====================================================================

                             CERT-Renater

                  Note d'Information No. 2012/VULN408
____________________________________________________________________

DATE                : 11/10/2012

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running Firefox versions prior to 16,
                                     ESR 10.0.8,
                         Thunderbird versions prior to 16, ESR 10.0.8,
                         SeaMonkey versions prior to 2.13.

======================================================================
http://www.mozilla.org/security/announce/2012/mfsa2012-74.html
http://www.mozilla.org/security/announce/2012/mfsa2012-75.html
http://www.mozilla.org/security/announce/2012/mfsa2012-76.html
http://www.mozilla.org/security/announce/2012/mfsa2012-77.html
http://www.mozilla.org/security/announce/2012/mfsa2012-78.html
http://www.mozilla.org/security/announce/2012/mfsa2012-79.html
http://www.mozilla.org/security/announce/2012/mfsa2012-80.html
http://www.mozilla.org/security/announce/2012/mfsa2012-81.html
http://www.mozilla.org/security/announce/2012/mfsa2012-82.html
http://www.mozilla.org/security/announce/2012/mfsa2012-83.html
http://www.mozilla.org/security/announce/2012/mfsa2012-84.html
http://www.mozilla.org/security/announce/2012/mfsa2012-85.html
http://www.mozilla.org/security/announce/2012/mfsa2012-86.html
http://www.mozilla.org/security/announce/2012/mfsa2012-87.html
______________________________________________________________________

Mozilla Foundation Security Advisory 2012-74

Title: Miscellaneous memory safety hazards (rv:16.0/ rv:10.0.8)

Impact: Critical
Announced: October 9, 2012
Reporter: Mozilla Developers
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 16
  Firefox ESR 10.0.8
  Thunderbird 16
  Thunderbird ESR 10.0.8
  SeaMonkey 2.13

Description

Mozilla developers identified and fixed several memory safety bugs in
the browser engine used in Firefox and other Mozilla-based products.
Some of these bugs showed evidence of memory corruption under certain
circumstances, and we presume that with enough effort at least some of
these could be exploited to run arbitrary code.

In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but
are potentially a risk in browser or browser-like contexts in those
products.


References

Henrik Skupin, Jesse Ruderman and moz_bug_r_a4 reported memory safety
problems and crashes that affect Firefox 15.

    Memory safety bugs fixed in Firefox 16
    CVE-2012-3983

Christian Holler and Jesse Ruderman reported memory safety problems and
crashes that affect Firefox ESR 10 and Firefox 15.

    Memory safety bugs fixed in Firefox ESR 10.0.8 and Firefox 16
    CVE-2012-3982
_______________________________________________________________________

Mozilla Foundation Security Advisory 2012-75

Title: select element persistance allows for attacks
Impact: Critical
Announced: October 9, 2012
Reporter: David Bloom
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 16
  Thunderbird 16
  SeaMonkey 2.13


Description

Security researcher David Bloom of Cue discovered that <select>
elements are always-on-top chromeless windows and that navigation away
from a page with an active <select> menu does not remove this
window.When another menu is opened programmatically on a new page, the
original <select> menu can be retained and arbitrary HTML content
within it rendered, allowing an attacker to cover arbitrary portions of
the new page through absolute positioning/scrolling, leading to
spoofing attacks. Security researcher Jordi Chancel found a variation
that would allow for click-jacking attacks was well.

In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but
are potentially a risk in browser or browser-like contexts in those
products.


References

    Navigation away from a page with an active <select> dropdown menu
can be used for URL spoofing, other evil
    CVE-2012-3984

    Firefox 10.0.1 : Navigation away from a page with multiple active
<select> dropdown menu can be used for Spoofing And ClickJacking with
XPI using window.open and geolocalisation

______________________________________________________________________

Mozilla Foundation Security Advisory 2012-76

Title: Continued access to initial origin after setting document.domain
Impact: High
Announced: October 9, 2012
Reporter: Collin Jackson
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 16
  Thunderbird 16
  SeaMonkey 2.13


Description

Security researcher Collin Jackson reported a violation of the HTML5
specifications for document.domain behavior. Specified behavior
requires pages to only have access to windows in a new document.domain
but the observed violation allowed pages to retain access to windows
from the page's initial origin in addition to the new document.domain.
This could potentially lead to cross-site scripting (XSS) attacks.

In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but
are potentially a risk in browser or browser-like contexts in those
products.


References

    Script access checks should use effective script origin, not origin
    CVE-2012-3985
______________________________________________________________________

Mozilla Foundation Security Advisory 2012-77

Title: Some DOMWindowUtils methods bypass security checks
Impact: High
Announced: October 9, 2012
Reporter: Johnny Stenback
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 16
  Firefox ESR 10.0.8
  Thunderbird 16
  Thunderbird ESR 10.0.8
  SeaMonkey 2.13

Description

Mozilla developer Johnny Stenback discovered that several methods of a
feature used for testing (DOMWindowUtils) are not protected by existing
security checks, allowing these methods to be called through script by
web pages. This was addressed by adding the existing security checks to
these methods.

