====================================================================
CERT-Renater Information Note No. 2012/VULN469
____________________________________________________________________

DATE                 : 22/11/2012
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Firefox versions prior to 17.0 or
                       ESR 10.0.11, Thunderbird versions prior to 17.0 or
                       ESR 10.0.11, or SeaMonkey versions prior to 2.14.
======================================================================

http://www.mozilla.org/security/announce/2012/mfsa2012-91.html
http://www.mozilla.org/security/announce/2012/mfsa2012-92.html
http://www.mozilla.org/security/announce/2012/mfsa2012-93.html
http://www.mozilla.org/security/announce/2012/mfsa2012-94.html
http://www.mozilla.org/security/announce/2012/mfsa2012-95.html
http://www.mozilla.org/security/announce/2012/mfsa2012-96.html
http://www.mozilla.org/security/announce/2012/mfsa2012-97.html
http://www.mozilla.org/security/announce/2012/mfsa2012-98.html
http://www.mozilla.org/security/announce/2012/mfsa2012-99.html
http://www.mozilla.org/security/announce/2012/mfsa2012-100.html
http://www.mozilla.org/security/announce/2012/mfsa2012-101.html
http://www.mozilla.org/security/announce/2012/mfsa2012-102.html
http://www.mozilla.org/security/announce/2012/mfsa2012-103.html
http://www.mozilla.org/security/announce/2012/mfsa2012-104.html
http://www.mozilla.org/security/announce/2012/mfsa2012-105.html
http://www.mozilla.org/security/announce/2012/mfsa2012-106.html
______________________________________________________________________

Mozilla Foundation Security Advisory 2012-91

Title:     Miscellaneous memory safety hazards (rv:17.0 / rv:10.0.11)
Impact:    Critical
Announced: November 20, 2012
Reporter:  Mozilla Developers
Products:  Firefox, Thunderbird, SeaMonkey

Fixed in:  Firefox 17.0
           Firefox ESR 10.0.11
           Thunderbird 17.0
           Thunderbird ESR 10.0.11
           SeaMonkey 2.14

Description

Mozilla developers identified and fixed several memory safety bugs in the
browser engine used in Firefox and other Mozilla-based products. Some of
these bugs showed evidence of memory corruption under certain circumstances,
and we presume that with enough effort at least some of these could be
exploited to run arbitrary code.

In general these flaws cannot be exploited through email in the Thunderbird
and SeaMonkey products because scripting is disabled, but are potentially a
risk in browser or browser-like contexts in those products.

References

Gary Kwong, Jesse Ruderman, Christian Holler, Bob Clary, Kyle Huey, Ed
Morley, Chris Lord, Boris Zbarsky, Julian Seward, and Bill McCloskey
reported memory safety problems and crashes that affect Firefox 16.
  Memory safety bugs fixed in Firefox 17 (CVE-2012-5843)

Jesse Ruderman, Andrew McCreight, Bob Clary, and Kyle Huey reported memory
safety problems and crashes that affect Firefox ESR 10 and Firefox 16.
  Memory safety bugs fixed in Firefox ESR 10.0.11 and Firefox 17 (CVE-2012-5842)
_________________________________________________________________

Mozilla Foundation Security Advisory 2012-92

Title:     Buffer overflow while rendering GIF images
Impact:    Critical
Announced: November 20, 2012
Reporter:  Atte Kettunen
Products:  Firefox, Thunderbird, SeaMonkey

Fixed in:  Firefox 17.0
           Firefox ESR 10.0.11
           Thunderbird 17.0
           Thunderbird ESR 10.0.11
           SeaMonkey 2.14

Description

Security researcher Atte Kettunen from OUSPG used the Address Sanitizer
tool to discover a buffer overflow while rendering GIF format images. This
issue is potentially exploitable and could lead to arbitrary code execution.

References
  ASAN: Heap-buffer-overflow at image::RasterImage::DrawFrameTo (CVE-2012-4202)
_________________________________________________________________

Mozilla Foundation Security Advisory 2012-93

Title:     evalInSandbox location context incorrectly applied
Impact:    High
Announced: November 20, 2012
Reporter:  moz_bug_r_a4
Products:  Firefox, Thunderbird, SeaMonkey

Fixed in:  Firefox 17.0
           Firefox ESR 10.0.11
           Thunderbird 17.0
           Thunderbird ESR 10.0.11
           SeaMonkey 2.14

Description

Mozilla security researcher moz_bug_r_a4 reported that if code executed by
the evalInSandbox function sets location.href, it can get the wrong subject
principal for the URL check, ignoring the sandbox's Javascript context and
gaining the context of the evalInSandbox object. This can lead to malicious
web content being able to perform a cross-site scripting (XSS) attack or
steal a copy of a local file if the user has installed an add-on vulnerable
to this attack.

References
  Problem with evalInSandbox and location (CVE-2012-4201)
_________________________________________________________________

Mozilla Foundation Security Advisory 2012-94

Title:     Crash when combining SVG text on path with CSS
Impact:    Critical
Announced: November 20, 2012
Reporter:  Jonathan Stephens
Products:  Firefox, Thunderbird, SeaMonkey

Fixed in:  Firefox 17.0
           Thunderbird 17.0
           SeaMonkey 2.14

Description

Security researcher Jonathan Stephens discovered that combining SVG text on
a path with the setting of CSS properties could lead to a potentially
exploitable crash.

References
  SVG text on path + setting a style crashes Firefox (CVE-2012-5836)
_______________________________________________________________

Mozilla Foundation Security Advisory 2012-95

Title:     Javascript: URLs run in privileged context on New Tab page
Impact:    Moderate
Announced: November 20, 2012
Reporter:  kakzz.ng@gmail.com
Products:  Firefox

Fixed in:  Firefox 17.0

Description

Security researcher kakzz.ng@gmail.com reported that if a javascript: URL
is selected from the list on the Firefox "new tab" page, the script will
inherit the privileges of the privileged "new tab" page. This allows for
the execution of locally installed programs if a user can be convinced to
save a bookmark of a malicious javascript: URL.

References
  Bookmarklets on the new tab page are able to run privileged javascript (CVE-2012-4203)
__________________________________________________________________

Mozilla Foundation Security Advisory 2012-96

Title:     Memory corruption in str_unescape
Impact:    High
Announced: November 20, 2012
Reporter:  Scott Bell
Products:  Firefox, Thunderbird, SeaMonkey

Fixed in:  Firefox 17.0
           Thunderbird 17.0
           SeaMonkey 2.14

Description

Security researcher Scott Bell of Security-Assessment.com used the Address
Sanitizer tool to discover memory corruption in str_unescape in the
Javascript engine. This could potentially lead to arbitrary code execution.

In general these flaws cannot be exploited through email in the Thunderbird
and SeaMonkey products because scripting is disabled, but are potentially a
risk in browser or browser-like contexts in those products.

References
  Crash in str_unescape (CVE-2012-4204)
_________________________________________________________________

Mozilla Foundation Security Advisory 2012-97

Title:     XMLHttpRequest inherits incorrect principal within sandbox
Impact:    High
Announced: November 20, 2012
Reporter:  Gabor Krizsanits
Products:  Firefox, Thunderbird, SeaMonkey

Fixed in:  Firefox 17.0
           Thunderbird 17.0
           SeaMonkey 2.14

Description

Mozilla developer Gabor Krizsanits discovered that XMLHttpRequest objects
created within sandboxes have the system principal instead of the sandbox
principal. This can lead to cross-site request forgery (CSRF) or
information theft via an add-on running untrusted code in a sandbox.

References
  XHR created from sandboxes end up having system principal instead of
  principal of the sandbox (CVE-2012-4205)
___________________________________________________________________

Mozilla Foundation Security Advisory 2012-98

Title:     Firefox installer DLL hijacking
Impact:    High
Announced: November 20, 2012
Reporter:  Robert Kugler
Products:  Firefox

Fixed in:  Firefox 17.0
           Firefox ESR 10.0.11

Description

Security researcher Robert Kugler reported that when a specifically named
DLL file on a Windows computer is placed in the default downloads directory
alongside the Firefox installer, the Firefox installer will load this DLL
when it is launched. In circumstances where the installer is run by an
administrator-privileged account, this allows the downloaded DLL file to be
run with administrator privileges. This can lead to arbitrary code execution
from a privileged account.

References
  DLL Hijacking - Firefox installer (CVE-2012-4206)
___________________________________________________________________

Mozilla Foundation Security Advisory 2012-99

Title:     XrayWrappers expose chrome-only properties when not in chrome compartment
Impact:    High
Announced: November 20, 2012
Reporter:  Peter Van der Beken
Products:  Firefox, Thunderbird, SeaMonkey

Fixed in:  Firefox 17.0
           Thunderbird 17.0
           SeaMonkey 2.14

Description

Mozilla developer Peter Van der Beken discovered that same-origin
XrayWrappers expose chrome-only properties even when not in a chrome
compartment. This can allow web content to get properties of DOM objects
that are intended to be chrome-only.

In general these flaws cannot be exploited through email in the Thunderbird
and SeaMonkey products because scripting is disabled, but are potentially a
risk in browser or browser-like contexts in those products.

References
  Xrays for new DOM bindings need to filter properties based on their
  compartment (CVE-2012-4208)
___________________________________________________________________

Mozilla Foundation Security Advisory 2012-100

Title:     Improper security filtering for cross-origin wrappers
Impact:    High
Announced: November 20, 2012
Reporter:  Bobby Holley
Products:  Firefox, Thunderbird, SeaMonkey

Fixed in:  Firefox 17.0
           Firefox ESR 10.0.11
           Thunderbird 17.0
           Thunderbird ESR 10.0.11
           SeaMonkey 2.14

Description

Mozilla developer Bobby Holley reported that security wrappers filter at the
time of property access, but once a function is returned, the caller can use
this function without further security checks. This affects cross-origin
wrappers, allowing write actions on objects when only read actions should be
allowed. This can lead to cross-site scripting (XSS) attacks.

In general these flaws cannot be exploited through email in the Thunderbird
and SeaMonkey products because scripting is disabled, but are potentially a
risk in browser or browser-like contexts in those products.

References
  Filtering wrapper should filter setters when returning a property
  descriptor (CVE-2012-5841)
___________________________________________________________________

Mozilla Foundation Security Advisory 2012-101

Title:     Improper character decoding in HZ-GB-2312 charset
Impact:    High
Announced: November 20, 2012
Reporter:  Masato Kinugawa
Products:  Firefox, Thunderbird, SeaMonkey

Fixed in:  Firefox 17.0
           Firefox ESR 10.0.11
           Thunderbird 17.0
           Thunderbird ESR 10.0.11
           SeaMonkey 2.14

Description

Security researcher Masato Kinugawa found that when the HZ-GB-2312 charset
encoding is used for text, the "~" character will destroy another character
near the chunk delimiter. This can lead to a cross-site scripting (XSS)
attack in pages encoded in HZ-GB-2312.

References
  "~" eats a char near chunk delimiter in HZ-GB-2312 encoding (CVE-2012-4207)
___________________________________________________________________

Mozilla Foundation Security Advisory 2012-102

Title:     Script entered into Developer Toolbar runs with chrome privileges
Impact:    High
Announced: November 20, 2012
Reporter:  Masato Kinugawa
Products:  Firefox

Fixed in:  Firefox 17.0

Description

Security researcher Masato Kinugawa reported that when script is entered
into the Developer Toolbar, it runs in a chrome-privileged context. This
allows for arbitrary code execution or cross-site scripting (XSS) if a user
can be convinced to paste malicious code into the Developer Toolbar.

References
  XSS in Web Developer Toolbar's chrome privilege page (CVE-2012-5837)
___________________________________________________________________

Mozilla Foundation Security Advisory 2012-103

Title:     Frames can shadow top.location
Impact:    High
Announced: November 20, 2012
Reporter:  Mariusz Mlynski
Products:  Firefox, Thunderbird, SeaMonkey

Fixed in:  Firefox 17.0
           Firefox ESR 10.0.11
           Thunderbird 17.0
           Thunderbird ESR 10.0.11
           SeaMonkey 2.14

Description

Security researcher Mariusz Mlynski reported that the location property can
be accessed by binary plugins through top.location when a frame's name
attribute is set to "top". This can allow for possible cross-site scripting
(XSS) attacks through plugins.

In general these flaws cannot be exploited through email in the Thunderbird
and SeaMonkey products because scripting is disabled, but are potentially a
risk in browser or browser-like contexts in those products.

References
  Frames can shadow |top| (CVE-2012-4209)
___________________________________________________________________

Mozilla Foundation Security Advisory 2012-104

Title:     CSS and HTML injection through Style Inspector
Impact:    Critical
Announced: November 20, 2012
Reporter:  Mariusz Mlynski
Products:  Firefox

Fixed in:  Firefox 17.0
           Firefox ESR 10.0.11

Description

Security researcher Mariusz Mlynski reported that when a maliciously crafted
stylesheet is inspected in the Style Inspector, HTML and CSS can run in a
chrome-privileged context without being properly sanitized first. This can
lead to arbitrary code execution.

References
  Arbitrary code execution from Style Inspector (CVE-2012-42)
___________________________________________________________________

Mozilla Foundation Security Advisory 2012-105

Title:     Use-after-free and buffer overflow issues found using Address Sanitizer
Impact:    Critical
Announced: November 20, 2012
Reporter:  Abhishek Arya
Products:  Firefox, Thunderbird, SeaMonkey

Fixed in:  Firefox 17.0
           Firefox ESR 10.0.11
           Thunderbird 17.0
           Thunderbird ESR 10.0.11
           SeaMonkey 2.14

Description

Security researcher Abhishek Arya (Inferno) of the Google Chrome Security
Team discovered a series of critically rated use-after-free and buffer
overflow issues using the Address Sanitizer tool in shipped software. These
issues are potentially exploitable, allowing for remote code execution. We
would also like to thank Abhishek for reporting five additional
use-after-free, out-of-bounds read, and buffer overflow flaws introduced
during Firefox development that were fixed before general release.

In general these flaws cannot be exploited through email in the Thunderbird
and SeaMonkey products because scripting is disabled, but are potentially a
risk in browser or browser-like contexts in those products.

References

The following issues were fixed in Firefox 17 and ESR 10.0.11:
  Heap-use-after-free in nsTextEditorState::PrepareEditor (CVE-2012-4214)
  Heap-use-after-free in nsPlaintextEditor::FireClipboardEvent (CVE-2012-4215)
  Heap-use-after-free in gfxFont::GetFontEntry (CVE-2012-4216)
  Heap-buffer-overflow in nsWindow::OnExposeEvent (CVE-2012-5829)
  Heap-buffer-overflow in gfxShapedWord::CompressedGlyph::IsClusterStart (CVE-2012-5839)
  Heap-use-after-free in nsTextEditorState::PrepareEditor (CVE-2012-5840)

The following issues were fixed in Firefox 17:
  Heap-use-after-free in XPCWrappedNative::Mark (CVE-2012-4212)
  Heap-use-after-free in nsEditor::FindNextLeafNode (CVE-2012-4213)
  Heap-use-after-free in nsViewManager::ProcessPendingUpdates (CVE-2012-4217)
  Heap-use-after-free in BuildTextRunsScanner::BreakSink::SetBreaks (CVE-2012-4218)
___________________________________________________________________

Mozilla Foundation Security Advisory 2012-106

Title:     Use-after-free, buffer overflow, and memory corruption issues found
           using Address Sanitizer
Impact:    Critical
Announced: November 20, 2012
Reporter:  miaubiz
Products:  Firefox, Thunderbird, SeaMonkey

Fixed in:  Firefox 17.0
           Firefox ESR 10.0.11
           Thunderbird 17.0
           Thunderbird ESR 10.0.11
           SeaMonkey 2.14

Description

Security researcher miaubiz used the Address Sanitizer tool to discover a
series of critically rated use-after-free, buffer overflow, and memory
corruption issues in shipped software. These issues are potentially
exploitable, allowing for remote code execution. We would also like to thank
miaubiz for reporting two additional use-after-free and memory corruption
issues introduced during Firefox development that were fixed before general
release.

In general these flaws cannot be exploited through email in the Thunderbird
and SeaMonkey products because scripting is disabled, but are potentially a
risk in browser or browser-like contexts in those products.
References

The following issues were fixed in Firefox 17 and ESR 10.0.11:
  use-after-free when loading html file on osx (CVE-2012-5830)
  Mesa crashes on certain texImage2D calls involving level>0 (CVE-2012-5833)
  integer overflow, invalid write w/webgl bufferdata (CVE-2012-5835)

The following issues were fixed in Firefox 17:
  crash in copyTexImage2D with image dimensions too large for given level (CVE-2012-5838)

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
=========================================================
+ CERT-RENATER            | tel : 01-53-94-20-44 +
+ 23 - 25 Rue Daviel      | fax : 01-53-94-20-41 +
+ 75013 Paris             | email: certsvp@renater.fr +
=========================================================
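The "Fixed in" releases listed across this note (Firefox and Thunderbird 17.0, Firefox and Thunderbird ESR 10.0.11, SeaMonkey 2.14) turned into an inventory triage check; this is an added example, not part of the CERT-Renater note or of Mozilla's advisories, and the hostnames and version strings in the sample inventory are constructed.

```python
# Added example (not from the CERT-Renater note): decide whether an installed
# Firefox / Thunderbird / SeaMonkey version is at or above the release this
# note lists as fixed, treating the ESR 10.0.x branch separately from mainline.
import re

# Fixed releases per product and branch, taken from the note's "Fixed in" fields.
FIXED = {
    "firefox":     {"mainline": (17, 0), "esr10": (10, 0, 11)},
    "thunderbird": {"mainline": (17, 0), "esr10": (10, 0, 11)},
    "seamonkey":   {"mainline": (2, 14)},
}

def parse_version(text):
    """'10.0.11esr', '16.0.2' or '2.13.1' -> tuple of ints; trailing tags are ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(p) for p in m.group(1).split("."))

def branch_of(product, version):
    """Firefox/Thunderbird 10.0.x is the ESR 10 branch, patched at 10.0.11 per the note."""
    if product in ("firefox", "thunderbird") and version[:2] == (10, 0):
        return "esr10"
    return "mainline"

def is_patched(product, version_text):
    """True when the installed version is at or above the note's fixed release."""
    product = product.lower()
    if product not in FIXED:
        raise ValueError("product not covered by this note: %r" % product)
    version = parse_version(version_text)
    fixed = FIXED[product][branch_of(product, version)]
    width = max(len(version), len(fixed))
    def pad(v):  # right-pad with zeros so (17,) compares equal to (17, 0)
        return v + (0,) * (width - len(v))
    return pad(version) >= pad(fixed)

def hosts_needing_update(inventory):
    """Hosts whose (product, version) is still below the fixed release, sorted."""
    return sorted(host for host, product, ver in inventory if not is_patched(product, ver))

# Constructed sample inventory: (hostname, product, version as reported by the host).
SAMPLE_INVENTORY = [
    ("ws-01", "Firefox", "16.0.2"),
    ("ws-02", "Firefox", "17.0"),
    ("srv-mail", "Thunderbird", "10.0.10esr"),
    ("srv-mail2", "Thunderbird", "10.0.11esr"),
    ("lab-03", "SeaMonkey", "2.13.1"),
]

if __name__ == "__main__":
    print("needs update:", hosts_needing_update(SAMPLE_INVENTORY))  # ['lab-03', 'srv-mail', 'ws-01']
```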