=====================================================================
CERT-Renater Information Note No. 2013/VULN193
_____________________________________________________________________

DATE                 : 15/05/2013
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Firefox versions 21.0, ESR 17.0.6,
                       Thunderbird versions 17.0.6, ESR 17.0.6.
======================================================================

http://www.mozilla.org/security/announce/2013/mfsa2013-41.html
http://www.mozilla.org/security/announce/2013/mfsa2013-42.html
http://www.mozilla.org/security/announce/2013/mfsa2013-43.html
http://www.mozilla.org/security/announce/2013/mfsa2013-44.html
http://www.mozilla.org/security/announce/2013/mfsa2013-45.html
http://www.mozilla.org/security/announce/2013/mfsa2013-46.html
http://www.mozilla.org/security/announce/2013/mfsa2013-47.html
http://www.mozilla.org/security/announce/2013/mfsa2013-48.html
______________________________________________________________________

Mozilla Foundation Security Advisory 2013-41

Title:      Miscellaneous memory safety hazards (rv:21.0 / rv:17.0.6)
Impact:     Critical
Announced:  May 14, 2013
Reporter:   Mozilla Developers
Products:   Firefox, Thunderbird

Fixed in:   Firefox 21.0
            Firefox ESR 17.0.6
            Thunderbird 17.0.6
            Thunderbird ESR 17.0.6

Description

Mozilla developers identified and fixed several memory safety bugs in the
browser engine used in Firefox and other Mozilla-based products. Some of
these bugs showed evidence of memory corruption under certain
circumstances, and we presume that with enough effort at least some of
these could be exploited to run arbitrary code.

Note: In general these flaws cannot be exploited through email in the
Thunderbird product because scripting is disabled, but are potentially a
risk in browser or browser-like contexts.

References

Christoph Diehl, Christian Holler, Jesse Ruderman, Timothy Nikkel, and
Jeff Walden reported memory safety problems and crashes that affect
Firefox ESR 17 and Firefox 20.
  Memory safety bugs fixed in Firefox 17.0.6 and Firefox 21.0 (CVE-2013-0801)

Bob Clary, Ben Turner, Benoit Jacob, Bobby Holley, Christoph Diehl,
Christian Holler, Andrew McCreight, Gary Kwong, Jason Orendorff, Jesse
Ruderman, Matt Wobensmith, and Mats Palmgren reported memory safety
problems and crashes that affect Firefox 20.

  Memory safety bugs fixed in Firefox 21.0 (CVE-2013-1669)

______________________________________________________________________

Mozilla Foundation Security Advisory 2013-42

Title:      Privileged access for content level constructor
Impact:     High
Announced:  May 14, 2013
Reporter:   Cody Crews
Products:   Firefox, Thunderbird

Fixed in:   Firefox 21.0
            Firefox ESR 17.0.6
            Thunderbird 17.0.6
            Thunderbird ESR 17.0.6

Description

Security researcher Cody Crews reported a method to call a content level
constructor that allows this constructor to have chrome privileged
access. This affects chrome object wrappers (COW) and allows write
actions on objects when only read actions should be allowed. This can
lead to cross-site scripting (XSS) attacks.

Note: In general these flaws cannot be exploited through email in the
Thunderbird product because scripting is disabled, but are potentially a
risk in browser or browser-like contexts.

References

  Call content level constructor as if from a chrome/privileged page
  (CVE-2013-1670)

______________________________________________________________________

Mozilla Foundation Security Advisory 2013-43

Title:      File input control has access to full path
Impact:     Moderate
Announced:  May 14, 2013
Reporter:   moz_bug_r_a4
Products:   Firefox

Fixed in:   Firefox 21.0

Description

Mozilla security researcher moz_bug_r_a4 reported a mechanism to exploit
the input control when set to the file type in order to obtain the full
path of the selected file. This can lead to information leakage and
could be combined with other exploits to target attacks on the local
file system.
References

  File input control has access to full path (CVE-2013-1671)

______________________________________________________________________

Mozilla Foundation Security Advisory 2013-44

Title:      Local privilege escalation through Mozilla Maintenance Service
Impact:     High
Announced:  May 14, 2013
Reporter:   Seb Patane
Products:   Firefox, Thunderbird

Fixed in:   Firefox 21.0
            Firefox ESR 17.0.6
            Thunderbird 17.0.6
            Thunderbird ESR 17.0.6

Description

Security researcher Seb Patane reported an issue with the Mozilla
Maintenance Service on Windows. This issue allows unprivileged users to
escalate privileges locally through the system privileges used by the
service when it interacts with local malicious software. This allows the
user to bypass integrity checks, leading to local privilege escalation.
Local file system access is necessary in order for this issue to be
exploitable and it cannot be triggered through web content.

