Coastal Network Status

South Carolina Information Sharing and Analysis Center

SC INFORMATION SHARING AND ANALYSIS CENTER BULLETIN

DATE ISSUED: 1/9/2013

SUBJECT: Multiple Vulnerabilities in Mozilla Products Could Allow Remote Code Execution

OVERVIEW:

Multiple vulnerabilities have been discovered in Mozilla Firefox, Thunderbird, and SeaMonkey applications, which could allow remote code execution. Mozilla Firefox is a web browser used to access the Internet. Mozilla Thunderbird is an email client. Mozilla SeaMonkey is a cross platform Internet suite of tools ranging from a web browser to an email client. Successful exploitation of these vulnerabilities could result in either an attacker gaining the same privileges as the logged on user, or gaining session authentication credentials. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.

DESCRIPTION:

Multiple vulnerabilities have been discovered in Mozilla Firefox, Thunderbird, and SeaMonkey. The details of these vulnerabilities are as follows:

Miscellaneous memory safety hazards (MFSA 2013-01) - several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products have been identified. Some of these bugs showed evidence of memory corruption under certain circumstances, and some of these could be exploited to run arbitrary code.
Use-after-free issue (MFSA 2013-02) - this issue affects the Address Sanitizer tool and could allow remote code execution.
Buffer Overflow in Canvas (MFSA 2013-03) - there is an error when handling specific bad height and width values given through HTML. This issue causes a crash that may be exploitable.
URL spoofing in address bar during page loads (MFSA 2013-04) - there is an issue where the displayed URL values within the address bar can be spoofed by a page during loading. This could allow for phishing attacks where a malicious page can spoof the identity of another site.
Use-after-free when displaying table with many columns and column groups (MFSA 2013-05) - this issue is caused by an array containing a large number of columns and column groups that causes the array to overwrite itself during rendering leading to a crash that may be exploitable.
Touch events are shared across iframes Android (MFSA 2013-06) - this allows for information leakage and possibilities for cross-site scripting (XSS)
Crash due to handling of SSL on threads (MFSA 2013-07) - there is a crashing issue found through Thunderbird when downloading messages over a Secure Sockets Layer (SSL) connection. The resulting crash is potentially exploitable.
AutoWrapper Changer fails to keep objects alive during garbage collection (MFSA 2013-08) - the AutoWrapper Changer class fails to keep some javascript objects alive during garbage collection. This can lead to an exploitable crash allowing for arbitrary code execution.
Compartment mismatch with quick stubs returned values (MFSA 2013-09) - there is a problem where jsval-returning quick stubs fail to wrap their return values, causing a compartment mismatch. This mismatch can cause garbage collection to occur incorrectly and lead to a potentially exploitable crash.
Event manipulation in plug-in handler to bypass same-origin policy (MFSA 2013-10) - the plug-in handler can be manipulated by web content to bypass same-origin policy (SOP) restrictions. This can allow for click-jacking on malicious web pages.
Address space layout leaked in XBL objects (MFSA 2013-11) - using the to String function of XBL objects can lead to inappropriate information leakage by revealing the address space layout instead of just the ID of the object. This layout information could potentially be used to bypass ASLR and other security protections.
Buffer overflow in Javascript string concatenation (MFSA 2013-12) - an integer overflow is possible when calculating the length for a Javascript string concatenation, which is then used for memory allocation. This results in a buffer overflow, leading to a potentially exploitable memory corruption.
Memory corruption in XBL with XML bindings containing SVG (MFSA 2013-13) - when using an XBL file containing multiple XML bindings with SVG content, a memory corruption can occur. In concern with remote XUL, this can lead to an exploitable crash.
Chrome Object Wrapper (COW) bypass through changing prototype (MFSA 2013-14) - it is possible to change the prototype of an object and bypass Chrome Object Wrappers (COW) to gain access to chrome privileged functions. This could allow for arbitrary code execution.
Privilege escalation through plug-in objects (MFSA 2013-15) - it is possible to open a chrome privileged web page through plug-in objects through interaction with SVG elements. This could allow for arbitrary code execution.
Use-after-free in serialize ToStream (MFSA 2013-16) - there is a use-after-free issue in XML Serializer by the exposing of serialize ToStream to web content. This can lead to arbitrary code execution when exploited.
Use-after-free in Listener Manager (MFSA 2013-17) - there is a use-after-free issue within the Listener Manager when garbage collection is forced after data in listener objects has been allocated in some circumstances. This results in a use-after-free, which can lead to arbitrary code execution.
Use-after-free in Vibrate (MFSA 2013-18) - there is a use-after-free issue when using the domDoc pointer within Vibrate library. This can lead to arbitrary code execution when exploited.
Use-after-free in Javascript Proxy objects (MFSA 2013-19) - there is a garbage collection flaw in Javascript Proxy objects. This can lead to a use-after-free leading to arbitrary code execution.
Mis-issued TURKTRUST certificates (MFSA 2013-20) - TURKTRUST, a certificate authority in Mozilla’s root program, had mis-issued two intermediate certificates to customers. The issue was not specific to Firefox but there was evidence that one of the certificates was used for man-in-the-middle (MITM) traffic management of domain names that the customer did not legitimately own or control. This issue was resolved by revoking the trust for these specific mis-issued certificates. Successful exploitation of these vulnerabilities could result in either an attacker gaining the same privileges as the logged on user, or gaining session authentication credentials. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.