CIS CYBER SECURITY ADVISORIES
MS-ISAC CYBER SECURITY ADVISORY NUMBER:
Multiple Vulnerabilities in Mozilla Products Could Allow Remote Code Execution
Multiple vulnerabilities have been discovered in the Mozilla Firefox, Mozilla Thunderbird and Mozilla SeaMonkey applications which could allow remote code execution. Mozilla Firefox is a web browser used to access the Internet. Mozilla Thunderbird is an email client. Mozilla SeaMonkey is a cross-platform Internet suite of tools ranging from a web browser to an email client.
These vulnerabilities may be exploited if a user visits, or is redirected to, a web page or opens a malicious file that is specifically designed to take advantage of these vulnerabilities. Successful exploitation of these vulnerabilities will result in either an attacker gaining the same privileges as the logged on user, or gaining session authentication credentials. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploit attempts may result in a denial-of-service condition.
- Mozilla Firefox 3.5.0 - 3.5.12
- Mozilla Firefox 3.6 - 3.6.10
- Mozilla SeaMonkey 2.0 - 2.0.7
- Mozilla Thunderbird 3.0 - 3.0.7
- Mozilla Thunderbird 3.1.1 - 3.1.4
- Large and medium government entities: High
- Small government entities: High
- Large and medium business entities: High
- Small business entities: High
- Home users: High
Multiple vulnerabilities have been discovered in Mozilla Firefox, Mozilla Thunderbird, and Mozilla SeaMonkey. Details of these vulnerabilities are as follows:
Miscellaneous memory safety hazards (MFSA 2010-64)
Multiple memory-corruption vulnerabilities have been identified in the browser engine.
Buffer overflow and memory corruption using document.write (MFSA 2010-65)
A vulnerability has been identified as a result of an excessively long string that is passed to 'document.write'.
Use-after-free error in nsBarProp (MFSA 2010-66)
A use-after-free error affects the 'locationbar' property of a closed window object.
Dangling pointer vulnerability in LookupGetterOrSetter (MFSA 2010-67)
A dangling pointer issue affects the 'LookupGetterOrSetter()' function of 'js3250.dll' when called with no arguments.
XSS in gopher parser when parsing hrefs (MFSA 2010-68)
A cross-site scripting vulnerability has been identified in Mozilla Firefox and SeaMonkey in the Gopher parser when processing 'hrefs'.
Cross-site information disclosure via modal calls (MFSA 2010-69)
A cross-domain information disclosure vulnerability affecting 'modal' calls has been reported in multiple Mozilla products.
SSL wildcard certificate matching IP addresses (MFSA 2010-70)
It has been reported that if an SSL certificate is created with a common name containing a wildcard followed by a partial IP address, a valid SSL connection could be established with a server whose IP address matched the wildcard range.
Unsafe library loading vulnerabilities (MFSA 2010-71)
Multiple Mozilla products have been reported as unsafely loading external libraries from the current working directory. An attacker can take advantage of this vulnerability by placing a malicious DLL in the current working directory.
Insecure Diffie-Hellman key exchange (MFSA 2010-72)
A vulnerability has been identified in the SSL implementation when using the Diffie-Hellman Ephemeral (DHE) mode.
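The certificate name check described under MFSA 2010-70 above, shown as an added example (not Mozilla's code and not part of the original advisory): a label-by-label wildcard matcher that accepts an IP address, beside a hardened form that applies wildcards to DNS names only. The function names, the sample certificate names and the rule that "*" is allowed only as the whole left-most label are assumptions made for illustration.

```python
import ipaddress

def _as_ip(name):
    """Return an ip_address object if name is an IP literal, else None."""
    try:
        return ipaddress.ip_address(name.strip("[]"))
    except ValueError:
        return None

def naive_match(pattern, host):
    """Weak form: label-by-label wildcard match that never asks what host is."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and all(a == "*" or a == b for a, b in zip(p, h))

def strict_match(pattern, host):
    """Hardened form: wildcards cover DNS names only, IP literals match exactly."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    host_ip = _as_ip(host)
    if host_ip is not None:
        # A wildcard pattern is not an IP literal, so it can never match here.
        return _as_ip(pattern) == host_ip
    p, h = pattern.split("."), host.split(".")
    if len(p) != len(h):
        return False
    # Conservative assumption: "*" only as the complete left-most label.
    if any("*" in label for label in p[1:]) or ("*" in p[0] and p[0] != "*"):
        return False
    return all(a == "*" or a == b for a, b in zip(p, h))

# Constructed samples: (certificate name, name the client connected to).
SAMPLES = [
    ("*.0.2.10", "192.0.2.10"),
    ("*.example.com", "www.example.com"),
    ("192.0.2.10", "192.0.2.10"),
    ("*.example.com", "a.b.example.com"),
]

def compare(samples=SAMPLES):
    """Return (pattern, host, naive result, strict result) for each sample."""
    return [(p, h, naive_match(p, h), strict_match(p, h)) for p, h in samples]

if __name__ == "__main__":
    for row in compare():
        print("%-16s %-18s naive=%-5s strict=%s" % row)
```

Only the first sample separates the two matchers: the weak form accepts the wildcard against the IP address, the hardened form rejects it.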
Successful exploitation of these vulnerabilities will result in either an attacker gaining the same privileges as the logged on user, or gaining session authentication credentials. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploit attempts may result in a denial-of-service condition.
We recommend the following actions be taken:
- Upgrade Mozilla products as needed immediately after appropriate testing.
- Remind users not to open e-mail attachments from unknown users or suspicious e-mails from un-trusted sources.
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
- Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.