=====================================================================
CERT-Renater Information Note No. 2013/VULN486
_____________________________________________________________________
DATE : 24/10/2013
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running Firefox prior to 25.0, Firefox ESR 24 prior to 24.1, Firefox ESR 17 prior to 17.0.10, Thunderbird prior to 24.1, Thunderbird ESR 17 prior to 17.0.10, or Seamonkey prior to 2.22.
======================================================================
http://www.mozilla.org/security/announce/2013/mfsa2013-93.html
http://www.mozilla.org/security/announce/2013/mfsa2013-94.html
http://www.mozilla.org/security/announce/2013/mfsa2013-95.html
http://www.mozilla.org/security/announce/2013/mfsa2013-96.html
http://www.mozilla.org/security/announce/2013/mfsa2013-97.html
http://www.mozilla.org/security/announce/2013/mfsa2013-98.html
http://www.mozilla.org/security/announce/2013/mfsa2013-99.html
http://www.mozilla.org/security/announce/2013/mfsa2013-100.html
http://www.mozilla.org/security/announce/2013/mfsa2013-101.html
http://www.mozilla.org/security/announce/2013/mfsa2013-102.html
______________________________________________________________________
Mozilla Foundation Security Advisory 2013-93

Title: Miscellaneous memory safety hazards (rv:25.0 / rv:24.1 / rv:17.0.10)
Impact: Critical
Announced: October 29, 2013
Reporter: Mozilla Developers
Products: Firefox, Thunderbird, Seamonkey
Fixed in:
  Firefox 25.0
  Firefox ESR 24.1
  Firefox ESR 17.0.10
  Thunderbird 24.1
  Thunderbird ESR 17.0.10
  Seamonkey 2.22

Description

Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code.
In general these flaws cannot be exploited through email in the Thunderbird and Seamonkey products because scripting is disabled, but they are potentially a risk in browser or browser-like contexts.

References

Jesse Ruderman and Christoph Diehl reported memory safety problems and crashes that affect Firefox ESR 17, Firefox ESR 24, and Firefox 24. Memory safety bugs fixed in Firefox ESR 17.0.10, Firefox ESR 24.1, and Firefox 25.0 (CVE-2013-5590)

Vladimir Vukicevic reported a crash that affected Firefox ESR 24 and Firefox 24. Memory safety bug fixed in Firefox ESR 24.1 and Firefox 25.0 (CVE-2013-5591)

Jesse Ruderman, Gary Kwong, and Kannan Vijayan reported memory safety problems and crashes that affect Firefox 24. Memory safety bugs fixed in Firefox 25.0 (CVE-2013-5592)

Carsten Book reported a crash in the NSS library used by Mozilla-based products, fixed in Firefox 25.0, Firefox ESR 24.1, and Firefox ESR 17.0.10. Assertion failure: inputLen >= spec->mac_size, at c:/work/mozilla/builds/beta/mozilla/security/nss/lib/ssl/ssl3con.c:2057 (CVE-2013-1739)
___________________________________________________________________
Mozilla Foundation Security Advisory 2013-94

Title: Spoofing addressbar through SELECT element
Impact: Moderate
Announced: October 29, 2013
Reporter: Jordi Chancel
Products: Firefox, Thunderbird, Seamonkey
Fixed in:
  Firefox 25.0
  Firefox ESR 24.1
  Thunderbird 24.1
  Seamonkey 2.22

Description

Security researcher Jordi Chancel discovered a method to place arbitrary HTML content within the dropdown menu of a SELECT element. This can be used for URL/SSL spoofing and clickjacking attacks (CVE-2013-5593).
______________________________________________________________________
Mozilla Foundation Security Advisory 2013-95

Title: Access violation with XSLT and uninitialized data
Impact: High
Announced: October 29, 2013
Reporter: Abhishek Arya
Products: Firefox, Thunderbird, Seamonkey
Fixed in:
  Firefox 25.0
  Firefox ESR 24.1
  Firefox ESR 17.0.10
  Thunderbird 24.1
  Thunderbird ESR 17.0.10
  Seamonkey 2.22
Description

Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team used the Address Sanitizer tool to discover an access violation due to uninitialized data during Extensible Stylesheet Language Transformation (XSLT) processing. This leads to a potentially exploitable crash.

In general this flaw cannot be exploited through email in the Thunderbird and Seamonkey products because scripting is disabled, but is potentially a risk in browser or browser-like contexts.

References

Stack-buffer-overflow in txXPathNodeUtils::getBaseURI (CVE-2013-5604)
______________________________________________________________________
Mozilla Foundation Security Advisory 2013-96

Title: Improperly initialized memory and overflows in some JavaScript functions
Impact: Moderate
Announced: October 29, 2013
Reporter: Dan Gohman
Products: Firefox, Thunderbird, Seamonkey
Fixed in:
  Firefox 25.0
  Firefox ESR 24.1
  Firefox ESR 17.0.10
  Thunderbird 24.1
  Thunderbird ESR 17.0.10
  Seamonkey 2.22

Description

Compiler Engineer Dan Gohman of Google discovered a flaw in the JavaScript engine where memory was being incorrectly allocated for some functions and the buffer sizes passed to allocation calls were not always checked for overflow, leading to potential buffer overflows. When combined with other vulnerabilities, these flaws could be potentially exploitable.

In general this flaw cannot be exploited through email in the Thunderbird and Seamonkey products because scripting is disabled, but is potentially a risk in browser or browser-like contexts.
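MFSA 2013-96 names two bug classes at once: buffer size computations whose intermediate products are not checked for overflow, and memory handed out without initialization. The C++ below is an added illustration of that class and is not Mozilla's code; the function names, the 32-bit length arithmetic and the header/count/element-size layout are assumptions chosen for the example, and the overflow builtins are the GCC/Clang ones. It places a size computation that wraps silently beside one that refuses overflowing input and returns zero-filled storage.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Result of a checked size computation: ok == false means "would overflow".
struct SizeResult {
    bool ok;
    uint32_t bytes;
};

// BUGGY (illustrative): header + count * elemSize in 32-bit arithmetic.
// Both the multiply and the add wrap modulo 2^32, so a huge `count` can
// yield a tiny allocation that is later indexed with the original count.
uint32_t bufferSizeUnchecked(uint32_t header, uint32_t count, uint32_t elemSize) {
    return header + count * elemSize;
}

// FIXED (illustrative): every intermediate is checked with the GCC/Clang
// overflow builtins; an overflow is reported instead of wrapping.
SizeResult bufferSizeChecked(uint32_t header, uint32_t count, uint32_t elemSize) {
    uint32_t bytes;
    if (__builtin_mul_overflow(count, elemSize, &bytes)) return {false, 0};
    if (__builtin_add_overflow(bytes, header, &bytes)) return {false, 0};
    return {true, bytes};
}

// Allocates only when the size computation succeeds, and value-initializes
// (zero-fills) the storage so no uninitialized byte can be read back.
// Returns an empty vector when the request would overflow.
std::vector<uint8_t> allocateChecked(uint32_t header, uint32_t count, uint32_t elemSize) {
    SizeResult r = bufferSizeChecked(header, count, elemSize);
    if (!r.ok) return {};
    return std::vector<uint8_t>(r.bytes);
}

// Constructed worked input (assumed layout): 0x40000001 elements of 4 bytes
// behind an 8-byte header. 0x40000001 * 4 = 0x100000004, which truncates to
// 4 in 32 bits, so the unchecked size is 12 bytes for a billion elements;
// the checked computation refuses it.
const uint32_t kHeader = 8;
const uint32_t kHugeCount = 0x40000001u;
const uint32_t kElemSize = 4;
```

The point of the checked variant is that the decision is made where the arithmetic happens, not at the allocator: `malloc(12)` succeeds, and the later loop over `kHugeCount` elements is what writes past the end.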
References

Use of uninitialized memory, and buffer size computations not checked for overflow (CVE-2013-5595)
______________________________________________________________________
Mozilla Foundation Security Advisory 2013-97

Title: Writing to cycle collected object during image decoding
Impact: High
Announced: October 29, 2013
Reporter: Ezra Pool
Products: Firefox, Thunderbird, Seamonkey
Fixed in:
  Firefox 25.0
  Firefox ESR 24.1
  Thunderbird 24.1
  Seamonkey 2.22

Description

Mozilla community member Ezra Pool reported a potentially exploitable crash on extremely large pages. This was caused when a cycle collected image object was released on the wrong thread during decoding, creating a race condition.

In general this flaw cannot be exploited through email in the Thunderbird and Seamonkey products because scripting is disabled, but is potentially a risk in browser or browser-like contexts.

References

Crash on long pages (neverending reddit with images enabled) (CVE-2013-5596)
______________________________________________________________________
Mozilla Foundation Security Advisory 2013-98

Title: Use-after-free when updating offline cache
Impact: Critical
Announced: October 29, 2013
Reporter: Byoungyoung Lee
Products: Firefox, Thunderbird, Seamonkey
Fixed in:
  Firefox 25.0
  Firefox ESR 24.1
  Firefox ESR 17.0.10
  Thunderbird 24.1
  Thunderbird ESR 17.0.10
  Seamonkey 2.22

Description

Security researcher Byoungyoung Lee of Georgia Tech Information Security Center (GTISC) used the Address Sanitizer tool to discover a use-after-free during state change events while updating the offline cache. This leads to a potentially exploitable crash.

In general this flaw cannot be exploited through email in the Thunderbird and Seamonkey products because scripting is disabled, but is potentially a risk in browser or browser-like contexts.
References

Heap-use-after-free in nsDocLoader::doStopDocumentLoad() (CVE-2013-5597)
______________________________________________________________________
Mozilla Foundation Security Advisory 2013-99

Title: Security bypass of PDF.js checks using iframes
Impact: High
Announced: October 29, 2013
Reporter: Cody Crews
Products: Firefox
Fixed in:
  Firefox 25.0
  Firefox ESR 24.1

Description

Security researcher Cody Crews discovered a method to append an iframe into an embedded PDF object rendered with the chrome privileged PDF.js. This can be used to bypass security restrictions and load local or chrome privileged files and objects within the embedded PDF object, which can lead to information disclosure of local system files.

In general this flaw cannot be exploited through email in the Thunderbird and Seamonkey products because scripting is disabled, but is potentially a risk in browser or browser-like contexts.

References

pdf.js iframe injection allows sites to load local files or even chrome privileged pages into an iframe (CVE-2013-5598)
______________________________________________________________________
Mozilla Foundation Security Advisory 2013-100

Title: Miscellaneous use-after-free issues found through ASAN fuzzing
Impact: Critical
Announced: October 29, 2013
Reporter: Nils
Products: Firefox, Thunderbird, Seamonkey
Fixed in:
  Firefox 25.0
  Firefox ESR 24.1
  Firefox ESR 17.0.10
  Thunderbird 24.1
  Thunderbird ESR 17.0.10
  Seamonkey 2.22

Description

Security researcher Nils used the Address Sanitizer tool while fuzzing to discover missing strong references in the browser engine leading to use-after-frees. This can lead to a potentially exploitable crash.

In general these flaws cannot be exploited through email in the Thunderbird and Seamonkey products because scripting is disabled, but are potentially a risk in browser or browser-like contexts.
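MFSA 2013-98 (a use-after-free during state change events while updating the offline cache) and MFSA 2013-100 (missing strong references leading to use-after-frees) are instances of one pattern: an object is released from inside a callback that is being dispatched to it, while the dispatcher holds nothing but a raw pointer. The C++ below is an added example and not Mozilla's code; the Registry/Listener names and the event model are hypothetical. It places the buggy raw-pointer walk beside the fix, which snapshots strong references before dispatching so that a listener unregistered mid-event stays alive until the dispatch loop is done.

```cpp
#include <cstddef>
#include <functional>
#include <memory>
#include <string>
#include <utility>
#include <vector>

class Registry;

// Hypothetical listener: counts events and may run an action on each one.
struct Listener {
    std::string name;
    int handled = 0;
    std::function<void(Registry&)> onEvent;
};

class Registry {
public:
    void add(std::shared_ptr<Listener> l) { listeners_.push_back(std::move(l)); }

    // Drops the registry's strong reference to the named listener.
    void remove(const std::string& name) {
        for (auto it = listeners_.begin(); it != listeners_.end(); ++it) {
            if ((*it)->name == name) { listeners_.erase(it); return; }
        }
    }

    size_t size() const { return listeners_.size(); }

    // BUGGY (shown for reading only; executing it is undefined behaviour):
    // walks the live vector through a raw pointer. If a handler calls remove()
    // and the registry held the last strong reference, the Listener is
    // destroyed while `raw` still points at it, and the vector is reshuffled
    // under the loop index.
    int dispatchUnsafe() {
        int fired = 0;
        for (size_t i = 0; i < listeners_.size(); ++i) {
            Listener* raw = listeners_[i].get();    // missing strong reference
            raw->handled++;
            if (raw->onEvent) raw->onEvent(*this);  // may erase listeners_[i]
            fired++;                                // `raw` may now dangle
        }
        return fired;
    }

    // FIXED: copy the strong references first. Every listener registered when
    // the event started stays alive until this loop ends, whatever the
    // handlers do to the registry in the meantime.
    int dispatchSafe() {
        std::vector<std::shared_ptr<Listener>> snapshot = listeners_;
        int fired = 0;
        for (const auto& l : snapshot) {
            l->handled++;
            if (l->onEvent) l->onEvent(*this);
            fired++;
        }
        return fired;
    }

private:
    std::vector<std::shared_ptr<Listener>> listeners_;
};

// What the safe dispatch observed in the constructed scenario below.
struct Outcome {
    int fired;              // handlers invoked
    size_t remaining;       // listeners still registered afterwards
    bool aliveDuringEvent;  // "a" was still allocated inside its own handler
    bool freedAfter;        // "a" was released once dispatch finished
};

// Constructed scenario: listener "a" unregisters itself and "b" from inside
// its handler, and the registry is the only owner of both objects.
Outcome runSafeScenario() {
    Registry reg;
    std::weak_ptr<Listener> watchA;  // non-owning probe for "a"'s lifetime
    bool aliveDuringEvent = false;
    {
        auto a = std::make_shared<Listener>();
        auto b = std::make_shared<Listener>();
        a->name = "a";
        b->name = "b";
        watchA = a;
        a->onEvent = [&](Registry& r) {
            r.remove("a");
            r.remove("b");
            aliveDuringEvent = !watchA.expired();
        };
        reg.add(a);
        reg.add(b);
    }  // local strong references gone: the registry owns "a" and "b"
    int fired = reg.dispatchSafe();
    return {fired, reg.size(), aliveDuringEvent, watchA.expired()};
}
```

With the snapshot in place the handler's own `remove("a")` only drops the registry's reference; the object is destroyed when `dispatchSafe` returns, which is why `runSafeScenario` reports it alive during the event and freed afterwards. Running `dispatchUnsafe` on the same scenario is exactly the situation Address Sanitizer flags as a heap-use-after-free.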
References

ASAN heap-use-after-free in nsIPresShell::GetPresContext() with canvas, onresize and mozTextStyle (CVE-2013-5599)
ASAN use-after-free in nsIOService::NewChannelFromURIWithProxyFlags with Blob URL (CVE-2013-5600)
ASAN use-after-free in GC allocation in nsEventListenerManager::SetEventHandler (CVE-2013-5601)
______________________________________________________________________
Mozilla Foundation Security Advisory 2013-101

Title: Memory corruption in workers
Impact: Critical
Announced: October 29, 2013
Reporter: Nils
Products: Firefox, Thunderbird, Seamonkey
Fixed in:
  Firefox 25.0
  Firefox ESR 24.1
  Firefox ESR 17.0.10
  Thunderbird 24.1
  Thunderbird ESR 17.0.10
  Seamonkey 2.22

Description

Security researcher Nils used the Address Sanitizer tool while fuzzing to discover a memory corruption issue in the JavaScript engine when using workers with direct proxies. This results in a potentially exploitable crash.

In general this flaw cannot be exploited through email in the Thunderbird and Seamonkey products because scripting is disabled, but is potentially a risk in browser or browser-like contexts.

References

ASAN SEGV on unknown address in Worker::SetEventListener (CVE-2013-5602)
______________________________________________________________________
Mozilla Foundation Security Advisory 2013-102

Title: Use-after-free in HTML document templates
Impact: Critical
Announced: October 29, 2013
Reporter: Abhishek Arya
Products: Firefox, Thunderbird, Seamonkey
Fixed in:
  Firefox 25.0
  Firefox ESR 24.1
  Thunderbird 24.1
  Seamonkey 2.22

Description

Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team used the Address Sanitizer tool to discover a use-after-free when interacting with HTML document templates. This leads to a potentially exploitable crash.

In general this flaw cannot be exploited through email in the Thunderbird and Seamonkey products because scripting is disabled, but is potentially a risk in browser or browser-like contexts.
References

Heap-use-after-free in nsContentUtils::ContentIsHostIncludingDescendantOf (CVE-2013-5603)
=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44             +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41             +
+ 75013 Paris           | email: cert@support.renater.fr   +
==========================================================