CIS CYBER SECURITY ADVISORIES

MS-ISAC CYBER SECURITY ADVISORY NUMBER:
2011-045

DATE(S) ISSUED:
06/22/2011

SUBJECT:
Multiple Vulnerabilities in Mozilla Products Could Allow Remote Code Execution

OVERVIEW:

Multiple vulnerabilities have been discovered in Mozilla Firefox, Thunderbird, and SeaMonkey, which could allow remote code execution. Mozilla Firefox is a web browser used to access the Internet. Mozilla Thunderbird is an email client. Mozilla SeaMonkey is a cross-platform Internet suite of tools ranging from a web browser to an email client. These vulnerabilities may be exploited if a user visits, or is redirected to, a web page, or opens a malicious file, that is specifically designed to take advantage of them. Successful exploitation of these vulnerabilities will result in either an attacker gaining the same privileges as the logged-on user, or gaining session authentication credentials. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.

SYSTEMS AFFECTED:

  • Mozilla Firefox prior to 3.6.18
  • Mozilla Firefox prior to 5.0
  • Mozilla SeaMonkey prior to 2.1
  • Mozilla Thunderbird prior to 3.1.11

RISK:

Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: High

DESCRIPTION:

Multiple vulnerabilities have been discovered in Mozilla Firefox, Thunderbird, and SeaMonkey. Details of these vulnerabilities are as follows:

Miscellaneous memory safety hazards (MFSA 2011-19)
Multiple memory corruption vulnerabilities were found in the browser engine used in Firefox and other Mozilla-based products that could allow an attacker to execute remote code in the context of the affected application. This issue affects Firefox and Thunderbird.

Use-after-free vulnerability when viewing XUL document with script disabled (MFSA 2011-20)
Viewing a specially crafted XUL document while JavaScript is disabled could allow deleted memory to be accessed. An attacker could use this to crash the victim's browser and potentially run arbitrary code in the context of the affected application. This issue affects Firefox, SeaMonkey and Thunderbird.

Memory corruption due to multipart/x-mixed-replace images (MFSA 2011-21)
A memory corruption vulnerability found in the browser engine used in Firefox and other Mozilla-based products that could allow an attacker to execute remote code in the context of the affected application when parsing specially crafted 'multipart/x-mixed-replace' images. This issue affects Firefox, SeaMonkey and Thunderbird.

Integer overflow and arbitrary code execution in Array.reduceRight() (MFSA 2011-22)
When a JavaScript Array object's length is set to an extremely large value, the iteration over array elements that occurs when the reduceRight method is subsequently called could result in the execution of attacker-controlled memory, because an invalid index value is used to access element properties. This issue affects Firefox, SeaMonkey and Thunderbird.

Multiple dangling pointer vulnerabilities (MFSA 2011-23)
Three vulnerabilities (two affecting SVG files and one affecting XUL documents) were found involving dangling pointers. When parsing SVG path segment objects, if a user-supplied callback deletes such an object, the element-modifying code could access deleted memory and potentially execute attacker-supplied code. Additionally, a specially crafted XUL document could result in the execution of deleted memory, which an attacker could use to run arbitrary code on a victim's computer. This issue affects Firefox, SeaMonkey and Thunderbird. This issue did not affect Firefox 4 or newer products.

Cookie isolation error (MFSA 2011-24)
Cookies set for example.com. (note the trailing dot) and example.com were treated as interchangeable. This is a violation of same-origin conventions and could lead to leakage of cookie data to the wrong party. This issue affects Firefox, SeaMonkey and Thunderbird. This issue does not affect Firefox 4 or newer products.
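The following is an added illustration of the host-matching mistake described above; it is not code from this advisory or from Mozilla. It models a tiny cookie jar with two host canonicalization rules: a flawed one that strips the trailing dot (so example.com. and example.com share cookies) and a corrected one that keeps the two spellings distinct. Host names, cookie names and values are constructed for the example.

```javascript
// Added example, not code from the MS-ISAC advisory or from Mozilla.
// A minimal cookie jar that models the host-matching mistake in MFSA 2011-24:
// a cookie scoped to "example.com." (trailing dot) must not be sent to
// "example.com". Host names, cookie names and values are constructed.

// Flawed canonicalization: strips a trailing dot, so "example.com." and
// "example.com" collapse to the same key and share cookies.
function canonicalHostFlawed(host) {
  return host.toLowerCase().replace(/\.$/, "");
}

// Corrected canonicalization: only lower-cases. A trailing dot remains part
// of the host name, so the two spellings are distinct origins.
function canonicalHostFixed(host) {
  return host.toLowerCase();
}

// Domain matching in the style of RFC 6265 section 5.1.3: the request host
// either equals the cookie's domain or ends with "." followed by it. Both
// arguments are expected to be already canonicalized.
function domainMatches(requestHost, cookieDomain) {
  return requestHost === cookieDomain || requestHost.endsWith("." + cookieDomain);
}

// Cookie store keyed by a Domain attribute (domain cookies only; host-only
// cookies would need an exact-match rule instead of domainMatches).
class CookieJar {
  constructor(canonicalize) {
    this.canonicalize = canonicalize;
    this.cookies = [];
  }

  // Record a cookie with the given Domain attribute.
  set(domainAttr, name, value) {
    this.cookies.push({ name, value, domain: this.canonicalize(domainAttr) });
  }

  // The "name=value" pairs that would be sent on a request to requestHost.
  cookiesFor(requestHost) {
    const host = this.canonicalize(requestHost);
    return this.cookies
      .filter((c) => domainMatches(host, c.domain))
      .map((c) => `${c.name}=${c.value}`);
  }
}

// Scenario from the advisory: a cookie is set for "example.com." and a request
// is then made to "example.com". With the flawed rule the cookie leaks to the
// other host; with the fixed rule it does not.
function trailingDotLeak(canonicalize) {
  const jar = new CookieJar(canonicalize);
  jar.set("example.com.", "session", "abc123");
  return jar.cookiesFor("example.com");
}

// Sanity checks that the corrected rule still behaves normally for hosts
// without a trailing dot: case-insensitive match, subdomain match, and no
// match for a look-alike host that merely ends in the same letters.
function normalMatching() {
  const jar = new CookieJar(canonicalHostFixed);
  jar.set("example.com", "pref", "dark");
  return {
    sameHost: jar.cookiesFor("EXAMPLE.com"),
    subdomain: jar.cookiesFor("www.example.com"),
    lookalike: jar.cookiesFor("notexample.com"),
  };
}

console.log("flawed:", trailingDotLeak(canonicalHostFlawed)); // ["session=abc123"]
console.log("fixed: ", trailingDotLeak(canonicalHostFixed));  // []
console.log(normalMatching());
```

The point of the suffix rule is that it must operate on the host name exactly as the browser resolved it; any "helpful" normalization applied before the comparison widens the set of hosts that receive the cookie, which is precisely what the advisory describes.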

Multiple WebGL crashes (MFSA 2011-26)
Two vulnerabilities exist in the WebGL code. The first is an out-of-bounds read that could be used to read data belonging to other processes that store data on the GPU. The second is an invalid write that could be used to execute arbitrary code. Exploitation may occur if a user visits or is redirected to a web page, or receives a specially crafted email, designed to take advantage of these vulnerabilities. When an unsuspecting user visits the malicious site or views the email, the exploit will be triggered, resulting in various unwanted actions being taken in the context of the targeted application. This issue affects Firefox. This issue does not affect versions of Firefox prior to the introduction of WebGL in Firefox 4.

XSS encoding hazard with inline SVG (MFSA 2011-27)
This vulnerability is due to HTML-encoded entities being improperly decoded when displayed inside SVG elements, which could lead to XSS attacks on sites that rely on HTML encoding of user-supplied content. Exploitation may occur if a user visits or is redirected to a web page, or receives a specially crafted email, designed to take advantage of this vulnerability. This issue affects Firefox. This issue does not affect versions of Firefox prior to the introduction of inline SVG in Firefox 4.

Non-whitelisted site can trigger xpinstall (MFSA 2011-28)
It is possible for non-whitelisted sites to trigger an install dialog for add-ons and themes. Exploitation may occur if a user visits or is redirected to a web page, or receives a specially crafted email, designed to take advantage of this vulnerability. This issue affects Firefox.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Upgrade vulnerable Mozilla products immediately after appropriate testing.
  • Remind users not to download or open files from untrusted websites.
  • Remind users not to open e-mail attachments from unknown users or suspicious e-mails.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

REFERENCES:

Mozilla:
http://www.mozilla.org/security/announce/2011/mfsa2011-19.html
http://www.mozilla.org/security/announce/2011/mfsa2011-20.html
http://www.mozilla.org/security/announce/2011/mfsa2011-21.html
http://www.mozilla.org/security/announce/2011/mfsa2011-22.html
http://www.mozilla.org/security/announce/2011/mfsa2011-23.html
http://www.mozilla.org/security/announce/2011/mfsa2011-24.html
http://www.mozilla.org/security/announce/2011/mfsa2011-26.html
http://www.mozilla.org/security/announce/2011/mfsa2011-27.html
http://www.mozilla.org/security/announce/2011/mfsa2011-28.html

Security Focus:
http://www.securityfocus.com/bid/48354
http://www.securityfocus.com/bid/48357
http://www.securityfocus.com/bid/48358
http://www.securityfocus.com/bid/48360
http://www.securityfocus.com/bid/48361
http://www.securityfocus.com/bid/48365
http://www.securityfocus.com/bid/48366
http://www.securityfocus.com/bid/48369
http://www.securityfocus.com/bid/48380

Zero Day Initiative:
http://www.zerodayinitiative.com/advisories/ZDI-11-223/
http://www.zerodayinitiative.com/advisories/ZDI-11-224/
http://www.zerodayinitiative.com/advisories/ZDI-11-225/

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0083
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0085
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2362
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2363
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2364
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2365
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2367
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2368
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2369
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2370
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2371
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2373
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2374
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2375
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2376
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2377