CIS CYBER SECURITY ADVISORIES

MS-ISAC CYBER SECURITY ADVISORY NUMBER:
2011-070

DATE(S) ISSUED:
11/09/2011

SUBJECT:
Multiple Mozilla Firefox and Thunderbird Vulnerabilities Could Allow for Remote Code Execution

OVERVIEW:

Multiple vulnerabilities have been discovered in the Mozilla Firefox and Thunderbird applications, which could allow remote code execution. Mozilla Firefox is a web browser used to access the Internet. Mozilla Thunderbird is an email client. These vulnerabilities may be exploited if a user visits, or is redirected to, a specially crafted web page.

Successful exploitation of these vulnerabilities will result in either an attacker gaining the same privileges as the logged-on user, or gaining session authentication credentials. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.

SYSTEMS AFFECTED:

  • Firefox versions prior to 3.6.23
  • Firefox versions prior to 7
  • Thunderbird versions prior to 3.1.6
  • Thunderbird versions prior to 7

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: High

DESCRIPTION:
Multiple vulnerabilities have been discovered in Mozilla Firefox and Thunderbird. Details of these vulnerabilities are as follows:

Security Bypass Vulnerability
A Security Bypass Vulnerability occurs when add-ons fail to properly use 'XPCNativeWrappers' in the 'loadSubScript()' function. XPCNativeWrapper is a way to wrap an object so that it's safe to access from privileged code.

Information Disclosure Vulnerability
When using Windows D2D hardware acceleration, image data from one domain could be inserted into a canvas and read by a different domain.

Information Disclosure Vulnerability
An information disclosure vulnerability occurs when an image generated with the Intel Integrated GPU driver on recent Mac OS X hardware is displayed in the WebGL (Web-based Graphics Library) component of Mozilla products. Once the image is incorporated into WebGL, it is possible for a site to programmatically read the image data.

XSS-injection Vulnerability
When using Windows D2D hardware acceleration, image data from one domain could be inserted into a canvas and read by a different domain.

Privilege Escalation Vulnerability
A privilege escalation vulnerability may result if the internal privilege check fails to respect the 'NoWaiverWrappers' introduced with Firefox 4.

Remote Memory Corruption Vulnerability
A memory corruption vulnerability exists when using Firebug to profile a JavaScript file with a large number of functions.

Multiple Memory Corruption Vulnerabilities
Multiple unspecified memory corruption vulnerabilities are fixed in Firefox 8.0 and Thunderbird 8.0.

Remote Memory Corruption Vulnerability
A memory corruption vulnerability that occurs when an SVG '<mpath>' links to a non-SVG element is fixed in Firefox 8.0 and Thunderbird 8.0.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Upgrade vulnerable Mozilla products immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

 

REFERENCES:

Mozilla:
http://www.mozilla.org/security/announce/2011/mfsa2011-46.html
http://www.mozilla.org/security/announce/2011/mfsa2011-47.html
http://www.mozilla.org/security/announce/2011/mfsa2011-48.html
http://www.mozilla.org/security/announce/2011/mfsa2011-49.html
http://www.mozilla.org/security/announce/2011/mfsa2011-50.html
http://www.mozilla.org/security/announce/2011/mfsa2011-51.html
http://www.mozilla.org/security/announce/2011/mfsa2011-52.html

CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3647
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3653
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3648
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3649
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3650
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3651
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3654
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3655