In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but
are potentially a risk in browser or browser-like contexts in those
products.


References

    several nsDOMWindowUtils methods available to untrusted code
    CVE-2012-3986
______________________________________________________________________

Mozilla Foundation Security Advisory 2012-78

Title: Reader Mode pages have chrome privileges
Impact: Critical
Announced: October 9, 2012
Reporter: Warren He
Products: Firefox

Fixed in: Firefox 16

Description

Security researcher Warren He reported that when a page is transitioned
into Reader Mode in Firefox for Android, the resulting page has chrome
privileges and its content is not thoroughly sanitized. A successful
attack requires user enabling of reader mode for a malicious page,
which could then perform an attack similar to cross-site scripting
(XSS) to gain the privileges allowed to Firefox on an Android device.
This has been fixed by changing the Reader Mode page into an
unprivileged page.

This vulnerability only affects Firefox for Android.

References

    reader mode chrome xss
    CVE-2012-3987
______________________________________________________________________

Mozilla Foundation Security Advisory 2012-78

Title: Reader Mode pages have chrome privileges
Impact: Critical
Announced: October 9, 2012
Reporter: Warren He
Products: Firefox

Fixed in: Firefox 16

Description

Security researcher Warren He reported that when a page is transitioned
into Reader Mode in Firefox for Android, the resulting page has chrome
privileges and its content is not thoroughly sanitized. A successful
attack requires user enabling of reader mode for a malicious page,
which could then perform an attack similar to cross-site scripting
(XSS) to gain the privileges allowed to Firefox on an Android device.
This has been fixed by changing the Reader Mode page into an
unprivileged page.

This vulnerability only affects Firefox for Android.


References

    reader mode chrome xss
    CVE-2012-3987
______________________________________________________________________

Mozilla Foundation Security Advisory 2012-80

Title: Crash with invalid cast when using instanceof operator
Impact: Critical
Announced: October 9, 2012
Reporter: Ms2ger
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 16
  Thunderbird 16
  SeaMonkey 2.13

Description

Mozilla community member Ms2ger reported a crash due to an invalid cast
when using the instanceof operator on certain types of JavaScript
objects. This can lead to a potentially exploitable crash.

In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but
are potentially a risk in browser or browser-like contexts in those
products.

References

    ASSERTION: This only works on nsISupports classes! and segfault
    CVE-2012-3989
______________________________________________________________________

Mozilla Foundation Security Advisory 2012-81

Title: GetProperty function can bypass security checks
Impact: Critical
Announced: October 9, 2012
Reporter: Alice White
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 16
  Firefox ESR 10.0.8
  Thunderbird 16
  Thunderbird ESR 10.0.8
  SeaMonkey 2.13

Description

Mozilla community member Alice White reported that when the GetProperty
function is invoked through JSAPI, security checking can be bypassed
when getting cross-origin properties. This potentially allowed for
arbitrary code execution.

In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but
are potentially a risk in browser or browser-like contexts in those
products.

References

    Error: Error: Permission denied to access property 'toString' when
open certain site
    CVE-2012-3991
______________________________________________________________________

Mozilla Foundation Security Advisory 2012-82

Title: top object and location property accessible by plugins
Impact: High
Announced: October 9, 2012
Reporter: Mariusz Mlynski
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 16
  Firefox ESR 10.0.8
  Thunderbird 16
  Thunderbird ESR 10.0.8
  SeaMonkey 2.13

Description

Security researcher Mariusz Mlynski reported that the location property
can be accessed by binary plugins through top.location and top can be
shadowed by Object.defineProperty as well. This can allow for possible
cross-site scripting (XSS) attacks through plugins.

In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but
are potentially a risk in browser or browser-like contexts in those
products.

References

    Object.defineProperty can shadow top
    CVE-2012-3994
______________________________________________________________________

Mozilla Foundation Security Advisory 2012-83

Title: Chrome Object Wrapper (COW) does not disallow acces to privileged
functions or properties
Impact: Critical
Announced: October 9, 2012
Reporter: Mariusz Mlynski
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 16
  Firefox ESR 10.0.8
  Thunderbird 16
  Thunderbird ESR 10.0.8
  SeaMonkey 2.13

Description

Security researcher Mariusz Mlynski reported that when InstallTrigger
fails, it throws an error wrapped in a Chrome Object Wrapper (COW) that
fails to specify exposed properties. These can then be added to the
resulting object by an attacker, allowing access to chrome privileged
functions through script.

