CIS CYBER SECURITY ADVISORIES
MS-ISAC CYBER SECURITY ADVISORY NUMBER:
Multiple Vulnerabilities in Mozilla Products Could Allow Remote Code Execution
Multiple vulnerabilities have been discovered in Mozilla Firefox, Thunderbird, and SeaMonkey applications, which could allow remote code execution. Mozilla Firefox is a web browser used to access the Internet. Mozilla Thunderbird is an email client. Mozilla SeaMonkey is a cross-platform Internet suite of tools ranging from a web browser to an email client. Successful exploitation of these vulnerabilities could result in either an attacker gaining the same privileges as the logged-on user, or gaining session authentication credentials. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.
- Firefox versions prior to 25.0
- Firefox Extended Support Release (ESR) versions prior to 17.0.10
- Thunderbird versions prior to 24.1
- Thunderbird Extended Support Release (ESR) versions prior to 17.0.10
- SeaMonkey versions prior to 2.22
- Large and medium government entities: High
- Small government entities: High
- Large and medium business entities: High
- Small business entities: High
- Home users: High
Multiple vulnerabilities have been discovered in Mozilla Firefox, Thunderbird, and SeaMonkey. The details of these vulnerabilities are as follows:
- A use-after-free vulnerability occurs due to an error in the HTML document templates. Specifically, this issue affects the 'nsContentUtils::ContentIsHostIncludingDescendantOf()' function. This leads to a potentially exploitable crash. [CVE-2013-5603] [MFSA 2013-102]
- Multiple use-after-free vulnerabilities occur due to missing strong references in the browsing engine. Specifically, these issues affect the 'nsIPresShell::GetPresContext()', 'nsIOService::NewChannelFromURIWithProxyFlags()' and 'nsEventListenerManager::SetEventHandler()' functions. This leads to a potentially exploitable crash. [CVE-2013-5599, CVE-2013-5600, CVE-2013-5601] [MFSA 2013-100]
- A use-after-free vulnerability occurs due to an error in the state change events when updating the offline cache. Specifically, this issue affects the 'nsDocLoader::doStopDocumentLoad()' function. This leads to a potentially exploitable crash. [CVE-2013-5597] [MFSA 2013-98]
- A denial-of-service vulnerability occurs due to a race-condition error when a cycle-collected image object is released on the wrong thread during decoding. An attacker can exploit this issue to crash extremely large pages, causing a denial-of-service condition. This leads to a potentially exploitable crash. [CVE-2013-5596] [MFSA 2013-97]
- A denial-of-service vulnerability occurs due to an access-violation error with uninitialized data during Extensible Stylesheet Language Transformations (XSLT) processing. Specifically, this issue affects the 'txXPathNodeUtils::getBaseURI()' function. This leads to a potentially exploitable crash. [CVE-2013-5604] [MFSA 2013-95]
- A URI-spoofing vulnerability occurs because the application fails to validate user-supplied input submitted to the SELECT element. This may allow attackers to conduct spoofing attacks by using a specially crafted URI. [CVE-2013-5593] [MFSA 2013-94]
- Several memory safety bugs exist in the browser engine, some of which showed evidence of memory-corruption vulnerabilities. [CVE-2013-5592, CVE-2013-5591, CVE-2013-5590] [MFSA 2013-93]
Successful exploitation of these vulnerabilities could result in either an attacker gaining the same privileges as the logged-on user, or gaining session authentication credentials. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.
We recommend the following actions be taken:
- Upgrade vulnerable Mozilla products immediately after appropriate testing.
- Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
- Do not open email attachments or click on URLs from unknown or untrusted sources.
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
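To prioritize the upgrade recommendation, installed versions can be compared with the fixed versions listed above. The following is an added example, not part of the original advisory: it assumes a software inventory of (host, product, version) records in which ESR builds carry an "esr" suffix, and the host names and versions are constructed. ESR builds from a branch later than 17 are reported as "unlisted" rather than assumed fixed, because the advisory gives no threshold for them.

```python
import re

# First fixed version per (product, is_esr), from the advisory's affected-versions list.
FIXED = {
    ("firefox", False): (25, 0),
    ("firefox", True): (17, 0, 10),
    ("thunderbird", False): (24, 1),
    ("thunderbird", True): (17, 0, 10),
    ("seamonkey", False): (2, 22),
}

def parse_version(text):
    """Split '17.0.9esr' into ((17, 0, 9), True); the 'esr' suffix is an assumed inventory format."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)*)\s*(esr)?\s*", text, re.IGNORECASE)
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split(".")), m.group(2) is not None

def classify(product, version_text):
    """Return 'affected', 'fixed' or 'unlisted' for one installed product."""
    version, esr = parse_version(version_text)
    fixed = FIXED.get((product.strip().lower(), esr))
    if fixed is None:
        return "unlisted"  # product/channel the advisory does not mention
    if esr and version[0] > fixed[0]:
        return "unlisted"  # later ESR branch: no threshold given, do not assume fixed
    width = max(len(version), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))  # so 25 == 25.0 == 25.0.0
    return "affected" if pad(version) < pad(fixed) else "fixed"

def triage(inventory):
    """Map each (host, product, version) record to its classification."""
    return [(host, product, ver, classify(product, ver)) for host, product, ver in inventory]

# Constructed sample inventory (hosts and versions are made up for illustration).
SAMPLE_INVENTORY = [
    ("ws-01", "Firefox", "24.0"),
    ("ws-02", "Firefox", "25.0"),
    ("ws-03", "Firefox", "17.0.9esr"),
    ("ws-04", "Firefox", "17.0.10esr"),
    ("ws-05", "Thunderbird", "24.0.1"),
    ("ws-06", "SeaMonkey", "2.21"),
    ("ws-07", "Firefox", "24.0esr"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print("%-6s %-12s %-11s %s" % row)
```

Versions are compared as integer tuples, so SeaMonkey 2.3 sorts before 2.22 and is classified as affected; a plain string comparison would get this wrong.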