CIS CYBER SECURITY ADVISORIES

MS-ISAC CYBER SECURITY ADVISORY NUMBER:
2014-026

DATE(S) ISSUED:
03/18/2014

SUBJECT:
Multiple Vulnerabilities in Mozilla Products Could Allow Remote Code Execution

OVERVIEW:

Multiple vulnerabilities have been discovered in Mozilla Firefox, Thunderbird, and SeaMonkey applications, which could allow remote code execution. Mozilla Firefox is a web browser used to access the Internet. Mozilla Thunderbird is an email client. Mozilla SeaMonkey is a cross-platform Internet suite of tools ranging from a web browser to an email client. Successful exploitation of these vulnerabilities could result in either an attacker gaining the same privileges as the logged-on user, or gaining session authentication credentials. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.

THREAT INTELLIGENCE:
Exploitation of some of these issues was demonstrated at the Pwn2Own contest, but the exploits are not publicly available. Some of these issues may not require specific exploit code and may be trivial to exploit.

SYSTEMS AFFECTED:

  • Firefox versions prior to 28
  • Firefox Extended Support Release (ESR) versions prior to 24.4
  • Firefox OS versions prior to 1.2.2 or 1.3
  • Thunderbird versions prior to 24.4
  • SeaMonkey versions prior to 2.25


RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: High

TECHNICAL SUMMARY:
Twenty vulnerabilities have been reported for various Mozilla products. Details of the vulnerabilities are as follows:

  • Multiple memory-corruption vulnerabilities affect the browser engine. [CVE-2014-1493, CVE-2014-1494]
  • A security-bypass vulnerability exists because files extracted from a 'Mar' file are not locked during an update. An attacker can exploit this issue to replace or modify these files during the update process if a malicious application is present on the local system. [CVE-2014-1496]
  • A memory-corruption vulnerability exists because of an out-of-bounds read during the decoding of WAV-format audio files for playback. Specifically, this issue occurs in the 'mozilla::WaveReader::DecodeAudioData()' function. [CVE-2014-1497]
  • A denial-of-service vulnerability occurs because the 'crypto.generateCRMFRequest' method fails to properly validate the key type of the 'KeyParams' argument when generating ec-dual-use requests. [CVE-2014-1498]
  • A URI-spoofing vulnerability occurs in the 'WebRTC' permission prompt. This may allow an attacker to conduct spoofing attacks by using a specially crafted URI. [CVE-2014-1499]
  • A denial-of-service vulnerability occurs when using JavaScript 'onbeforeunload' events with page navigation. An attacker can exploit this issue to prevent users from closing a malicious page's tab. [CVE-2014-1500]
  • An unauthorized-access vulnerability exists because local files can be accessed through 'Open Link in new Tab' from the context menu using the 'file:' protocol. [CVE-2014-1501] Note: This issue affects Firefox on Android systems.
  • A security-bypass vulnerability occurs because 'WebGL' content could inject content from its context into another site's WebGL context. Specifically, this issue occurs because the 'WebGL.compressedTex(Sub)Image2D()' function fails to call MakeCurrent. [CVE-2014-1502]
  • A cross-site-scripting vulnerability occurs in the Content Security Policy (CSP) handling for 'data:' documents. [CVE-2014-1504]
  • A security vulnerability occurs in the 'CrashReporter'. [CVE-2014-1506] Note: This issue affects Firefox on Android systems.
  • A directory-traversal vulnerability occurs because the 'DeviceStorage API' is not properly implemented. An attacker can exploit this issue to escape the media sandbox and potentially read or write any file on the device. [CVE-2014-1507]
  • An information-disclosure vulnerability occurs due to an out-of-bounds read error in the 'libxul.so!gfxContext::Polygon()' function. An attacker can exploit this issue to potentially read protected memory addresses. [CVE-2014-1508]
  • A memory-corruption vulnerability exists in the 'Cairo' graphics library when rendering the font of a PDF file for display. Specifically, a memcpy buffer overrun occurs when '_cairo_truetype_index_to_ucs4' calls '_cairo_dwrite_load_truetype_table()'. [CVE-2014-1509]
  • An information-disclosure vulnerability occurs in the 'feDisplacementMap()' function because it fails to check the taintedness of the image used for the displacements. [CVE-2014-1505]
  • A remote memory-corruption vulnerability exists because of an out-of-bounds read/write error. Specifically, this issue occurs in the 'TypedArrayObject.cpp' source file because it fails to handle the case where 'ArrayBuffer' objects are neutered. [CVE-2014-1513]
  • A remote code-execution vulnerability exists due to a use-after-free error in the JavaScript (JS) engine. [CVE-2014-1512]
  • A privilege-escalation vulnerability exists in WebIDL-implemented APIs. [CVE-2014-1510, CVE-2014-1511]
  • An out-of-bounds write occurs through TypedArrayObject after neutering. [CVE-2014-1514]

Successful exploitation could result in an attacker gaining the same privileges as the affected application. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploit attempts will likely cause denial-of-service conditions.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Update vulnerable Mozilla products immediately after appropriate testing.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Do not open email attachments or click on URLs from unknown or untrusted sources.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
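As an added example (not part of the advisory), the check below encodes the fixed versions from the SYSTEMS AFFECTED section so that an inventory of installed Mozilla product versions can be triaged before the update is rolled out; the product keys, the `triage` helper and the sample inventory are constructed for this example.

```python
"""Flag installed Mozilla product versions that MS-ISAC advisory 2014-026
lists as affected. Added example; product keys and inputs are constructed."""
import re

# First unaffected release per product, from the SYSTEMS AFFECTED section.
# Each entry is (branch prefix or None, fixed version). Firefox OS is fixed
# at 1.2.2 on the 1.2 branch and at 1.3 for every other branch.
FIXED_VERSIONS = {
    "firefox": [(None, (28,))],
    "firefox-esr": [(None, (24, 4))],
    "firefox-os": [((1, 2), (1, 2, 2)), (None, (1, 3))],
    "thunderbird": [(None, (24, 4))],
    "seamonkey": [(None, (2, 25))],
}


def parse_version(text):
    """Turn '24.3.1esr' or '28.0' into a tuple of ints. Non-numeric suffixes
    such as 'esr' are dropped; they do not change ordering for this check."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"(\d+)", piece)
        if not m:
            break
        parts.append(int(m.group(1)))
    if not parts:
        raise ValueError("no numeric version in %r" % text)
    return tuple(parts)


def is_affected(product, version):
    """True when `version` of `product` is older than the fixed release.
    Tuples compare lexicographically, so (24, 3, 1) < (24, 4) holds and
    (24, 4, 0) < (24, 4) does not, which is the ordering we want."""
    key = product.lower()
    if key not in FIXED_VERSIONS:
        raise KeyError("product not covered by this advisory: %r" % product)
    v = parse_version(version)
    for branch, fixed in FIXED_VERSIONS[key]:
        if branch is None or v[:len(branch)] == branch:
            return v < fixed
    return False


def triage(inventory):
    """Return the sorted hosts whose (host, product, version) entry is affected."""
    return sorted(h for h, p, v in inventory if is_affected(p, v))


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [("ws01", "firefox", "27.0.1"), ("ws02", "firefox", "28.0"),
              ("mail1", "thunderbird", "24.3.0"), ("ws03", "firefox-esr", "24.4.0esr"),
              ("dev1", "seamonkey", "2.24"), ("tab1", "firefox-os", "1.2.1")]
    print(triage(sample))  # ['dev1', 'mail1', 'tab1', 'ws01']
```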


REFERENCES:
MOZILLA:

http://www.mozilla.org/security/announce/2014/mfsa2014-15.html
http://www.mozilla.org/security/announce/2014/mfsa2014-16.html
http://www.mozilla.org/security/announce/2014/mfsa2014-17.html
http://www.mozilla.org/security/announce/2014/mfsa2014-18.html
http://www.mozilla.org/security/announce/2014/mfsa2014-19.html
http://www.mozilla.org/security/announce/2014/mfsa2014-20.html
http://www.mozilla.org/security/announce/2014/mfsa2014-21.html
http://www.mozilla.org/security/announce/2014/mfsa2014-22.html
http://www.mozilla.org/security/announce/2014/mfsa2014-23.html
http://www.mozilla.org/security/announce/2014/mfsa2014-24.html
http://www.mozilla.org/security/announce/2014/mfsa2014-25.html
http://www.mozilla.org/security/announce/2014/mfsa2014-26.html
http://www.mozilla.org/security/announce/2014/mfsa2014-27.html
http://www.mozilla.org/security/announce/2014/mfsa2014-28.html
http://www.mozilla.org/security/announce/2014/mfsa2014-29.html
http://www.mozilla.org/security/announce/2014/mfsa2014-30.html
http://www.mozilla.org/security/announce/2014/mfsa2014-31.html
http://www.mozilla.org/security/announce/2014/mfsa2014-32.html

CVE:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1493
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1494
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1496
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1497
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1498
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1499
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1500
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1501
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1502
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1504
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1505
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1506
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1507
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1508
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1509
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1510
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1511
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1512
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1513
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1514

SecurityFocus:

http://www.securityfocus.com/bid/66203
http://www.securityfocus.com/bid/66206
http://www.securityfocus.com/bid/66240
http://www.securityfocus.com/bid/66278