CIS CYBER SECURITY ADVISORIES
MS-ISAC CYBER SECURITY ADVISORY NUMBER:
Multiple Vulnerabilities in Mozilla Products Could Allow Remote Code Execution
OVERVIEW:
Multiple vulnerabilities have been discovered in the Mozilla Firefox, Thunderbird, and SeaMonkey applications, which could allow remote code execution. Mozilla Firefox is a web browser used to access the Internet. Mozilla Thunderbird is an email client. Mozilla SeaMonkey is a cross-platform Internet suite of tools ranging from a web browser to an email client. Successful exploitation of these vulnerabilities could result in either an attacker gaining the same privileges as the logged-on user, or gaining session authentication credentials. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.
Exploitation of some of these issues was demonstrated at the Pwn2Own contest, but the exploits are not publicly available. Some of these issues may not require specific exploit code and may be trivial to exploit.
SYSTEMS AFFECTED:
- Firefox versions prior to 28
- Firefox Extended Support Release (ESR) versions prior to 24.4
- Firefox OS versions prior to 1.2.2 or 1.3
- Thunderbird versions prior to 24.4
- SeaMonkey versions prior to 2.25
RISK:
Government:
- Large and medium government entities: High
- Small government entities: High
Businesses:
- Large and medium business entities: High
- Small business entities: High
Home users: High
TECHNICAL SUMMARY:
Twenty vulnerabilities have been reported for various Mozilla products. Details of the vulnerabilities are as follows:
- Multiple memory-corruption vulnerabilities affect the browser engine. [CVE-2014-1493, CVE-2014-1494]
- A security-bypass vulnerability exists because files extracted from a 'MAR' update archive are not locked during the update process. An attacker can exploit this issue to replace or modify those files during the update if a malicious application is already present on the local system. [CVE-2014-1496]
- A memory-corruption vulnerability occurs because of an out-of-bounds read during the decoding of WAV-format audio files for playback. Specifically, this issue occurs in the 'mozilla::WaveReader::DecodeAudioData()' function. [CVE-2014-1497]
- A denial-of-service vulnerability occurs because the 'crypto.generateCRMFRequest' method fails to properly validate the key type of the 'KeyParams' argument when generating 'ec-dual-use' requests. [CVE-2014-1498]
- A URI-spoofing vulnerability occurs in the 'WebRTC' permission prompt. This may allow attackers to conduct spoofing attacks by using a specially crafted URI. [CVE-2014-1499]
- An unauthorized-access vulnerability exists because a local file can be accessed through 'Open Link in New Tab' from the context menu using the 'file:' protocol. [CVE-2014-1501] Note: This issue affects Firefox on Android systems.
- A security-bypass vulnerability occurs because 'WebGL' content could inject content from its own context into another site's WebGL context. Specifically, this issue occurs because the 'WebGL.compressedTex(Sub)Image2D()' function fails to call MakeCurrent. [CVE-2014-1502]
- A cross-site-scripting vulnerability occurs in the Content Security Policy (CSP) handling for 'data:' documents. [CVE-2014-1504]
- A security vulnerability occurs in the 'CrashReporter'. [CVE-2014-1506] Note: This issue affects Firefox on Android systems.
- A directory-traversal vulnerability occurs because the 'DeviceStorage' API is not properly implemented. Attackers can exploit this issue to escape the media sandbox and potentially read or write any file on the device. [CVE-2014-1507]
- An information-disclosure vulnerability occurs due to an out-of-bounds read error in the 'libxul.so!gfxContext::Polygon()' function. Attackers can exploit this issue to potentially read protected memory addresses. [CVE-2014-1508]
- A memory-corruption vulnerability occurs in the 'Cairo' graphics library when rendering the font of a PDF file for display. Specifically, a memcpy buffer overrun occurs when '_cairo_truetype_index_to_ucs4' calls '_cairo_dwrite_load_truetype_table()'. [CVE-2014-1509]
- An information-disclosure vulnerability occurs in the 'feDisplacementMap()' function because it fails to check the taintedness of the image used for the displacements. [CVE-2014-1505]
- A remote memory-corruption vulnerability occurs because of an out-of-bounds read/write error. Specifically, this issue occurs in the 'TypedArrayObject.cpp' source file because it fails to handle the case where 'ArrayBuffer' objects are neutered. [CVE-2014-1513]
- A privilege-escalation vulnerability exists in WebIDL-implemented APIs. [CVE-2014-1510, CVE-2014-1511]
- An out-of-bounds write occurs through TypedArrayObject after neutering. [CVE-2014-1514]
Successful exploitation could result in an attacker gaining the same privileges as the affected application. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploit attempts will likely cause denial-of-service conditions.
RECOMMENDATIONS:
We recommend the following actions be taken:
- Update vulnerable Mozilla products immediately after appropriate testing.
- Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
- Do not open email attachments or click on URLs from unknown or untrusted sources.
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
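As an added check (example code, not part of the CIS/MS-ISAC advisory), the following Python compares inventoried product versions against the fixed versions listed under Systems Affected; the host names and version strings are constructed samples, and it treats any Firefox version ending in 'esr' as belonging to the ESR track so that 24.x ESR builds are judged against 24.4 rather than 28.

```python
import re
# Minimum fixed version per product, from the advisory's affected list (Firefox OS: below 1.2.2).
FIXED_IN = {
    "firefox": (28,),
    "firefox-esr": (24, 4),
    "firefox-os": (1, 2, 2),
    "thunderbird": (24, 4),
    "seamonkey": (2, 25),
}
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(esr)?", re.IGNORECASE)

def parse_version(text):
    """Return (numeric tuple, is_esr) for strings like '24.3.0esr' or '27.0.1'."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    return numbers, m.group(2) is not None

def _padded(a, b):
    """Right-pad with zeros so (28,) compares equal to (28, 0, 0)."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)), b + (0,) * (width - len(b))

def is_affected(product, version):
    """True if this product/version falls inside the advisory's affected range."""
    key = product.lower()
    numbers, is_esr = parse_version(version)
    # ESR builds (e.g. '24.3.0esr') are fixed at 24.4, not 28: use the ESR track.
    if key == "firefox" and is_esr:
        key = "firefox-esr"
    if key not in FIXED_IN:
        raise KeyError(f"product not covered by this advisory: {product!r}")
    have, fixed = _padded(numbers, FIXED_IN[key])
    return have < fixed

def triage(inventory):
    """Split (host, product, version) rows into affected and patched host lists."""
    affected, patched = [], []
    for host, product, version in inventory:
        (affected if is_affected(product, version) else patched).append(host)
    return affected, patched

# Constructed sample inventory (hypothetical hosts), not data from the advisory.
SAMPLE_INVENTORY = [
    ("ws01", "Firefox", "27.0.1"), ("ws02", "Firefox", "28.0"),
    ("srv01", "Firefox", "24.3.0esr"), ("srv02", "Firefox", "24.4.0esr"),
    ("mail01", "Thunderbird", "24.3.0"), ("dev01", "SeaMonkey", "2.25"),
]
```

Feed `triage()` the (host, product, version) rows from your software inventory; a mainline Firefox 24.x without the 'esr' suffix is correctly flagged, since it is below 28.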