
====================================================================

                                CERT-Renater

                      Information Note No. 2012/VULN125
____________________________________________________________________

DATE                : 14/03/2012

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running
                     Firefox versions prior to 11.0, ESR 10.0.3 or 3.6.28,
                     Thunderbird versions prior to 11.0, ESR 10.0.3 or 3.1.20,
                     SeaMonkey versions prior to 2.8.
                     Mozilla Foundation Security Advisories 2012-12 to 2012-19.
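
To turn the version list above into a fleet check, the following is an added example; it is not part of the CERT-Renater bulletin and not Mozilla code. It compares an installed Firefox or Thunderbird version string against the fixed releases named in this bulletin. The branch mapping (3.x builds measured against 3.6.28 / 3.1.20, 10.x builds against ESR 10.0.3, everything else against 11.0), the treatment of pre-release suffixes, the function names and the sample inventory are all assumptions made for the example.

```javascript
// Added example for this bulletin (not CERT-Renater's or Mozilla's code): flag
// Firefox/Thunderbird builds older than the releases listed as fixed.
// Branch mapping is an assumption of the example: 3.x is measured against the
// legacy fix, 10.x against the ESR fix, everything else against the release fix.

const FIXED_IN = {
  firefox:     { legacy: "3.6.28", esr: "10.0.3", release: "11.0" },
  thunderbird: { legacy: "3.1.20", esr: "10.0.3", release: "11.0" },
};

// "10.0.3", "3.6.28pre" or "11.0b3" -> [10,0,3], [3,6,28], [11,0].
// Pre-release suffixes are dropped, so a beta compares as its final release;
// track pre-release channels separately if that matters for your inventory.
function parseVersion(s) {
  const m = /^(\d+(?:\.\d+)*)/.exec(String(s).trim());
  if (!m) throw new Error(`unparseable version: ${s}`);
  return m[1].split(".").map(Number);
}

// Component-wise numeric comparison; missing trailing components count as 0,
// so "10.0" and "10.0.0" are equal. Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] ?? 0, y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Pick the fixed release for the build's branch and compare against it.
// Builds older than the 3.x branch are out of support and reported as affected.
function isAffected(product, version) {
  const fixed = FIXED_IN[product];
  if (!fixed) throw new Error(`unknown product: ${product}`);
  const major = parseVersion(version)[0];
  let fixedIn;
  if (major === 10) fixedIn = fixed.esr;
  else if (major === 3) fixedIn = fixed.legacy;
  else if (major < 3) return { affected: true, fixedIn: fixed.legacy };
  else fixedIn = fixed.release;
  return { affected: compareVersions(version, fixedIn) < 0, fixedIn };
}

// Constructed inventory (not real hosts) to show the output shape.
const INVENTORY = [
  { host: "ws-01", product: "firefox",     version: "10.0.2" },
  { host: "ws-02", product: "firefox",     version: "3.6.28" },
  { host: "ws-03", product: "firefox",     version: "9.0.1"  },
  { host: "ws-04", product: "thunderbird", version: "3.1.19" },
  { host: "ws-05", product: "thunderbird", version: "11.0"   },
];

function report(inventory) {
  return inventory.map(e => ({ ...e, ...isAffected(e.product, e.version) }));
}

for (const r of report(INVENTORY)) {
  console.log(`${r.host}: ${r.product} ${r.version} -> ` +
              (r.affected ? `AFFECTED, update to ${r.fixedIn}` : "ok"));
}
```

The branch split matters: a plain "is it below 11.0" test would wrongly flag every ESR 10.0.3 and 3.6.28 install, which are exactly the builds this bulletin says are fixed.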

======================================================================
http://www.mozilla.org/security/announce/2012/mfsa2012-12.html
http://www.mozilla.org/security/announce/2012/mfsa2012-13.html
http://www.mozilla.org/security/announce/2012/mfsa2012-14.html
http://www.mozilla.org/security/announce/2012/mfsa2012-15.html
http://www.mozilla.org/security/announce/2012/mfsa2012-16.html
http://www.mozilla.org/security/announce/2012/mfsa2012-17.html
http://www.mozilla.org/security/announce/2012/mfsa2012-18.html
http://www.mozilla.org/security/announce/2012/mfsa2012-19.html
______________________________________________________________________

Mozilla Foundation Security Advisory 2012-12

Title: Use-after-free in shlwapi.dll
Impact: Critical
Announced: March 13, 2012
Reporter: Blair Strang, Scott Bell
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 11.0
  Firefox ESR 10.0.3
  Thunderbird 11.0
  Thunderbird ESR 10.0.3
  SeaMonkey 2.8

Description

Security researchers Blair Strang and Scott Bell of Security Assessment
found that when a parent window spawns and closes a child window that uses
the file open dialog, a crash can be induced in shlwapi.dll on 32-bit
Windows 7 systems. This crash may be potentially exploitable.

Firefox 3.6 and Thunderbird 3.1 are not affected by this vulnerability.

References

    * Exploitable "use after free" @ SHLWAPI!IUnknown_QueryService 0x3b
    * CVE-2012-0454

______________________________________________________________________

Mozilla Foundation Security Advisory 2012-13

Title: XSS with Drag and Drop and Javascript: URL
Impact: Moderate
Announced: March 13, 2012
Reporter: Soroush Dalili
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 11.0
  Firefox ESR 10.0.3
  Firefox 3.6.28
  Thunderbird 11.0
  Thunderbird ESR 10.0.3
  Thunderbird 3.1.20
  SeaMonkey 2.8


Description

Firefox prevents javascript: links from being dropped onto a frame, so that
a malicious site cannot trick users into performing a cross-site scripting
(XSS) attack on themselves. Security researcher Soroush Dalili reported a
way to bypass this protection.


References

    * "DragAndDropJacking" (?) + javAscript: URL = XSS
    * CVE-2012-0455

______________________________________________________________________

Mozilla Foundation Security Advisory 2012-14

Title: SVG issues found with Address Sanitizer
Impact: Critical
Announced: March 13, 2012
Reporter: Atte Kettunen
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 11.0
  Firefox ESR 10.0.3
  Firefox 3.6.28
  Thunderbird 11.0
  Thunderbird ESR 10.0.3
  Thunderbird 3.1.20
  SeaMonkey 2.8


Description

Security researcher Atte Kettunen from OUSPG found two issues with
Firefox's handling of SVG using the Address Sanitizer tool. The first
issue, critically rated, is a use-after-free in SVG animation that could
potentially lead to arbitrary code execution. The second issue is rated
moderate and is an out of bounds read in SVG Filters. This could
potentially incorporate data from the user's memory, making it accessible
to the page content.


References

    * ASAN: heap-use-after-free READ of size 8 at
nsSMILTimeValueSpec::ConvertBetweenTimeContainers
    * CVE-2012-0457

    * SVGFilter out of bounds read (Address Sanitizer)
    * CVE-2012-0456

______________________________________________________________________

Mozilla Foundation Security Advisory 2012-15

Title: XSS with multiple Content Security Policy headers
Impact: Moderate
Announced: March 13, 2012
Reporter: Mike Brooks
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 11.0
  Firefox ESR 10.0.3
  Thunderbird 11.0
  Thunderbird ESR 10.0.3
  SeaMonkey 2.8


Description

Security researcher Mike Brooks of Sitewatch reported that if multiple
Content Security Policy (CSP) headers are present on a page, their effect on
the page policy is additive: a more permissive policy widens what the
legitimate one allows instead of narrowing it. Using carriage return line
feed (CRLF) injection, an attacker can therefore introduce an additional CSP
header that permits cross-site scripting (XSS) on sites that have a separate
header injection vulnerability.

Firefox 3.6 and Thunderbird 3.1 are not affected by this vulnerability.

References

    * Bad intersection of injected HTTP headers leads to Content Security
Policy (CSP) Bypass
    * CVE-2012-0451
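
The combination bug is easier to see in code. The following is an added example, not Firefox's CSP implementation and not taken from the advisory: a toy policy evaluator run over a response head produced by a redirect handler with a header injection flaw. It uses the unprefixed Content-Security-Policy header and script-src directive syntax rather than the prefixed X-Content-Security-Policy header Firefox used at the time; the origins, the injected redirect value and the function names are constructed for the example; and "additive" is modelled as "allowed by any delivered policy" against the specified "allowed by every delivered policy".

```javascript
// Added example, not Firefox's CSP implementation: a toy model of what the
// advisory calls the "additive" combination of several CSP headers, driven
// by a response head from a redirect handler with a CRLF injection flaw.
// Syntax is the unprefixed Content-Security-Policy / script-src form, not the
// X-Content-Security-Policy form Firefox 11 used; the logic is what matters.

// Vulnerable: the Location value is serialised unchecked, so a value
// containing "\r\n" starts a new header line.
function buildHeadersVulnerable(redirectTarget) {
  return "HTTP/1.1 302 Found\r\n" +
         "Content-Security-Policy: script-src 'self'\r\n" +
         "Location: " + redirectTarget + "\r\n\r\n";
}

// Hardened: refuse CR/LF in any header value before serialising.
function buildHeadersHardened(redirectTarget) {
  if (/[\r\n]/.test(redirectTarget)) throw new Error("CR/LF in header value");
  return buildHeadersVulnerable(redirectTarget);
}

// Every Content-Security-Policy header in a raw response head, in order.
function parseCspHeaders(rawHead) {
  return rawHead.split("\r\n")
    .filter(line => /^content-security-policy:/i.test(line))
    .map(line => line.slice(line.indexOf(":") + 1).trim());
}

// Source list of one directive, or null if the policy has no such directive.
function directive(policy, name) {
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/);
    if (tokens[0] === name) return new Set(tokens.slice(1));
  }
  return null;
}

// Does a single policy allow a script from `origin`? script-src falls back to
// default-src; with neither present the policy does not restrict scripts.
function allows(policy, origin, pageOrigin) {
  const srcs = directive(policy, "script-src") ?? directive(policy, "default-src");
  if (!srcs) return true;
  return srcs.has("*") || srcs.has(origin) ||
         (srcs.has("'self'") && origin === pageOrigin);
}

// Pre-fix behaviour described in MFSA 2012-15: any policy that permits the
// load is enough, so an injected permissive header widens the real one.
function additiveAllows(policies, origin, pageOrigin) {
  return policies.some(p => allows(p, origin, pageOrigin));
}

// Specified behaviour: every delivered policy must permit the load.
function intersectionAllows(policies, origin, pageOrigin) {
  return policies.every(p => allows(p, origin, pageOrigin));
}

// Constructed scenario: the site's own policy is script-src 'self'; the
// attacker smuggles a second header through the redirect parameter.
const PAGE_ORIGIN = "https://example.invalid";
const ATTACKER_ORIGIN = "https://attacker.invalid";
const INJECTED_TARGET = "https://example.invalid/\r\nContent-Security-Policy: script-src *";

function demo() {
  const policies = parseCspHeaders(buildHeadersVulnerable(INJECTED_TARGET));
  return {
    policies,
    additive: additiveAllows(policies, ATTACKER_ORIGIN, PAGE_ORIGIN),
    intersection: intersectionAllows(policies, ATTACKER_ORIGIN, PAGE_ORIGIN),
  };
}

console.log(demo());
```

With the injected second header present, the additive model lets the attacker's script through while the per-policy model still blocks it; the hardened header writer rejects the injected value before either question arises, which is the fix on the site's side regardless of what the browser does.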

______________________________________________________________________

Mozilla Foundation Security Advisory 2012-16

Title: Escalation of privilege with Javascript: URL as home page
Impact: Critical
Announced: March 13, 2012
Reporter: Mariusz Mlynski
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 11.0
  Firefox ESR 10.0.3
  Firefox 3.6.28
  Thunderbird 11.0
  Thunderbird ESR 10.0.3
  Thunderbird 3.1.20
  SeaMonkey 2.8


Description

Security researcher Mariusz Mlynski reported that an attacker who can
convince a potential victim to set a new home page by dragging a link to
the "home" button can set that user's home page to a javascript: URL. Once
this is done, the attacker's page can cause repeated crashes of the browser,
eventually getting the script URL loaded in the privileged
about:sessionrestore context.


References

    * loads of principal-inheriting URIs (e.g. javascript:) on
chrome-privileged pages (e.g. about:sessionstore) allows unexpected
privilege escalation
    * prevent self-XSS in homepage icon (disallow javascript: drops)
    * disallow inheriting of system principal in type=content docshells
    * CVE-2012-0458

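
MFSA 2012-13 and MFSA 2012-16 both come down to a drop target accepting a javascript: URL it should have refused, and one of the fix titles above speaks of disallowing javascript: drops. The following is an added example, not Mozilla's code and not a reconstruction of either reported bypass (the bulletin does not describe them): a naive prefix test beside a scheme check that normalises the input through the WHATWG URL parser and allow-lists http and https. The allow-list, the function names and the constructed drop strings, including the mixed-case spelling echoed in the "javAscript:" reference title, are assumptions of the example.

```javascript
// Added example (not Mozilla's code): how a drop target should decide whether
// a dragged URL may be loaded. The naive check shows the pitfall; the hardened
// one normalises through the WHATWG URL parser and allow-lists schemes.
// The allow-list and the sample drop strings are assumptions of the example.

const SAFE_SCHEMES = new Set(["http:", "https:"]);

// Naive: case-sensitive prefix test on the raw string. Misses "javAscript:",
// leading whitespace and embedded tab/newline characters.
function naiveIsScriptUrl(raw) {
  return raw.startsWith("javascript:");
}

// Hardened: the URL parser lowercases the scheme, strips leading/trailing
// C0 controls and spaces and removes embedded tabs/newlines, so the
// normalised `protocol` is what gets compared. Unparseable input is refused.
function isSafeDropUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return false;
  }
  return SAFE_SCHEMES.has(url.protocol);
}

// Constructed drop payloads: one legitimate link, then spellings that slip
// past the naive test, then other schemes a content drop must not load.
const DROPS = [
  "https://example.invalid/page",
  "javascript:alert(document.domain)",
  "javAscript:alert(document.domain)",
  "  javascript:alert(1)",
  "java\tscript:alert(1)",
  "data:text/html,<script>alert(1)</script>",
  "about:sessionrestore",
  "not a url at all",
];

function classify(raw) {
  return {
    raw,
    naiveFlagged: naiveIsScriptUrl(raw),
    hardenedAllows: isSafeDropUrl(raw),
  };
}

for (const d of DROPS.map(classify)) console.log(d);
```

The point of the allow-list over a deny-list is visible in the last two payloads: a check that only knows about javascript: would still let data: and about: URLs through, and MFSA 2012-16 shows why a privileged about: page reached through a content drop is a problem in its own right.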
______________________________________________________________________

Mozilla Foundation Security Advisory 2012-17

Title: Crash when accessing keyframe cssText after dynamic modification
Impact: Critical
Announced: March 13, 2012
Reporter: Daniel Glazman
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 11.0
  Firefox ESR 10.0.3
  Thunderbird 11.0
  Thunderbird ESR 10.0.3
  SeaMonkey 2.8


Description

Mozilla community member Daniel Glazman of Disruptive Innovations
reported a crash when accessing a keyframe's cssText after dynamic
modification. This crash may be potentially exploitable.

Firefox 3.6 and Thunderbird 3.1 are not affected by this vulnerability.


References

    * Access to a keyframe's cssText after dynamic modification always
crashes Gecko
    * CVE-2012-0459

______________________________________________________________________

Mozilla Foundation Security Advisory 2012-18

Title: window.fullScreen writeable by untrusted content
Impact: Moderate
Announced: March 13, 2012
Reporter: Matt Brubeck
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 11.0
  Firefox ESR 10.0.3
  Thunderbird 11.0
  Thunderbird ESR 10.0.3
  SeaMonkey 2.8


Description

Mozilla developer Matt Brubeck reported that window.fullScreen is
writeable by untrusted content now that the DOM fullscreen API is
enabled. Because window.fullScreen does not include mozRequestFullscreen's
security protections, it could be used for UI spoofing. This code
change makes window.fullScreen read only by untrusted content, forcing
the use of the DOM fullscreen API in normal usage.

Firefox 3.6 and Thunderbird 3.1 are not affected by this vulnerability.


References

    * window.fullScreen can be set by untrusted content but does not
check for permission or show escape UI
    * CVE-2012-0460

______________________________________________________________________

Mozilla Foundation Security Advisory 2012-19

Title: Miscellaneous memory safety hazards (rv:11.0 / rv:10.0.3 / rv:1.9.2.28)
Impact: Critical
Announced: March 13, 2012
Reporter: Mozilla developers and community
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 11.0
  Firefox ESR 10.0.3
  Firefox 3.6.28
  Thunderbird 11.0
  Thunderbird ESR 10.0.3
  Thunderbird 3.1.20
  SeaMonkey 2.8


Description

Mozilla developers identified and fixed several memory safety bugs
in the browser engine used in Firefox and other Mozilla-based products.
Some of these bugs showed evidence of memory corruption under certain
circumstances, and we presume that with enough effort at least some of
these could be exploited to run arbitrary code.

In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled,
but are potentially a risk in browser or browser-like contexts in
those products.

References

Bob Clary reported two bugs that cause crashes affecting Firefox 3.6,
Firefox ESR, and Firefox 10.

    * Memory safety bugs fixed in Firefox 11, Firefox ESR 10.0.3,
and Firefox 3.6
    * CVE-2012-0461

Christian Holler, Jesse Ruderman, Nils, Michael Bebenita, Dindog,
and David Anderson reported memory safety problems and crashes that
affect Firefox ESR and Firefox 10.

    * Memory safety bugs fixed in Firefox 11 and Firefox ESR 10.0.3
    * CVE-2012-0462

Jeff Walden reported a memory safety problem in the array.join function.
This bug was independently reported by Vincenzo Iozzo via TippingPoint's
Zero Day Initiative Pwn2Own contest.

    * array.join("") is GC-hazardous
    * CVE-2012-0464

Masayuki Nakano reported a memory safety problem that affected Mobile
Firefox 10.

    * nsWindow for Android doesn't check whether the instance is
destroyed or not after dispatching an event
    * CVE-2012-0463

======================================================================

=========================================================
CERT-Renater reference servers
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================
