Date: 27 October 2009
References: ESB-2009.1456 ESB-2009.1458 ESB-2009.1475 ESB-2009.1493 ESB-2009.1513 ESB-2009.1524 ESB-2010.0011.2
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT Security Bulletin
ASB-2009.1114
Firefox updates fix multiple vulnerabilities
28 October 2009
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product:              Firefox
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Denial of Service               -- Remote with User Interaction
                      Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Access Confidential Data        -- Remote with User Interaction
                      Provide Misleading Information  -- Remote with User Interaction
                      Overwrite Arbitrary Files       -- Console/Physical
Resolution:           Patch/Upgrade
CVE Names:            CVE-2009-1563 CVE-2009-3370 CVE-2009-3274
                      CVE-2009-3371 CVE-2009-3372 CVE-2009-3373
                      CVE-2009-3374 CVE-2009-3375 CVE-2009-3376
                      CVE-2009-3377 CVE-2009-3378 CVE-2009-3379
                      CVE-2009-3380 CVE-2009-3381 CVE-2009-3382
                      CVE-2009-3383
Member content until: Friday, November 27 2009
OVERVIEW
Mozilla has released 11 advisories relating to Firefox describing a
total of 14 vulnerabilities. Mozilla has rated 6 of these
advisories as "Critical", 3 as "Moderate" and 2 as "Low" impact.
IMPACT
According to Mozilla, the vulnerabilities corrected in this
update are:
o MFSA 2009-52 (CVE-2009-3370): "...a user's form history, both from
web content as well as the smart location bar, was vulnerable to
theft. A malicious web page could synthesize events such as mouse
focus and key presses on behalf of the victim and trick the browser
into auto-filling the form fields with history entries and then
reading the entries." [1]
o MFSA 2009-53 (CVE-2009-3274): "...the file naming scheme used for
downloading a file which already exists in the downloads folder is
predictable. If an attacker had local access to a victim's computer
and knew the name of a file the victim intended to open through the
Download Manager, he could use this vulnerability to place a malicious
file in the world-writable directory used to save temporary downloaded
files and cause the browser to choose the incorrect file when opening
it." [2]
o MFSA 2009-54 (CVE-2009-3371): "...recursive creation of JavaScript
web-workers can be used to create a set of objects whose memory
could be freed prior to their use. These conditions often result in
a crash which could potentially be used by an attacker to run
arbitrary code on a victim's computer." [3]
o MFSA 2009-55 (CVE-2009-3372): "...a flaw in the parsing of regular
expressions used in Proxy Auto-configuration (PAC) files. In certain
cases this flaw could be used by an attacker to crash a victim's
browser and run arbitrary code on their computer." [4]
o MFSA 2009-56 (CVE-2009-3373): "...a heap-based buffer overflow in
Mozilla's GIF image parser. This vulnerability could potentially be
used by an attacker to crash a victim's browser and run arbitrary code
on their computer." [5]
o MFSA 2009-57 (CVE-2009-3374): "...the XPCOM utility
XPCVariant::VariantDataToJS unwrapped doubly-wrapped objects before
returning them to chrome callers. This could result in chrome
privileged code calling methods on an object which had previously
been created or modified by web content, potentially executing
malicious JavaScript code with chrome privileges." [6]
o MFSA 2009-59 (CVE-2009-1563): "...a heap-based buffer overflow in
Mozilla's string to floating point number conversion routines. Using
this vulnerability an attacker could craft some malicious JavaScript
code containing a very long string to be converted to a floating
point number which would result in improper memory allocation and the
execution of an arbitrary memory location. This vulnerability could
thus be leveraged by the attacker to run arbitrary code on a
victim's computer." [7]
o MFSA 2009-61 (CVE-2009-3375): "...text within a selection on a web page
can be read by JavaScript in a different domain using the
document.getSelection function, violating the same-origin policy." [8]
o MFSA 2009-62 (CVE-2009-3376): "...when downloading a file containing a
right-to-left override character (RTL) in the filename, the name
displayed in the dialog title bar conflicts with the name of the file
shown in the dialog body. An attacker could use this vulnerability to
obfuscate the name and file extension of a file to be downloaded and
opened, potentially causing a user to run an executable file when they
expected to open a non-executable file." [9]
o MFSA 2009-63 (CVE-2009-3377,CVE-2009-3378,CVE-2009-3379): "Mozilla
upgraded several third party libraries used in media rendering to
address multiple memory safety and stability bugs identified by
members of the Mozilla community. Some of the bugs discovered could
potentially be used by an attacker to crash a victim's browser and
execute arbitrary code on their computer." [10]
o MFSA 2009-64 (CVE-2009-3380,CVE-2009-3381,CVE-2009-3382,
CVE-2009-3383): "Mozilla developers and community members identified and
fixed several stability bugs in the browser engine used in Firefox and
other Mozilla-based products. Some of these crashes showed evidence of
memory corruption under certain circumstances and we presume that with
enough effort at least some of these could be exploited to run
arbitrary code." [11]
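The filename confusion described in MFSA 2009-62 can be caught on the receiving side by inspecting the stored character order instead of the rendered name. The following check is an added example, not part of the AusCERT bulletin or Mozilla's fix; the sample filename is constructed, and the set of characters covers the Unicode bidirectional controls in general, which goes beyond the single override character the advisory names.

```python
import os
import unicodedata

# Unicode bidirectional formatting characters that can reorder displayed text.
# U+202E (RIGHT-TO-LEFT OVERRIDE) is the character named in MFSA 2009-62.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE RLE PDF LRO RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI RLI FSI PDI
    "\u200e", "\u200f",                                # LRM RLM
}

# Constructed sample: renders as "invoiceexe.pdf" but is stored ending in ".exe".
SAMPLE = "invoice\u202efdp.exe"


def inspect_filename(name):
    """Report what is really stored in a filename, independent of rendering."""
    found = [(i, unicodedata.name(ch))
             for i, ch in enumerate(name) if ch in BIDI_CONTROLS]
    return {
        "suspicious": bool(found),
        "controls": found,
        # Extension from the logical (stored) order, which the OS acts on.
        "real_extension": os.path.splitext(name)[1].lower(),
        # Escaped form that is safe to show in a log line or a dialog.
        "escaped": name.encode("unicode_escape").decode("ascii"),
        # Name with the controls removed, for display or quarantine naming.
        "stripped": "".join(ch for ch in name if ch not in BIDI_CONTROLS),
    }


if __name__ == "__main__":
    for key, value in inspect_filename(SAMPLE).items():
        print(f"{key}: {value}")
```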
MITIGATION
These vulnerabilities have been fixed in Firefox 3.5.4 and
Firefox 3.0.15. Updated versions of these programs are available from
the Mozilla web site. [12]
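To find hosts still below the fixed releases, an inventory of version strings can be compared per branch against 3.5.4 and 3.0.15. This script is an added example and not part of the bulletin; the inventory lines, the host names, the status labels and the treatment of a suffixed build such as "3.5.4pre" as not yet fixed are assumptions.

```python
import re

# Fixed releases named in this bulletin's MITIGATION section, keyed by branch.
FIXED = {(3, 5): (3, 5, 4), (3, 0): (3, 0, 15)}

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?([A-Za-z]\w*)?")

# Constructed inventory: one "host<TAB>version string" entry per line.
INVENTORY = """\
ws-01\tMozilla Firefox 3.5.3
ws-02\tMozilla Firefox 3.5.4
ws-03\tMozilla Firefox 3.0.14
ws-04\tMozilla Firefox 3.0.15
ws-05\tMozilla Firefox 3.5.4pre
ws-06\tMozilla Firefox 2.0.0.20
"""


def classify(version_text):
    """Return 'patched', 'needs-update', 'not-covered' or 'unparseable'."""
    m = VERSION_RE.search(version_text)
    if not m:
        return "unparseable"
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return "not-covered"      # a branch this bulletin does not mention
    if version == fixed and m.group(4):
        return "needs-update"     # assumption: suffixed builds predate the release
    return "patched" if version >= fixed else "needs-update"


def audit(inventory):
    """Map each host in the inventory to its classification."""
    results = {}
    for line in inventory.splitlines():
        host, _, version = line.partition("\t")
        if host.strip():
            results[host.strip()] = classify(version)
    return results


if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host}\t{status}")
```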
REFERENCES
[1] Mozilla Foundation Security Advisory 2009-52
http://www.mozilla.org/security/announce/2009/mfsa2009-52.html
[2] Mozilla Foundation Security Advisory 2009-53
http://www.mozilla.org/security/announce/2009/mfsa2009-53.html
[3] Mozilla Foundation Security Advisory 2009-54
http://www.mozilla.org/security/announce/2009/mfsa2009-54.html
[4] Mozilla Foundation Security Advisory 2009-55
http://www.mozilla.org/security/announce/2009/mfsa2009-55.html
[5] Mozilla Foundation Security Advisory 2009-56
http://www.mozilla.org/security/announce/2009/mfsa2009-56.html
[6] Mozilla Foundation Security Advisory 2009-57
http://www.mozilla.org/security/announce/2009/mfsa2009-57.html
[7] Mozilla Foundation Security Advisory 2009-59
http://www.mozilla.org/security/announce/2009/mfsa2009-59.html
[8] Mozilla Foundation Security Advisory 2009-61
http://www.mozilla.org/security/announce/2009/mfsa2009-61.html
[9] Mozilla Foundation Security Advisory 2009-62
http://www.mozilla.org/security/announce/2009/mfsa2009-62.html
[10] Mozilla Foundation Security Advisory 2009-63
http://www.mozilla.org/security/announce/2009/mfsa2009-63.html
[11] Mozilla Foundation Security Advisory 2009-64
http://www.mozilla.org/security/announce/2009/mfsa2009-64.html
[12] Mozilla Firefox web browser
http://www.mozilla.org/firefox
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iD8DBQFK56FGNVH5XJJInbgRAs3vAJ4i+2YcUq3G42u1HOmpzALWlAQuigCdFisL
Y7mIiR6PH6izjC+oJFr4eHc=
=WzrH
-----END PGP SIGNATURE-----