While investigating this issue, Mozilla security researcher
moz_bug_r_a4 found that COW did not disallow accessing of properties
from a standard prototype in some situations, even when the original
issue had been fixed.

These issues could allow for a cross-site scripting (XSS) attack or
arbitrary code execution.

In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but
are potentially a risk in browser or browser-like contexts in those
products.

References

    XrayWrapper pollution via unsafe COW
    CVE-2012-3993

    ChromeObjectWrapper is not implemented as intended
    CVE-2012-4184
______________________________________________________________________

Mozilla Foundation Security Advisory 2012-84

Title: Spoofing and script injection through location.hash
Impact: High
Announced: October 9, 2012
Reporter: Mariusz Mlynski
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 16
  Firefox ESR 10.0.8
  Thunderbird 16
  Thunderbird ESR 10.0.8
  SeaMonkey 2.13

Description

Security researcher Mariusz Mlynski reported an issue with spoofing of
the location property. In this issue, writes to location.hash can be
used in concert with scripted history navigation to cause a specific
website to be loaded into the history object. The baseURI can then be
changed to this stored site, allowing an attacker to inject a script or
intercept posted data posted to a location specified with a relative
path.

In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but
are potentially a risk in browser or browser-like contexts in those
products.

References

    History state error with late navigation involving a hash change
    CVE-2012-3992
______________________________________________________________________

Mozilla Foundation Security Advisory 2012-85

Title: Use-after-free, buffer overflow, and out of bounds read issues
found using Address Sanitizer
Impact: Critical
Announced: October 9, 2012
Reporter: Abhishek Arya
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 16
  Firefox ESR 10.0.8
  Thunderbird 16
  Thunderbird ESR 10.0.8
  SeaMonkey 2.13

Description

Security researcher Abhishek Arya (Inferno) of the Google Chrome
Security Team discovered a series of use-after-free, buffer overflow,
and out of bounds read issues using the Address Sanitizer tool in
shipped software. These issues are potentially exploitable, allowing
for remote code execution. We would also like to thank Abhishek for
reporting two additional use-after-free flaws introduced during Firefox
16 development and fixed before general release.

In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but
are potentially a risk in browser or browser-like contexts in those
products.

References

    Out of bounds read in IsCSSWordSpacingSpace
    CVE-2012-3995

    Heap-use-after-free in nsHTMLCSSUtils::CreateCSSPropertyTxn
    CVE-2012-4179

    Heap-buffer-overflow in nsHTMLEditor::IsPrevCharInNodeWhitespace
    CVE-2012-4180

    Heap-use-after-free in nsSMILAnimationController::DoSample
    CVE-2012-4181

    Heap-use-after-free in nsTextEditRules::WillInsert
    CVE-2012-4182

    Heap-use-after-free in DOMSVGTests::GetRequiredFeatures
    CVE-2012-4183
______________________________________________________________________

Mozilla Foundation Security Advisory 2012-86

Title: Heap memory corruption issues found using Address Sanitizer
Impact: Critical
Announced: October 9, 2012
Reporter: Atte Kettunen
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 16
  Firefox ESR 10.0.8
  Thunderbird 16
  Thunderbird ESR 10.0.8
  SeaMonkey 2.13

Description

Security researcher Atte Kettunen from OUSPG reported several heap
memory corruption issues found using the Address Sanitizer tool. These
issues are potentially exploitable, allowing for remote code execution.

In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but
are potentially a risk in browser or browser-like contexts in those
products.

References

    Global-buffer-overflow in nsCharTraits::length
    CVE-2012-4185

    Heap-buffer-overflow in nsWaveReader::DecodeAudioData
    CVE-2012-4186

    Crash with ASSERTION: insPos too small
    CVE-2012-4187

    Heap-buffer-overflow in Convolve3x3
    CVE-2012-4188

Mozilla

Portions of this content are ©1998–2012 by individual mozilla.org
contributors. Content available under a Creative Commons license.

______________________________________________________________________

Mozilla Foundation Security Advisory 2012-87

Title: Use-after-free in the IME State Manager
Impact: Critical
Announced: October 9, 2012
Reporter: miaubiz
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 16
  Firefox ESR 10.0.8
  Thunderbird 16
  Thunderbird ESR 10.0.8
  SeaMonkey 2.13

Description

Security researcher miaubiz used the Address Sanitizer tool to discover
a use-after-free in the IME State Manager code. This could lead to a
potentially exploitable crash.

In general these flaws cannot be exploited through email in the
Thunderbird and SeaMonkey products because scripting is disabled, but
are potentially a risk in browser or browser-like contexts in those
products.

References

    use-after-free in nsIContent::GetNameSpaceID
    CVE-2012-3990

======================================================================

=========================================================
Serveur de référence du CERT-Renater
https://services.renater.fr/ssi/
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================