References

  Arbitrary code execution by Mozilla Maintenance Service with junctions
  (CVE-2013-1672)

______________________________________________________________________

Mozilla Foundation Security Advisory 2013-45

Title:      Mozilla Updater fails to update some Windows Registry entries
Impact:     High
Announced:  May 14, 2013
Reporter:   Robert Kugler
Products:   Firefox

Fixed in:   Firefox 21.0

Description

Security researcher Robert Kugler discovered that in some instances the
Mozilla Maintenance Service on Windows remains vulnerable to some
previously fixed privilege escalation attacks that allowed for local
privilege escalation. This was caused by the Mozilla Updater not
updating the Windows Registry entries for the Mozilla Maintenance
Service that fix the earlier issues; the stale entries are present if
Firefox 12 had been installed. New installations of Firefox after
version 12 are not affected by this issue. Local file system access is
necessary in order for this issue to be exploitable and it cannot be
triggered through web content.
References

  old MozillaMaintenance Service registry entry not updated leading to
  Trusted Path Privilege Escalation (CVE-2013-1673)
  Possible Arbitrary Code Execution by Update Service (CVE-2012-1942)

______________________________________________________________________

Mozilla Foundation Security Advisory 2013-46

Title:      Use-after-free with video and onresize event
Impact:     Critical
Announced:  May 14, 2013
Reporter:   Nils
Products:   Firefox, Thunderbird

Fixed in:   Firefox 21.0
            Firefox ESR 17.0.6
            Thunderbird 17.0.6
            Thunderbird ESR 17.0.6

Description

Security researcher Nils reported a use-after-free when resizing video
while it is playing. This could allow for arbitrary code execution.

Note: In general these flaws cannot be exploited through email in the
Thunderbird product because scripting is disabled, but are potentially a
risk in browser or browser-like contexts.

References

  UAF with video and onresize event (CVE-2013-1674)

______________________________________________________________________

Mozilla Foundation Security Advisory 2013-47

Title:      Uninitialized functions in DOMSVGZoomEvent
Impact:     High
Announced:  May 14, 2013
Reporter:   Ms2ger
Products:   Firefox, Thunderbird

Fixed in:   Firefox 21.0
            Firefox ESR 17.0.6
            Thunderbird 17.0.6
            Thunderbird ESR 17.0.6

Description

Mozilla community member Ms2ger discovered that some DOMSVGZoomEvent
functions are used without being properly initialized, causing
uninitialized memory to be used when they are called by web content.
This could lead to an information leakage to sites, depending on the
contents of this uninitialized memory.

Note: In general these flaws cannot be exploited through email in the
Thunderbird product because scripting is disabled, but are potentially a
risk in browser or browser-like contexts.
References

  nsDOMSVGZoomEvent::m{Previous,New}Scale are used uninitialized
  (CVE-2013-1675)

______________________________________________________________________

Mozilla Foundation Security Advisory 2013-48

Title:      Memory corruption found using Address Sanitizer
Impact:     Critical
Announced:  May 14, 2013
Reporter:   Abhishek Arya
Products:   Firefox, Thunderbird

Fixed in:   Firefox 21.0
            Firefox ESR 17.0.6
            Thunderbird 17.0.6
            Thunderbird ESR 17.0.6

Description

Security researcher Abhishek Arya (Inferno) of the Google Chrome
Security Team used the Address Sanitizer tool to discover a series of
use-after-free, out-of-bounds read, and invalid write problems, rated
moderate to critical as security issues in shipped software. Some of
these issues are potentially exploitable, allowing for remote code
execution.

We would also like to thank Abhishek for reporting additional
use-after-free flaws in dir=auto code introduced during Firefox
development. These were fixed before general release.

References

  Out of Bounds Read in SelectionIterator::GetNextSegment (CVE-2013-1676)
  Out-of-bound read in gfxSkipCharsIterator::SetOffsets (CVE-2013-1677)
  Invalid write in _cairo_xlib_surface_add_glyph (CVE-2013-1678)
  Heap-use-after-free in mozilla::plugins::child::_geturlnotify
  (CVE-2013-1679)
  Heap-use-after-free in nsFrameList::FirstChild (CVE-2013-1680)
  Heap-use-after-free in nsContentUtils::RemoveScriptBlocker
  (CVE-2013-1681)

======================================================================
=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
=========================================================
+ CERT-RENATER            | tel : 01-53-94-20-44 +
+ 23 - 25 Rue Daviel      | fax : 01-53-94-20-41 +
+ 75013 Paris             | email: certsvp@renater.fr +
=========================================================