20)
Memory corruption due to multipart/x-mixed-replace images (MFSA 2011-21)
A memory corruption vulnerability was found in the browser engine used in Firefox and other Mozilla-based products that could allow an attacker to execute remote code in the context of the affected application when parsing specially crafted 'multipart/x-mixed-replace' images. This issue affects Firefox, SeaMonkey and Thunderbird.
Integer overflow and arbitrary code execution in Array.reduceRight() (MFSA 2011-22)
Multiple dangling pointer vulnerabilities (MFSA 2011-23)
Three vulnerabilities (two affecting SVG files and one affecting XUL documents) were found involving multiple dangling pointers. When parsing SVG path segment objects, if a user-supplied callback deletes such an object, the element-modifying code could access deleted memory and potentially execute attacker-supplied code. Additionally, a specially crafted XUL document could result in the execution of deleted memory that an attacker could use to run arbitrary code on a victim's computer. This issue affects Firefox, SeaMonkey and Thunderbird. This issue did not affect Firefox 4 or newer products.
Cookie isolation error (MFSA 2011-24)
Cookies set for "example.com." (note the trailing dot) and "example.com" were treated as interchangeable. This is a violation of same-origin conventions and could potentially lead to leakage of cookie data to the wrong party. This issue affects Firefox, SeaMonkey and Thunderbird. This issue does not affect Firefox 4 or newer products.
Multiple WebGL crashes (MFSA 2011-26)
Two vulnerabilities exist in the WebGL code. The first vulnerability is the result of an out-of-bounds read error that could be used to read data from other processes storing data in the GPU. The second vulnerability is the result of an invalid write that could be used to execute arbitrary code. Exploitation may occur if a user visits or is redirected to a web page, or receives a specially crafted email, which is specifically crafted to take advantage of these vulnerabilities. When an unsuspecting user visits the malicious site or views the email, the exploit will be triggered, resulting in various unwanted actions being taken in the context of the targeted application. This issue affects Firefox. This issue does not affect versions of Firefox prior to the introduction of WebGL in Firefox 4.
XSS encoding hazard with inline SVG (MFSA 2011-27)
This vulnerability is due to HTML-encoded entities being improperly decoded when displayed inside SVG elements, which could lead to XSS attacks on sites relying on HTML encoding of user-supplied content. Exploitation may occur if a user visits or is redirected to a web page, or receives a specially crafted email, which is specifically crafted to take advantage of these vulnerabilities. This issue affects Firefox. This issue does not affect versions of Firefox prior to the introduction of inline SVG in Firefox 4.
Non-whitelisted site can trigger xpinstall (MFSA 2011-28)
It is possible for non-whitelisted sites to trigger an install dialog for add-ons and themes. Exploitation may occur if a user visits or is redirected to a web page, or receives a specially crafted email, which is designed to take advantage of these vulnerabilities. This issue affects Firefox.
We recommend the following actions be taken:
- Upgrade vulnerable Mozilla products immediately after appropriate testing.
- Remind users not to download or open files from untrusted websites.
- Remind users not to open e-mail attachments from unknown users or suspicious e-mails.
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
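
One way to act on the upgrade recommendation is to check a software inventory against the affected-version list above. The following is an added example, not part of the original advisory: the inventory rows, host names and function names are constructed, and the two Firefox entries are read as two release branches (3.6.x fixed in 3.6.18, 4.x fixed in 5.0), which is an assumption.

```python
import re

# Vulnerable ranges [low, fixed) built from the advisory's affected-versions list.
# Assumption: the two Firefox entries describe two branches, 3.6.x and 4.x.
RANGES = {
    "firefox": [((0, 0, 0), (3, 6, 18)), ((4, 0, 0), (5, 0, 0))],
    "seamonkey": [((0, 0, 0), (2, 1, 0))],
    "thunderbird": [((0, 0, 0), (3, 1, 11))],
}

def parse_version(text):
    """Return an integer tuple padded to 3 parts, or None if not dotted-numeric.

    Pre-release strings such as '5.0b2' return None so they are reviewed by
    hand instead of being silently treated as the fixed release.
    """
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){0,3}", text):
        return None
    parts = [int(p) for p in text.split(".")]
    parts += [0] * (3 - len(parts))  # '5' -> (5, 0, 0) so it compares equal to 5.0
    return tuple(parts)

def classify(product, version):
    """Return 'vulnerable', 'not_affected' or 'unknown' for one install."""
    key = re.sub(r"[\s_-]+", "", product.lower())
    key = re.sub(r"^mozilla", "", key)  # 'Mozilla Sea Monkey' -> 'seamonkey'
    ranges = RANGES.get(key)
    parsed = parse_version(version)
    if ranges is None or parsed is None:
        return "unknown"
    if any(low <= parsed < fixed for low, fixed in ranges):
        return "vulnerable"
    return "not_affected"  # outside the ranges this advisory lists

def audit(inventory):
    """Attach a status to each (host, product, version) row."""
    return [(h, p, v, classify(p, v)) for h, p, v in inventory]

# Constructed sample inventory (hypothetical hosts).
INVENTORY = [
    ("ws-01", "Mozilla Firefox", "3.6.17"),
    ("ws-02", "Firefox", "3.6.18"),
    ("ws-03", "Firefox", "4.0.1"),
    ("ws-04", "Firefox", "5"),
    ("ws-05", "Mozilla Sea Monkey", "2.0.14"),
    ("ws-06", "Thunderbird", "3.1.11"),
    ("ws-07", "Thunderbird", "5.0b2"),
]

if __name__ == "__main__":
    for row in audit(INVENTORY):
        print("%-6s %-20s %-8s %s" % row)
```

Rows reported as `unknown` (unrecognized product names or pre-release version strings) need manual review rather than being assumed safe.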