CIS CYBER SECURITY ADVISORIES
MS-ISAC CYBER SECURITY ADVISORY NUMBER:
Multiple Vulnerabilities in Mozilla Products Could Allow Remote Code Execution
Multiple vulnerabilities have been discovered in Mozilla Firefox, Thunderbird, and SeaMonkey applications, which could allow remote code execution. Mozilla Firefox is a web browser used to access the Internet. Mozilla Thunderbird is an email client. Mozilla SeaMonkey is a cross platform Internet suite of tools ranging from a web browser to an email client.Successful exploitation of these vulnerabilities could result in either an attacker gaining the same privileges as the logged on user, or gaining session authentication credentials. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.
- Firefox versions prior to 12.0
- Firefox Mobile versions prior to 10.0.4
- Thunderbird versions prior to 12.0
- SeaMonkey versions prior to 2.9
- Large and medium government entities: High
- Small government entities: High
- Large and medium business entities: High
- Small business entities: High
Home users: High
Multiple vulnerabilities have been discovered in Mozilla Firefox, Thunderbird, and SeaMonkey. The details of these vulnerabilities are as follows:
Miscellaneous Memory Safety Hazards (MFSA2012-20)
Several unspecified memory safety vulnerabilities have been discovered in Firefox, Thunderbird, and SeaMonkey. Some of these vulnerabilities show evidence of memory corruption under certain circumstances, and could be exploited to run arbitrary code. (CVE-2012-0467)
Multiple Security Flaws in FreeType v2.4.9 (MFSA2012-21)
A series of unspecified memory safety bugs in the FreeType library for Firefox Mobile versions prior to 10.0.4 have been discovered. Successful exploitation could result in remote code execution. (CVE-2012-1126 â€“ CVE-2012-1144)
IDBKeyRange Use After Free (MFSA2012-22)
A vulnerability exists in Mozilla products due to the improper handling of 'IDBKeyRange'. Successful exploitation could result in remote code execution. (CVE-2012-0469)
Invalid Frees Causes Heap Corruption in "gfxImageSurface" (MFSA2012-23)
A heap corruption vulnerability exists in 'gfxImageSurface' which allows for invalid frees and possible remote code execution. This occurs due to a float error resulting from graphics values being passed through different number systems. Successful exploitation could result in remote code execution. (CVE-2012-0470)
Cross-Site Scripting via Multi-Byte Content Processing Errors (MFSA2012-24)
A multi-octet encoding issue exists in Mozilla products where certain octets will destroy the following octets in the processing of some multi-byte character sets. This could leave users vulnerable to cross-site scripting attacks on specially crafted web pages. (CVE-2012-0471)
Memory Corruption During Font Rendering (MFSA2012-25)
A memory corruption vulnerability exists on Mozilla products installed on Windows Vista and Windows 7 systems with hardware acceleration disabled or using incompatible video drivers. This vulnerability exists due to 'cairo-dwrite' attempting to render fonts on an unsupported code path. Successful exploitation could result in remote code execution. (CVE-2012-0472)
WebGL.drawElements May Read Illegal Video Memory (MFSA2012-26)
A vulnerability exists in the 'FindMaxElementInSubArray' due to the reception of improper arguments from 'FindMaxUshortElement'. This issue causes maximum index to be computed incorrectly within 'WebGL.drawElements', allowing the reading of illegal video memory. Successful exploitation could allow information disclosure or code injection. (CVE-2012-0473)
Page Load Short-Circuit can Lead to Cross-Site Scripting (MFSA2012-27)
A vulnerability exists in Mozilla products that could cause web page loads to show the address of a different site than what is loaded in the window in the address bar. Successful exploitation could result in cross-site scripting attacks. (CVE-2012-0474)
Ambiguous IPv6 in Origin Headers May Bypass Web Server Access Restrictions (MFSA2012-28)
A security bypass vulnerability exists in Mozilla products when a web server opens a socket on a non-standard port for web traffic while using an IPv6 address. The browser will send ambiguous origin headers if the IPv6 address contains at least two consecutive 16-bit fields of zeroes. If there is an origin access control list that uses IPv6 literals, this issue could be used to bypass these access controls on the server. (CVE-2012-0475)
Potential Cross-Site Scripting Through Decoding Issues (MFSA2012-29)
A vulnerability exists in Mozilla products during the decoding of ISO-2022-KR and ISO-2022-CN character sets. Characters near 1024 bytes are treated incorrectly. On certain web pages it might be possible for an attacker to pad the output of the page such that these errors fall in the right place to affect the structure of the page, allowing for cross-site scripting. (CVE-2012-0477)
Crash with WebGL Content Using 'textImage2D' (MFSA2012-30)
An image rendering issue exists in Mozilla products 'WebGL' when 'texImage2D' uses 'JSVAL_TO_OBJECT' on arbitrary objects. This can lead to a crash on a specially crafted web page potentially resulting in remote code execution. (CVE-2012-0478)
Off-by-one Error in OpenType Sanitizer (MFSA2012-31)
An off-by-one error exists in the OpenType Sanitizer using the Address Sanitizer tool. This can lead to an out-of-bounds read and execution of an uninitialized function pointer during parsing resulting in possible remote code execution. (CVE-2011-3062)
Potential Site Identity Spoofing When Loading RSS and Atom feeds (MFSA2012-33)
A vulnerability exists in Mozilla products if specially crafted RSS or Atom XML content is loaded over HTTPS. The address bar updates to display the new location of the loaded resource, including SSL indicators, while the main window still displays the previously loaded content. This allows for phishing attacks where a malicious page can spoof the identify of another seemingly secure site. (CVE-2012-0479)
These vulnerabilities may be exploited if a user visits a maliciously crafted web page. Successful exploitation could result in an attacker gaining user level privileges. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
We recommend the following actions be taken:
- Upgrade vulnerable Mozilla products immediately after appropriate testing.
- Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
- Do not open email attachments or click on URLs from unknown or untrusted sources.
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.