Information Technology Services
Coastal Network Status - Issue Detail
Security
Alert

Multiple Vulnerabilities in Mozilla Products Could Allow Remote Code Execution
Posted: April 4, 2013, 9:55 am
Last Updated: August 12, 2013, 2:42 pm

South Carolina Information Sharing and Analysis Center

 

SC INFORMATION SHARING AND ANALYSIS CENTER BULLETIN

 

DATE ISSUED: 4/3/2013

SUBJECT: Multiple Vulnerabilities in Mozilla Products Could Allow Remote Code Execution

 

 

OVERVIEW:

 

Multiple vulnerabilities have been discovered in the Mozilla Firefox, Thunderbird, and SeaMonkey applications, which could allow for remote code execution. Mozilla Firefox is a web browser used to access the Internet. Mozilla Thunderbird is an email client. Mozilla SeaMonkey is a cross-platform Internet suite of tools ranging from a web browser to an email client.

 

Successful exploitation of these vulnerabilities could result in either an attacker gaining the same privileges as the logged-on user, or gaining session authentication credentials. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.

 

DESCRIPTION:

 

Multiple vulnerabilities have been discovered in Mozilla Firefox, Thunderbird, and SeaMonkey. The details of these vulnerabilities are as follows:

·          Miscellaneous memory safety hazards: Multiple memory-corruption vulnerabilities exist in the browser engine that could lead to arbitrary code execution.

·          Out-of-bounds write in Cairo library: An out-of-bounds write in the Cairo graphics library could cause a potentially exploitable crash.

·          Privilege escalation through Mozilla Maintenance Service: A privilege-escalation vulnerability requiring local system access exists as a result of an error that occurs when using Mozilla Maintenance Service.

·          World read and write access to app_tmp directory on Android: The app_tmp directory for Firefox on Android is world-readable and world-writable, giving third parties the ability to alter and/or replace Firefox add-ons that are stored temporarily in the app_tmp directory before installation.

·          Privilege escalation through Mozilla Updater: An error exists where the Mozilla Updater can be made to load a malicious local DLL file, resulting in privilege escalation. To exploit this vulnerability, the malicious DLL must be placed in a specific location on the host before the Mozilla Updater is run, so local file system access is required.

·          WebGL crash with Mesa graphics driver on Linux: A denial-of-service condition exists that may be exploitable. This issue occurs when the 'WebGL' library crashes and primarily affects Linux users with a Mesa graphics driver.

·          Bypass of SOW protections allows cloning of protected nodes: A security-bypass vulnerability affecting System Only Wrappers (SOW) exists which, if exploited, could allow an attacker to clone a protected node, possibly resulting in privilege escalation and the execution of arbitrary code.

·          Bypass of tab-modal dialog origin disclosure: A method exists for removing the origin indication on tab-modal dialog boxes in combination with browser navigation. This could allow attackers to overlay a page to show another site's content, and could possibly be used in phishing campaigns.

·          Cross-site scripting (XSS) using timed history navigations: A cross-site scripting vulnerability exists and can be exploited when an attacker uses timed history navigations to load an arbitrary website with that page's baseURI property pointing to another site instead of the seemingly loaded one.

·          Memory corruption while rendering grayscale PNG images: A memory-corruption vulnerability exists in the rendering of specially crafted grayscale PNG images. This issue occurs only if the gfx.color_management.enablev4 preference is enabled in about:config; by default, this preference is not enabled.

·          Out-of-bounds array read in CERT_DecodeCertPackage: An out-of-bounds read issue exists in the 'CERT_DecodeCertPackage' function of the Network Security Services (NSS) library which, if exploited, could result in memory corruption and a non-exploitable crash.

 


 

SYSTEMS AFFECTED:

·         Firefox versions prior to 20.0

·         Firefox Extended Support Release (ESR) versions prior to 17.0.5

·         Thunderbird versions prior to 17.0.5

·         Thunderbird Extended Support Release (ESR) versions prior to 17.0.5

·         SeaMonkey versions prior to 2.17
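
A fleet check against the affected-version list above, as an added example that is not part of the bulletin. The product keys (such as "firefox-esr"), the "host product version" record layout and the sample hosts are assumptions of this example; the inventory must record the channel, because ESR and release builds have different fixed versions.

```python
import re

# Fixed versions from the bulletin's affected list; product keys are this example's naming.
FIXED = {
    "firefox": (20, 0),
    "firefox-esr": (17, 0, 5),
    "thunderbird": (17, 0, 5),
    "thunderbird-esr": (17, 0, 5),
    "seamonkey": (2, 17),
}

def parse_version(text):
    """Return the leading dotted-numeric part as a tuple: '17.0.4esr' -> (17, 0, 4)."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group().split("."))

def is_affected(product, version):
    """True if version is older than the fixed release for product."""
    fixed = FIXED[product.lower()]
    have = parse_version(version)
    width = max(len(fixed), len(have))
    pad = lambda v: v + (0,) * (width - len(v))   # so "20" compares equal to "20.0"
    return pad(have) < pad(fixed)

def audit(lines):
    """Yield (host, product, version, status) for 'host product version' records."""
    for line in lines:
        host, product, version = line.split()
        try:
            status = "AFFECTED" if is_affected(product, version) else "ok"
        except (KeyError, ValueError):
            status = "UNKNOWN"   # unlisted product or bad version: review by hand
        yield host, product, version, status

# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE = """\
ws-001 firefox 19.0.2
ws-003 firefox-esr 17.0.4esr
ws-004 firefox-esr 17.0.5
ws-005 thunderbird 17.0.5
ws-006 seamonkey 2.16.2
ws-008 firefox nightly
""".splitlines()

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print("{:8} {:12} {:10} {}".format(*row))
```

Only the numeric part of a version string is compared, so pre-release builds that report a fixed version number should be reviewed separately.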

 

 

RISK:

 

Government:

Large and medium government entities: High

Small government entities: High

 

Businesses:

Large and medium business entities: High

Small business entities: High

 

Home users: High

 

RECOMMENDATIONS:

 

We recommend the following actions be taken:

 

·         Upgrade vulnerable Mozilla products immediately after appropriate testing.

·         Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.

·         Do not open email attachments or click on URLs from unknown or untrusted sources.

·         Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

 

 

 

REFERENCES:

 

Mozilla:

 

http://www.mozilla.org/security/announce/

http://www.mozilla.org/security/announce/2013/mfsa2013-30.html

http://www.mozilla.org/security/announce/2013/mfsa2013-31.html

http://www.mozilla.org/security/announce/2013/mfsa2013-32.html

http://www.mozilla.org/security/announce/2013/mfsa2013-33.html

http://www.mozilla.org/security/announce/2013/mfsa2013-34.html

http://www.mozilla.org/security/announce/2013/mfsa2013-35.html

http://www.mozilla.org/security/announce/2013/mfsa2013-36.html

http://www.mozilla.org/security/announce/2013/mfsa2013-37.html

http://www.mozilla.org/security/announce/2013/mfsa2013-38.html

http://www.mozilla.org/security/announce/2013/mfsa2013-39.html

http://www.mozilla.org/security/announce/2013/mfsa2013-40.html

 

CVE:

 

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0788

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0789

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0790

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0792

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0793

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0794

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0795

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0796

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0797

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0798

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0799

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0800

 

SecurityFocus:

 

http://www.securityfocus.com/bid/58818

 

Please feel free to contact the SC ISAC if you have any questions or need any additional information.

 

The SC ISAC will provide amplifying information as it becomes available.

 

SC-ISAC Contact Information

 

Email: SC-ISAC@cio.sc.gov

SC ISAC Security Line: 803-896-1650

24-hour hotline: +1 803-896-0001  Option 2

Fax: +1 803-896-0375

 

Postal address:

 

SC-ISAC

DSIT Budget and Control Board

4430 Broad River Road

Columbia S.C. 29210

SC-ISAC is available via hotline 08:00-17:00 EST (GMT-5)/ EDT (GMT-4)

Monday through Friday

 

 

 

Using Encryption

 

We strongly urge you to encrypt sensitive information sent by email. Our

public PGP key is available from:

 

https://sc-isac.sc.gov/public.key

 

NO WARRANTY

 

Any material furnished by SC-ISAC is furnished on an "as is" basis.

 

SC-ISAC makes no warranties of any kind, either expressed or implied as to

any matter including, but not limited to, warranty of fitness for a particular

purpose or merchantability, exclusivity or results obtained from use of the

material. SC-ISAC does not make any warranty of any kind with respect to

freedom from patent, trademark, or copyright infringement.

 
