CIS CYBER SECURITY ADVISORIES
MS-ISAC CYBER SECURITY ADVISORY NUMBER:
Multiple Vulnerabilities in Mozilla Products Could Allow Remote Code Execution
Multiple vulnerabilities have been discovered in Mozilla Firefox, Thunderbird, and SeaMonkey applications, which could allow remote code execution. Mozilla Firefox is a web browser used to access the Internet. Mozilla Thunderbird is an email client. Mozilla SeaMonkey is a cross platform Internet suite of tools ranging from a web browser to an email client. Successful exploitation of these vulnerabilities could result in either an attacker gaining the same privileges as the logged on user, or gaining session authentication credentials. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.
- Firefox versions prior to 26.0
- Firefox Extended Support Release (ESR) versions prior to 24.2
- Thunderbird versions prior to 24.2
- SeaMonkey versions prior to 2.23
- Large and medium government entities: High
- Small government entities: High
- Large and medium business entities: High
- Small business entities: High
Home users: High
Multiple vulnerabilities have been discovered in Mozilla Firefox, Thunderbird, and SeaMonkey. The details of these vulnerabilities are as follows:
- Mozilla Firefox, Thunderbird and SeaMonkey are prone to a security-bypass vulnerability because trust settings for built-in roots are ignored during Extended Validation(EV) certificate validation. Specifically, this issue occurs because EV root certificates are trusted even if the user has explicitly removed their trust. [CVE-2013-6673] [MFSA 2013-113]
- Mozilla Firefox, Thunderbird, and SeaMonkey are prone to multiple unspecified memory-corruption vulnerabilities that exist in the browser engine. [CVE-2013-5610] [CVE-2013-5609] [MFSA 2013-104]
- Mozilla Firefox and SeaMonkey are prone to an information-disclosure vulnerability because it fails to properly restrict the web content from accessing the data saved to the clipboard. Specifically, the issue exists when a user attempts to paste a selection with a middle-click instead of pasting the selection content. [CVE-2013-6672] [MFSA 2013-112]
- Mozilla Firefox, Thunderbird and SeaMonkey are prone to a memory-corruption vulnerabiliy due to a heap-use-after-free error when interacting with event listeners from the 'mListeners' array. Specifically, this issue affects the 'libxul.so!nsEventListenerManager::HandleEventSubType()' function. [CVE-2013-5616] [MFSA 2013-108]
- Mozilla Firefox and Seamonkey are prone to a security-bypass vulnerability that occurs because the '<iframe sandbox>' restrictions are not applied to an '<object>' element contained within a sandboxed iframe. [CVE-2013-5614] [MFSA 2013-107}
- Mozilla Firefox, Thunderbird and SeaMonkey are prone to multiple memory-corruption vulnerabilities due to a heap-use-after-free error. Specifically, this issue affects the 'libxul.so!PresShell::DispatchSynthMouseMove()' function. [CVE-2013-5613] [MFSA 2013-114]
- Mozilla Firefox is prone to a security-bypass vulnerability because the doorhanger notification for Web App installation may persist from one site to another without being dismissed by the navigation. Attackers can exploit this issue to trick an unsuspecting user into installing an application from one site while seemingly to come from trusted site. [CVE-2013-5611] [MFSA 2013-105]
- Mozilla Firefox, SeaMonkey, and Thunderbird are prone to a remote code-execution vulnerability due to a segmentation fault in the libxul.so!nsGfxScrollFrameInner::IsLTR()' function when inserting an ordered list into a document through script. [CVE-2013-6671] [MFSA 2013-111]
- Mozilla Firefox, Thunderbird and SeaMonkey are prone to multiple memory-corruption vulnerabilities due to a heap-use-after-free error. Specifically, this issue affects the 'nsNodeUtils::LastRelease()' on anonymous node from 'ShowInlineTableEditingUI()' function. [CVE-2013-5618] [MFSA 2013-109]
- Mozilla Firefox, Thunderbird and SeaMonkey are prone to a cross site scripting vulnerability due to an issue related to inherited character set encoding information. [CVE-2013-5612] [MSFA 2013-106]
Successful exploitation of these vulnerabilities could result in either an attacker gaining the same privileges as the logged on user, or gaining session authentication credentials. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data, or create new accounts with full user rights.
We recommend the following actions be taken:
- Upgrade vulnerable Mozilla products immediately after appropriate testing.
- Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
- Do not open email attachments or click on URLs from unknown or untrusted sources.
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.