South Carolina Information Sharing and Analysis Center
SC INFORMATION SHARING AND ANALYSIS CENTER BULLETIN
DATE ISSUED: 1/9/2013
SUBJECT: Multiple Vulnerabilities in Mozilla Products Could Allow Remote Code Execution
Multiple vulnerabilities have been discovered in Mozilla Firefox, Thunderbird, and SeaMonkey applications, which could allow remote code execution. Mozilla Firefox is a web browser used to access the Internet. Mozilla Thunderbird is an email client. Mozilla SeaMonkey is a cross platform Internet suite of tools ranging from a web browser to an email client. Successful exploitation of these vulnerabilities could result in either an attacker gaining the same privileges as the logged on user, or gaining session authentication credentials. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.
Multiple vulnerabilities have been discovered in Mozilla Firefox, Thunderbird, and SeaMonkey. The details of these vulnerabilities are as follows:
- Miscellaneous memory safety hazards (MFSA 2013-01) - several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products have been identified. Some of these bugs showed evidence of memory corruption under certain circumstances, and some of these could be exploited to run arbitrary code.
- Use-after-free issue (MFSA 2013-02) - this issue affects the Address Sanitizer tool and could allow remote code execution.
- Buffer Overflow in Canvas (MFSA 2013-03) - there is an error when handling specific bad height and width values given through HTML. This issue causes a crash that may be exploitable.
- URL spoofing in address bar during page loads (MFSA 2013-04) - there is an issue where the displayed URL values within the address bar can be spoofed by a page during loading. This could allow for phishing attacks where a malicious page can spoof the identity of another site.
- Use-after-free when displaying table with many columns and column groups (MFSA 2013-05) - this issue is caused by an array containing a large number of columns and column groups that causes the array to overwrite itself during rendering leading to a crash that may be exploitable.
- Touch events are shared across iframes Android (MFSA 2013-06) - this allows for information leakage and possibilities for cross-site scripting (XSS)
- Crash due to handling of SSL on threads (MFSA 2013-07) - there is a crashing issue found through Thunderbird when downloading messages over a Secure Sockets Layer (SSL) connection. The resulting crash is potentially exploitable.
- Compartment mismatch with quick stubs returned values (MFSA 2013-09) - there is a problem where jsval-returning quick stubs fail to wrap their return values, causing a compartment mismatch. This mismatch can cause garbage collection to occur incorrectly and lead to a potentially exploitable crash.
- Event manipulation in plug-in handler to bypass same-origin policy (MFSA 2013-10) - the plug-in handler can be manipulated by web content to bypass same-origin policy (SOP) restrictions. This can allow for click-jacking on malicious web pages.
- Address space layout leaked in XBL objects (MFSA 2013-11) - using the to String function of XBL objects can lead to inappropriate information leakage by revealing the address space layout instead of just the ID of the object. This layout information could potentially be used to bypass ASLR and other security protections.
- Memory corruption in XBL with XML bindings containing SVG (MFSA 2013-13) - when using an XBL file containing multiple XML bindings with SVG content, a memory corruption can occur. In concern with remote XUL, this can lead to an exploitable crash.
- Chrome Object Wrapper (COW) bypass through changing prototype (MFSA 2013-14) - it is possible to change the prototype of an object and bypass Chrome Object Wrappers (COW) to gain access to chrome privileged functions. This could allow for arbitrary code execution.
- Privilege escalation through plug-in objects (MFSA 2013-15) - it is possible to open a chrome privileged web page through plug-in objects through interaction with SVG elements. This could allow for arbitrary code execution.
- Use-after-free in serialize ToStream (MFSA 2013-16) - there is a use-after-free issue in XML Serializer by the exposing of serialize ToStream to web content. This can lead to arbitrary code execution when exploited.
- Use-after-free in Listener Manager (MFSA 2013-17) - there is a use-after-free issue within the Listener Manager when garbage collection is forced after data in listener objects has been allocated in some circumstances. This results in a use-after-free, which can lead to arbitrary code execution.
- Use-after-free in Vibrate (MFSA 2013-18) - there is a use-after-free issue when using the domDoc pointer within Vibrate library. This can lead to arbitrary code execution when exploited.
- Mis-issued TURKTRUST certificates (MFSA 2013-20) - TURKTRUST, a certificate authority in Mozilla’s root program, had mis-issued two intermediate certificates to customers. The issue was not specific to Firefox but there was evidence that one of the certificates was used for man-in-the-middle (MITM) traffic management of domain names that the customer did not legitimately own or control. This issue was resolved by revoking the trust for these specific mis-issued certificates. Successful exploitation of these vulnerabilities could result in either an attacker gaining the same privileges as the logged on user, or gaining session authentication credentials. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.
- Firefox versions prior to 18.0
- Firefox Extended Support Release (ESR) versions prior to 10.0.12 and 17.0.2
- Thunderbird versions prior to 17.0.2
- Thunderbird Extended Support Release (ESR) versions prior to 10.0.12 and 17.0.2
- SeaMonkey versions prior to 2.15
- Large and medium government entities: High
- Small government entities: High
- Large and medium business entities: High
- Small business entities: High
Home users: High
We recommend the following actions be taken:
· Upgrade vulnerable Mozilla products immediately after appropriate testing.
· Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
· Do not open email attachments or click on URLs from unknown or un-trusted sources.
· Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
Please feel free to contact the SC ISAC if you have any questions or need any additional information.
The SC ISAC will provide amplifying information as it becomes available.
SC-ISAC Contact Information
SC ISAC Security Line: 803-896-1650
24-hour hotline: +1 803-896-0001
Fax: +1 803-896-0375
DSIT Budget and Control Board
4430 Broad River Road
Columbia S.C. 29210
SC-ISAC is available via hotline 08:00-17:00 EST (GMT-5)/ EDT (GMT-4)
Monday through Friday
We strongly urge you to encrypt sensitive information sent by email. Our
public PGP key is available from:
Any material furnished by SC-ISAC is furnished on an "as is" basis.
SC-ISAC makes no warranties of any kind, either expressed or implied as to
any matter including, but not limited to, warranty of fitness for a particular
purpose or merchantability, exclusivity or results obtained from use of the
material. SC-ISAC does not make any warranty of any kind with respect to
freedom from patent, trademark, or copyright infringement.