
====================================================================

                             CERT-Renater

                  Information Note No. 2012/VULN283
____________________________________________________________________

DATE                :  18/07/2012

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running
                      Firefox versions prior to 14, ESR 10.0.6,
                      Thunderbird versions prior to 14, ESR 10.0.6,
                      SeaMonkey versions prior to 2.11.

======================================================================
http://www.mozilla.org/security/announce/2012/mfsa2012-42.html
http://www.mozilla.org/security/announce/2012/mfsa2012-43.html
http://www.mozilla.org/security/announce/2012/mfsa2012-44.html
http://www.mozilla.org/security/announce/2012/mfsa2012-45.html
http://www.mozilla.org/security/announce/2012/mfsa2012-46.html
http://www.mozilla.org/security/announce/2012/mfsa2012-47.html
http://www.mozilla.org/security/announce/2012/mfsa2012-48.html
http://www.mozilla.org/security/announce/2012/mfsa2012-49.html
http://www.mozilla.org/security/announce/2012/mfsa2012-50.html
http://www.mozilla.org/security/announce/2012/mfsa2012-51.html
http://www.mozilla.org/security/announce/2012/mfsa2012-52.html
http://www.mozilla.org/security/announce/2012/mfsa2012-53.html
http://www.mozilla.org/security/announce/2012/mfsa2012-54.html
http://www.mozilla.org/security/announce/2012/mfsa2012-55.html
http://www.mozilla.org/security/announce/2012/mfsa2012-56.html
______________________________________________________________________

Mozilla Foundation Security Advisory 2012-42

Title: Miscellaneous memory safety hazards (rv:14.0/ rv:10.0.6)

Impact: Critical
Announced: July 17, 2012
Reporter: Mozilla Developers
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 14
          Firefox ESR 10.0.6
          Thunderbird 14
          Thunderbird ESR 10.0.6
          SeaMonkey 2.11

Description

Mozilla developers identified and fixed several memory safety bugs in
the browser engine used in Firefox and other Mozilla-based products.
Some of these bugs showed evidence of memory corruption under certain
circumstances, and we presume that with enough effort at least some of
these could be exploited to run arbitrary code.

In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but
are potentially a risk in browser or browser-like contexts in those
products.

References

Brian Smith, Gary Kwong, Christian Holler, Jesse Ruderman, Christoph
Diehl, Chris Jones, Brad Lassey, and Kyle Huey reported memory safety
problems and crashes that affect Firefox 13.

    Memory safety bugs fixed in Firefox 14
    CVE-2012-1949

Benoit Jacob, Jesse Ruderman, Christian Holler, and Bill McCloskey
reported memory safety problems and crashes that affect Firefox ESR 10
and Firefox 13.

    Memory safety bugs fixed in Firefox ESR 10.0.6 and Firefox 14
    CVE-2012-1948
_____________________________________________________________________

Mozilla Foundation Security Advisory 2012-43

Title: Incorrect URL displayed in addressbar through drag and drop

Impact: Moderate
Announced: July 17, 2012
Reporter: Mario Gomes, Code Audit Labs
Products: Firefox

Fixed in: Firefox 14
          Firefox ESR 10.0.6

Description

Security researcher Mario Gomes and research firm Code Audit Labs
reported a mechanism to short-circuit page loads through drag and drop
to the addressbar by canceling the page load. This causes the address
of the previously entered site to be displayed in the addressbar
instead of the currently loaded page. This could lead to potential
phishing attacks on users.


References

    Reported spoof issues
    CVE-2012-1950
______________________________________________________________________

Mozilla Foundation Security Advisory 2012-44

Title: Gecko memory corruption

Impact: Critical
Announced: July 17, 2012
Reporter: Abhishek Arya
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 14
          Firefox ESR 10.0.6
          Thunderbird 14
          Thunderbird ESR 10.0.6
          SeaMonkey 2.11

Description

Google security researcher Abhishek Arya used the Address Sanitizer
tool to uncover four issues: two use-after-free problems, one out of
bounds read bug, and a bad cast. The first use-after-free problem is
caused when an array of nsSMILTimeValueSpec objects is destroyed but
attempts are made to call into objects in this array later. The second
use-after-free problem is in nsDocument::AdoptNode when it adopts into
an empty document and then adopts into another document, emptying the
first one. The heap buffer overflow is in ElementAnimations when data
is read off the end of an array and then pointers are dereferenced. The
bad cast happens when nsTableFrame::InsertFrames is called with frames
in aFrameList that are a mix of row group frames and column group
frames. AppendFrames is not able to handle this mix.

All four of these issues are potentially exploitable.

References

    Heap-use-after-free in nsSMILTimeValueSpec::IsEventBased
    CVE-2012-1951

    Heap-use-after-free in nsDocument::AdoptNode
    CVE-2012-1954

    Out of bounds read in ElementAnimations::EnsureStyleRuleFor
    CVE-2012-1953

    Bad cast in nsTableFrame::InsertFrames
    CVE-2012-1952
______________________________________________________________________

Mozilla Foundation Security Advisory 2012-45

Title: Spoofing issue with location

Impact: High
Announced: July 17, 2012
Reporter: Mariusz Mlynski
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 14
          Firefox ESR 10.0.6
          Thunderbird 14
          Thunderbird ESR 10.0.6
          SeaMonkey 2.11

Description

Security researcher Mariusz Mlynski reported an issue with spoofing of
the location property. In this issue, calls to history.forward and
history.back are used to navigate to a site while displaying the
previous site in the addressbar but changing the baseURI to the newer
site. This can be used for phishing by allowing the user to input form
or other data on the newer, attacking, site while appearing to be on
the older, displayed site.


References

    History navigation error with late location.hash changes
    CVE-2012-1955

______________________________________________________________________

Mozilla Foundation Security Advisory 2012-46

Title: XSS through data: URLs

Impact: High
Announced: July 17, 2012
Reporter: moz_bug_r_a4
Products: Firefox

Fixed in: Firefox 14
          Firefox ESR 10.0.6

Description

Mozilla security researcher moz_bug_r_a4 reported a cross-site
scripting (XSS) attack through the context menu using a data: URL. In
this issue, context menu functionality ("View Image", "Show only this
frame", and "View background image") is disallowed in a javascript:
URL but allowed in a data: URL, allowing for XSS. This can lead to
arbitrary code execution.


References

    XSS with context menu
    CVE-2012-1966
______________________________________________________________________

Mozilla Foundation Security Advisory 2012-47

Title: Improper filtering of javascript in HTML feed-view

Impact: High
Announced: July 17, 2012
Reporter: Mario Heiderich
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 14
          Firefox ESR 10.0.6
          Thunderbird 14
          Thunderbird ESR 10.0.6
          SeaMonkey 2.11

Description

Security researcher Mario Heiderich reported that javascript could be
executed in the HTML feed-view using an <embed> tag within the RSS
<description>. This problem is due to <embed> tags not being filtered
out during parsing and can lead to a potential cross-site scripting
(XSS) attack. The flaw existed in a parser utility class and could
affect other parts of the browser or add-ons which rely on that class
to sanitize untrusted input.


References

    JavaScript execution via special HTML in RSS view; XSS when pasting
malicious content into contenteditable
    CVE-2012-1957
______________________________________________________________________

Mozilla Foundation Security Advisory 2012-48

Title: use-after-free in nsGlobalWindow::PageHidden

Impact: Moderate
Announced: July 17, 2012
Reporter: Arthur Gerkis
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 14
          Firefox ESR 10.0.6
          Thunderbird 14
          Thunderbird ESR 10.0.6
          SeaMonkey 2.11

Description

Security researcher Arthur Gerkis used the Address Sanitizer tool to
find a use-after-free in nsGlobalWindow::PageHidden when
mFocusedContent is released and oldFocusedContent is used afterwards.
This use-after-free could possibly allow for remote code execution.


References

    Use-after-free in nsGlobalWindow::PageHidden
    CVE-2012-1958
______________________________________________________________________

Mozilla Foundation Security Advisory 2012-49

Title: Same-compartment Security Wrappers can be bypassed

Impact: Critical
Announced: July 17, 2012
Reporter: Bobby Holley
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 14
          Firefox ESR 10.0.6
          Thunderbird 14
          Thunderbird ESR 10.0.6
          SeaMonkey 2.11

Description

Mozilla developer Bobby Holley found that same-compartment security
wrappers (SCSW) can be bypassed by passing them to another compartment.
Cross-compartment wrappers often do not go through SCSW, but have a
filtering policy built into them. When an object is wrapped
cross-compartment, the SCSW is stripped off and, when the object is read
back, it is not known that SCSW was previously present, resulting in a
bypassing of SCSW. This could result in untrusted content having access
to the XBL that implements browser functionality.


References

    Same-compartment security wrappers can be bypassed by passing them
to another compartment
    CVE-2012-1959
______________________________________________________________________

Mozilla Foundation Security Advisory 2012-50

Title: Out of bounds read in QCMS

Impact: Moderate
Announced: July 17, 2012
Reporter: Tony Payne
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 14
          Thunderbird 14
          SeaMonkey 2.11

Description

Google developer Tony Payne reported an out of bounds (OOB) read in
QCMS, Mozilla’s color management library. With a carefully crafted
color profile portions of a user's memory could be incorporated into
a transformed image and possibly deciphered.


References

    Out of bounds read in qcms_transform_data_rgb_out_lut_sse2
    CVE-2012-1960

__________________________________________________________________

Mozilla Foundation Security Advisory 2012-51

Title: X-Frame-Options header ignored when duplicated

Impact: Moderate
Announced: July 17, 2012
Reporter: Frédéric Buclin
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 14
          Firefox ESR 10.0.6
          Thunderbird 14
          Thunderbird ESR 10.0.6
          SeaMonkey 2.11

Description

Bugzilla developer Frédéric Buclin reported that the X-Frame-Options
header is ignored when the value is duplicated, for example
X-Frame-Options: SAMEORIGIN, SAMEORIGIN. This duplication occurs for
unknown reasons on some websites and, when it occurs, results in Mozilla
browsers not being protected against possible clickjacking attacks on
those pages.
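Site owners can find the duplicated form before relying on the header. The following is an added example, not Mozilla's or CERT-Renater's code: it reads the X-Frame-Options line(s) out of a raw HTTP response head and classifies them, flagging the "SAMEORIGIN, SAMEORIGIN" pattern that the affected browsers ignored. The sample response is constructed.

```python
"""Flag X-Frame-Options headers that the affected browsers ignored (MFSA 2012-51)."""
from typing import List, Tuple

VALID = {"DENY", "SAMEORIGIN"}

def parse_xfo(header_values: List[str]) -> Tuple[str, List[str]]:
    """Classify the X-Frame-Options header line(s) of one response.

    A response may carry the header more than once, and a single line may hold
    a comma list; both collapse to one token list. Verdicts:
      "missing"     no header at all
      "ok"          exactly one recognised directive
      "duplicated"  the same directive repeated, e.g. "SAMEORIGIN, SAMEORIGIN";
                    affected Firefox/Thunderbird/SeaMonkey ignored the header
      "conflicting" different directives; browser behaviour cannot be relied on
      "invalid"     an unrecognised token
    """
    tokens = [t.strip().upper() for line in header_values
              for t in line.split(",") if t.strip()]
    if not tokens:
        return "missing", tokens
    if any(t not in VALID and not t.startswith("ALLOW-FROM ") for t in tokens):
        return "invalid", tokens
    if len(set(tokens)) > 1:
        return "conflicting", tokens
    if len(tokens) > 1:
        return "duplicated", tokens
    return "ok", tokens

def xfo_headers_from_response(raw_response: str) -> List[str]:
    """Collect every X-Frame-Options value from a raw HTTP response head."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-frame-options":
            values.append(value.strip())
    return values

# Constructed sample: a reverse proxy and the application both set the header,
# the kind of duplication the advisory describes as seen on some sites.
SAMPLE_RESPONSE = ("HTTP/1.1 200 OK\r\n"
                   "Content-Type: text/html\r\n"
                   "X-Frame-Options: SAMEORIGIN, SAMEORIGIN\r\n"
                   "\r\n<html></html>")

if __name__ == "__main__":
    verdict, tokens = parse_xfo(xfo_headers_from_response(SAMPLE_RESPONSE))
    print(verdict, tokens)   # duplicated ['SAMEORIGIN', 'SAMEORIGIN']
```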


References

    Firefox ignores X-Frame-Options when set to SAMEORIGIN, SAMEORIGIN
(duplicated header)
    CVE-2012-1961
______________________________________________________________________

Mozilla Foundation Security Advisory 2012-52

Title: JSDependentString::undepend string conversion results in memory
corruption

Impact: Critical
Announced: July 17, 2012
Reporter: Bill Keese
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 14
          Firefox ESR 10.0.6
          Thunderbird 14
          Thunderbird ESR 10.0.6
          SeaMonkey 2.11

Description

Security researcher Bill Keese reported a memory corruption. This is
caused by JSDependentString::undepend changing a dependent string into
a fixed string when there are additional dependent strings relying on
the same base. When the undepend occurs during conversion, the base
data is freed, leaving other dependent strings with dangling pointers.
This can lead to a potentially exploitable crash.


References

    memory corruption of strings
    CVE-2012-1962

______________________________________________________________________

Mozilla Foundation Security Advisory 2012-53

Title: Content Security Policy 1.0 implementation errors cause data
leakage

Impact: High
Announced: July 17, 2012
Reporter: Karthikeyan Bhargavan
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 14
          Firefox ESR 10.0.6
          Thunderbird 14
          Thunderbird ESR 10.0.6
          SeaMonkey 2.11

Description

Security researcher Karthikeyan Bhargavan of Prosecco at INRIA reported
Content Security Policy (CSP) 1.0 implementation errors. CSP violation
reports generated by Firefox and sent to the "report-uri" location
include sensitive data within the "blocked-uri" parameter. These
include fragment components and query strings even if the "blocked-uri"
parameter has a different origin than the protected resource. This can
be used to retrieve a user's OAuth 2.0 access tokens and OpenID
credentials by malicious sites.
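The stripping that a conforming CSP implementation applies to "blocked-uri" before the report leaves the browser, written out as an added example (not Mozilla's or CERT-Renater's code) so the leak is concrete: a cross-origin blocked URI is reduced to its origin, and a same-origin one loses its query string and fragment (the same-origin rule is taken from the CSP 1.0 specification and assumed here). The sample report and the app.example / idp.example hostnames are constructed.

```python
"""Strip a CSP violation report's blocked-uri the way CSP 1.0 requires (MFSA 2012-53)."""
import json
from urllib.parse import urlsplit, urlunsplit

def origin_of(url: str) -> str:
    """scheme://host[:port] of an absolute URL, or "" for anything else."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, "", "", "")) if p.scheme and p.netloc else ""

def strip_blocked_uri(blocked_uri: str, document_uri: str) -> str:
    """Return the blocked-uri value that is safe to put in a report.

    Query strings and fragments are where OAuth 2.0 access tokens and OpenID
    assertions travel, so they must never survive into the report.
    """
    p = urlsplit(blocked_uri)
    if not (p.scheme and p.netloc):              # "inline", "self", data: etc.
        return blocked_uri.split("?", 1)[0].split("#", 1)[0]
    if origin_of(blocked_uri) != origin_of(document_uri):
        return origin_of(blocked_uri)            # cross-origin: origin only
    return urlunsplit((p.scheme, p.netloc, p.path, "", ""))  # same-origin: keep path

def sanitize_report(report_json: str) -> dict:
    """Apply the stripping to one {"csp-report": {...}} body and return it."""
    body = json.loads(report_json)
    rep = body["csp-report"]
    rep["blocked-uri"] = strip_blocked_uri(rep.get("blocked-uri", ""),
                                           rep.get("document-uri", ""))
    return body

# Constructed report: the protected page tried to navigate a frame to an identity
# provider callback carrying a code in the query and a token in the fragment.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://app.example/login",
    "violated-directive": "frame-src 'self'",
    "blocked-uri": "https://idp.example/cb?code=SECRET#access_token=TOKEN"}})

if __name__ == "__main__":
    print(sanitize_report(SAMPLE_REPORT)["csp-report"]["blocked-uri"])  # https://idp.example
```

Sanitizing at a report-uri endpoint only protects your own logs; in the attack the advisory describes the report goes to a site the attacker controls, so the stripping has to happen in the browser.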


References

    Content Security Policy: violation reports leak OAuth 2.0 and
OpenID credentials
    CVE-2012-1963
______________________________________________________________________

Mozilla Foundation Security Advisory 2012-54

Title: Clickjacking of certificate warning page

Impact: Moderate
Announced: July 17, 2012
Reporter: Matt McCutchen
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 13
          Firefox ESR 10.0.6
          Thunderbird 13
          Thunderbird ESR 10.0.6
          SeaMonkey 2.10

Description

Security researcher Matt McCutchen reported a clickjacking attack
using the certificate warning page. A man-in-the-middle (MITM) attacker
can use an iframe to display its own certificate error warning page
(about:certerror) with the "Add Exception" button of a real warning
page from a malicious site. This can mislead users into adding a
certificate exception for a different site than the perceived one. This
can lead to compromised communications with the user-perceived site
through the MITM attack once the certificate exception has been added.


References

    Mitigate clickjacking of about:certerror
    CVE-2012-1964
______________________________________________________________________

Mozilla Foundation Security Advisory 2012-55

Title: feed: URLs with an innerURI inherit security context of page

Impact: Moderate
Announced: July 17, 2012
Reporter: Mario Gomes, Soroush Dalili
Products: Firefox

Fixed in: Firefox 14
          Firefox ESR 10.0.6

Description

Security researchers Mario Gomes and Soroush Dalili reported that since
Mozilla allows the pseudo-protocol feed: to prefix any valid URL, it is
possible to construct feed:javascript: URLs that will execute scripts
in some contexts. On some sites it may be possible to use this to evade
output filtering that would otherwise strip javascript: URLs and thus
contribute to cross-site scripting (XSS) problems on these sites.
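Output filters that only reject targets beginning with "javascript:" are exactly what a feed:javascript: URL slips past. As an added example (not Mozilla's or CERT-Renater's code), the check below peels wrapper prefixes off a link target (the advisory's feed: case, plus view-source: and jar:, which are assumed here to nest an inner URL the same way) and then allows only http and https; the naive prefix check is kept beside it for comparison, and the probe URL is constructed.

```python
"""Scheme allowlist that survives the feed:javascript: wrapping of MFSA 2012-55."""
import re

# Schemes that merely prefix another URL; the inner URL decides what runs.
# feed: is the advisory's case; view-source: and jar: are assumed to behave alike.
WRAPPER_SCHEMES = {"feed", "view-source", "jar"}
ALLOWED_SCHEMES = {"http", "https"}
_SCHEME_RE = re.compile(r"^\s*([a-zA-Z][a-zA-Z0-9+.-]*):")

def innermost_scheme(url: str) -> str:
    """Peel wrapper schemes off the front of url; return the inner scheme, lowercased."""
    for _ in range(8):                           # bounded: feed:feed:feed:... stops here
        m = _SCHEME_RE.match(url)
        if not m:
            return ""                            # no scheme at all: a relative URL
        scheme = m.group(1).lower()
        if scheme not in WRAPPER_SCHEMES:
            return scheme
        url = url[m.end():]                      # drop "feed:" and look again
    return "unresolved"                          # too deeply nested: treat as unsafe

def is_safe_href(url: str) -> bool:
    """True only for relative, http or https targets after unwrapping."""
    # Browsers drop ASCII tab/newline inside URLs, so remove them first or
    # "java\tscript:" would not match the scheme regex and be waved through.
    url = url.replace("\t", "").replace("\n", "").replace("\r", "")
    scheme = innermost_scheme(url)
    return scheme == "" or scheme in ALLOWED_SCHEMES

def naive_filter_allows(url: str) -> bool:
    """The prefix-only check the advisory says such URLs evade."""
    return not url.strip().lower().startswith("javascript:")

if __name__ == "__main__":
    probe = "feed:javascript:alert(1)"             # constructed test input
    print(naive_filter_allows(probe), is_safe_href(probe))   # True False
```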


References

    Don't allow feed: URLs with an innerURI that inherits the page's
security context
    CVE-2012-1965
______________________________________________________________________

Mozilla Foundation Security Advisory 2012-56

Title: Code execution through javascript: URLs
Impact: Critical
Announced: July 17, 2012
Reporter: moz_bug_r_a4
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 14
          Firefox ESR 10.0.6
          Thunderbird 14
          Thunderbird ESR 10.0.6
          SeaMonkey 2.11

Description

Mozilla security researcher moz_bug_r_a4 reported an arbitrary code
execution attack using a javascript: URL. The Gecko engine features a
JavaScript sandbox utility that allows the browser or add-ons to safely
execute script in the context of a web page. In certain cases,
javascript: URLs are executed in such a sandbox with insufficient
context that can allow those scripts to escape from the sandbox and run
with elevated privilege. This can lead to arbitrary code execution.


References

    Arbitrary code execution using javascript: url
    CVE-2012-1967

======================================================================

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================
