University of Vermont

Information Technology

Update Firefox and Thunderbird Now: Multiple Vulnerabilities in Mozilla Products Could Allow Remote Code Execution

MULTI-STATE INFORMATION SHARING AND ANALYSIS CENTER CYBER SECURITY ADVISORY
 
MS-ISAC ADVISORY NUMBER:
2013-035
 
DATE(S) ISSUED:
4/3/2013
 
SUBJECT:
Multiple Vulnerabilities in Mozilla Products Could Allow Remote Code Execution
 
OVERVIEW:
Multiple vulnerabilities have been discovered in the Mozilla Firefox, Thunderbird, and SeaMonkey applications, which could allow for remote code execution. Mozilla Firefox is a web browser used to access the Internet. Mozilla Thunderbird is an email client. Mozilla SeaMonkey is a cross-platform Internet suite of tools ranging from a web browser to an email client.
 
Successful exploitation of these vulnerabilities could result in either an attacker gaining the same privileges as the logged on user, or gaining session authentication credentials. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.
 
SYSTEMS AFFECTED:
·      Firefox versions prior to 20.0
·      Firefox Extended Support Release (ESR) versions prior to 17.0.5
·      Thunderbird versions prior to 17.0.5
·      Thunderbird Extended Support Release (ESR) versions prior to 17.0.5
·      SeaMonkey versions prior to 2.17
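 
The version thresholds listed above can be checked against a software inventory. The following is an added example, not part of the MS-ISAC advisory: it assumes inventory lines of the form "host product version" and that ESR installs carry an "esr" suffix on the version string; the function names and sample hosts are hypothetical. It compares versions numerically, so that 2.9 is treated as older than 2.17, and reports pre-release or unparseable versions as unknown for manual review.

```python
import re

# First fixed release per (product, is_esr), from the SYSTEMS AFFECTED list above.
FIXED = {
    ("firefox", False): (20, 0),
    ("firefox", True): (17, 0, 5),
    ("thunderbird", False): (17, 0, 5),
    ("thunderbird", True): (17, 0, 5),
    ("seamonkey", False): (2, 17),
}
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(esr)?$", re.IGNORECASE)

def parse_version(text):
    """Return (numeric tuple, is_esr), or None for betas and other odd strings."""
    m = VERSION_RE.match(text.strip())
    return (tuple(int(p) for p in m.group(1).split(".")), bool(m.group(2))) if m else None

def is_older(version, fixed):
    """Zero-padded numeric compare, so 20 equals 20.0 and 2.9 sorts before 2.17."""
    width = max(len(version), len(fixed))
    return version + (0,) * (width - len(version)) < fixed + (0,) * (width - len(fixed))

def classify(product, version_text):
    """Return 'affected', 'fixed' or 'unknown' for one installed product."""
    parsed = parse_version(version_text)
    fixed = FIXED.get((product.lower(), parsed[1])) if parsed else None
    if fixed is None:
        return "unknown"  # unparseable version or product/channel not in the advisory
    return "affected" if is_older(parsed[0], fixed) else "fixed"

def triage(inventory_lines):
    """Group 'host product version' lines by status; malformed lines go to 'unknown'."""
    report = {"affected": [], "fixed": [], "unknown": []}
    for line in inventory_lines:
        fields = line.split()
        if len(fields) != 3:
            report["unknown"].append((line, "", ""))
            continue
        host, product, version = fields
        report[classify(product, version)].append((host, product, version))
    return report

# Constructed sample inventory: hostnames and versions are made up for illustration.
SAMPLE = [
    "ws-01 firefox 19.0.2", "ws-02 firefox 20",
    "ws-03 firefox 17.0.4esr", "ws-04 firefox 17.0.5esr",
    "ws-05 thunderbird 17.0.5", "ws-06 seamonkey 2.9",
    "ws-07 seamonkey 2.17", "ws-08 firefox 20.0b3",
]
```

Calling triage(SAMPLE) returns the hosts grouped by status. A Firefox version without the "esr" suffix is compared against the release-channel threshold of 20.0, so an unmarked 17.0.5 install is reported as affected.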
 
RISK:
Government:
·      Large and medium government entities: High
·      Small government entities: High
Businesses:
·      Large and medium business entities: High
·      Small business entities: High
Home users: High
 
DESCRIPTION:
Multiple vulnerabilities have been discovered in Mozilla Firefox, Thunderbird, and SeaMonkey. The details of these vulnerabilities are as follows:
·      Miscellaneous memory safety hazards (MFSA 2013-30) (CVE-2013-0788) (CVE-2013-0789) (CVE-2013-0790): Multiple memory-corruption vulnerabilities exist in the browser engine that could lead to arbitrary code execution.
·      Out-of-bounds write in Cairo library (MFSA 2013-31) (CVE-2013-0800): An out-of-bounds write in the Cairo graphics library could cause a potentially exploitable crash.
·      Privilege escalation through Mozilla Maintenance Service (MFSA 2013-32) (CVE-2013-0799): A privilege-escalation vulnerability requiring local system access exists as a result of an error that occurs when using the Mozilla Maintenance Service.
·      World read and write access to app_tmp directory on Android (MFSA 2013-33) (CVE-2013-0798): The app_tmp directory for Firefox on Android is readable and writable, giving third parties the ability to alter and/or replace Firefox add-ons that are being stored temporarily in the app_tmp directory before installation.
·      Privilege escalation through Mozilla Updater (MFSA 2013-34) (CVE-2013-0797): An error exists where the Mozilla Updater can be made to load a malicious local DLL file, resulting in privilege escalation. In order for this vulnerability to be exploited, the malicious DLL must be placed in a specific location locally on a host prior to Mozilla Updater being run. Local file system access is necessary in order for this issue to be exploitable.
·      WebGL crash with Mesa graphics driver on Linux (MFSA 2013-35) (CVE-2013-0796): A denial-of-service condition exists resulting in a possible exploitable condition. This issue occurs when the 'WebGL' library crashes and primarily affects Linux users using a Mesa graphics driver.
·      Bypass of SOW protections allows cloning of protected nodes (MFSA 2013-36) (CVE-2013-0795): A security-bypass vulnerability affecting the System Only Wrappers (SOW) exists which, if exploited, could allow an attacker to clone a protected node, and possibly result in a privilege escalation condition and the execution of arbitrary code.
·      Bypass of tab-modal dialog origin disclosure (MFSA 2013-37) (CVE-2013-0794): A method for removing the origin indication on tab-modal dialog boxes in combination with browser navigation exists. This could allow attackers to overlay a page to show another site's content, and could possibly be used in phishing campaigns.
·      Cross-site scripting (XSS) using timed history navigations (MFSA 2013-38) (CVE-2013-0793): A cross-site scripting vulnerability exists and can be exploited when an attacker uses timed history navigations to load an arbitrary website with that page's baseURI property pointing to another site instead of the seemingly loaded one.
·      Memory corruption while rendering grayscale PNG images (MFSA 2013-39) (CVE-2013-0792): A memory-corruption vulnerability exists that affects specially crafted grayscale PNG images. This issue occurs if the gfx.color_management.enablev4 preference is enabled in about:config; by default, this preference is not enabled.
·      Out-of-bounds array read in CERT_DecodeCertPackage (MFSA 2013-40) (CVE-2013-0791): An out-of-bounds read issue exists affecting the 'CERT_DecodeCertPackage' function of the Network Security Services (NSS) library, and if exploited could result in memory corruption and a non-exploitable crash.
 
Successful exploitation of these vulnerabilities could result in either an attacker gaining the same privileges as the logged on user, or gaining session authentication credentials. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.
 
RECOMMENDATIONS:
We recommend the following actions be taken:
·      Upgrade vulnerable Mozilla products immediately after appropriate testing.
·      Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
·      Do not open email attachments or click on URLs from unknown or untrusted sources.
·      Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
 
REFERENCES:
Mozilla:
http://www.mozilla.org/security/announce/
http://www.mozilla.org/security/announce/2013/mfsa2013-30.html
http://www.mozilla.org/security/announce/2013/mfsa2013-31.html
http://www.mozilla.org/security/announce/2013/mfsa2013-32.html
http://www.mozilla.org/security/announce/2013/mfsa2013-33.html
http://www.mozilla.org/security/announce/2013/mfsa2013-34.html
http://www.mozilla.org/security/announce/2013/mfsa2013-35.html
http://www.mozilla.org/security/announce/2013/mfsa2013-36.html
http://www.mozilla.org/security/announce/2013/mfsa2013-37.html
http://www.mozilla.org/security/announce/2013/mfsa2013-38.html
http://www.mozilla.org/security/announce/2013/mfsa2013-39.html
http://www.mozilla.org/security/announce/2013/mfsa2013-40.html
 
CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0788
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0789
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0790
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0792
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0793
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0794
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0795
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0796
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0797
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0798
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0799
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0800
 
SecurityFocus:
http://www.securityfocus.com/bid/58818
 
Multi-State Information Sharing and Analysis Center
Center for Internet Security
31 Tech Valley Drive
East Greenbush, NY 12061
7x24 SOC: 1-866-787-4722 or (518) 266-3488
Email: soc@msisac.org
 
TLP:WHITE
Traffic Light Protocol (TLP): WHITE information may be distributed without restriction, subject to copyright controls.
http://www.us-cert.gov/tlp/
 
 
