CERT-In Advisory CIAD-2009-30
Multiple Vulnerabilities in Mozilla Products
http://www.cert-in.org.in/advisory/ciad-2009-30.htm
Original issue date: June 17, 2009
Severity Rating: High
Systems Affected
Mozilla Firefox Versions prior to 3.0.11
Mozilla Thunderbird Versions prior to 2.0.0.22
Mozilla SeaMonkey Versions prior to 1.1.17
Overview
Multiple vulnerabilities have been reported in Mozilla Firefox, Thunderbird
and SeaMonkey which could allow a remote attacker to bypass certain
security restrictions, obtain potentially sensitive information, cause a
denial of service, execute arbitrary code or potentially compromise an
affected system.
Description
1. Multiple Memory corruption vulnerabilities in the JavaScript and
browser engines (CVE-2009-1392, CVE-2009-1832, CVE-2009-1833)
Multiple memory corruption vulnerabilities have been reported in Mozilla
Firefox, Thunderbird and SeaMonkey due to improper handling of malformed
data in the JavaScript and browser engines. A remote attacker could exploit
these vulnerabilities via a specially crafted HTML file to trigger a memory
corruption error. Successful exploitation of these vulnerabilities could
allow a remote attacker to cause a denial of service condition or execute
arbitrary code.
Workaround
Disable JavaScript until a version containing these fixes can be installed.
2. Unicode Character Processing URL spoofing Vulnerability
(CVE-2009-1834)
This vulnerability is caused by an error in the handling of certain
invalid Unicode characters when they are used as part of an IDN
(Internationalized Domain Name) in the netwerk/dns/src/nsIDNService.cpp
file in Mozilla Firefox and SeaMonkey. A remote attacker could exploit this
vulnerability via an IDN with invalid Unicode characters that are displayed
as whitespace. Successful exploitation of this vulnerability could allow a
remote attacker to spoof the location bar.
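
Added example (not part of the CERT-In advisory and not Mozilla's code): a Python check that a mail gateway or URL filter could apply to host names, returning the ASCII-compatible form whenever a label contains a character that renders as blank or invisible. The category set, the function names and the sample hosts are assumptions of this example.

```python
import unicodedata

# Categories that must not appear in a displayed host label: separators
# (render as blank), control/format (invisible), unassigned, private use,
# surrogates. Assumption of this example, not Mozilla's own character list.
SUSPECT_CATEGORIES = {"Zs", "Zl", "Zp", "Cc", "Cf", "Cn", "Co", "Cs"}


def suspect_chars(label):
    """Return (index, code point, category) for each suspect character."""
    return [(i, "U+%04X" % ord(ch), unicodedata.category(ch))
            for i, ch in enumerate(label)
            if unicodedata.category(ch) in SUSPECT_CATEGORIES]


def to_ace(label):
    """Encode one label as raw Punycode with the ACE prefix (no nameprep)."""
    if label.isascii():
        return label.lower()
    return "xn--" + label.encode("punycode").decode("ascii")


def display_host(host):
    """Return (text_to_display, findings) for a host name.

    The Unicode form is returned only when no label holds a suspect
    character; otherwise every label is returned in ASCII form, so a
    blank-rendering character cannot visually split the host name.
    """
    labels = host.split(".")
    findings = {}
    for label in labels:
        hits = suspect_chars(label)
        if hits:
            findings[label] = hits
    if findings:
        return ".".join(to_ace(label) for label in labels), findings
    return host, findings


# Constructed sample hosts (U+2003 EM SPACE is category Zs).
SAMPLES = ["b\u00fccher.example", "www.exam\u2003ple.test"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(display_host(sample))
```
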
3. Arbitrary domain cookie access by local file: resources
Vulnerability (CVE-2009-1835)
This vulnerability is caused by an error when interpreting the "file:"
protocol in Mozilla Firefox and SeaMonkey. A remote attacker could exploit
this vulnerability by tricking a user into downloading and opening a
malicious file via the browser. Successful exploitation of this
vulnerability could allow a remote attacker to access any domain's cookies
saved on a vulnerable system.
4. Proxy CONNECT requests SSL tampering Vulnerability
(CVE-2009-1836)
This vulnerability is caused by an error in the handling of non-200
responses returned by a proxy in reply to a CONNECT request in Mozilla
Firefox, Thunderbird and SeaMonkey. A remote attacker could exploit this
vulnerability by intercepting a CONNECT request and replying with a
specially crafted non-200 HTTP response message containing malicious code.
Successful exploitation of this vulnerability could allow a remote attacker
to execute arbitrary HTML and script code on the affected system within the
context of the requested SSL-protected domain. Successful exploitation
requires a man-in-the-middle attack and that the target user uses a proxy.
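
Added example (not part of the advisory and not Mozilla's code): a Python model of a client handling the proxy's reply to CONNECT, with the behaviour described above beside a hardened form that never attributes proxy-supplied bytes to the requested origin. The function names, the result dictionary and the sample replies are assumptions of this example.

```python
def split_reply(raw: bytes):
    """Split a proxy reply into (status code or None, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split(b" ", 2)
    ok = (len(parts) >= 2 and parts[0].startswith(b"HTTP/1.")
          and len(parts[1]) == 3 and parts[1].isdigit())
    return (int(parts[1]) if ok else None), body


def flawed_client(raw: bytes, target_origin: str):
    """The behaviour the advisory describes: the body of a non-200 reply is
    rendered as if it had come from the requested HTTPS origin."""
    status, body = split_reply(raw)
    if status == 200:
        return {"action": "start_tls", "origin": target_origin, "render": None}
    return {"action": "render", "origin": target_origin, "render": body}


def hardened_client(raw: bytes, target_origin: str):
    """Never attribute proxy-supplied bytes to the target origin.

    The reply to CONNECT arrives before any TLS handshake, so nothing in it
    is authenticated by the target server.
    """
    status, _body = split_reply(raw)  # the proxy's body is deliberately dropped
    if status is not None and 200 <= status < 300:
        # Only data later received inside the verified TLS session belongs
        # to target_origin.
        return {"action": "start_tls", "origin": target_origin, "render": None}
    msg = "The proxy refused the connection (status %s)." % status
    # Locally generated text, shown without any web origin.
    return {"action": "local_error", "origin": None, "render": msg.encode()}


# Constructed sample replies, not captured traffic.
REFUSED = (b"HTTP/1.1 502 Bad Gateway\r\nContent-Type: text/html\r\n\r\n"
           b"<html>text chosen by whoever sent this reply</html>")
ESTABLISHED = b"HTTP/1.1 200 Connection established\r\n\r\n"

if __name__ == "__main__":
    for client in (flawed_client, hardened_client):
        print(client.__name__, client(REFUSED, "https://bank.example"))
```
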
5. Proxy CONNECT requests SSL tampering Vulnerability
(CVE-2009-1837)
This vulnerability is caused by a race condition in the
"NPObjWrapper_NewResolve" function in the
modules/plugin/base/src/nsJSNPRuntime.cpp file when accessing the
properties of an NPObject (a wrapped JSObject) when navigating away from a
web page while loading a Java applet in Mozilla Firefox. A remote attacker
could exploit this vulnerability by tricking a user into loading a
specially crafted web page that uses already freed memory. Successful
exploitation of this vulnerability could allow a remote attacker to execute
arbitrary code.
Workaround
Disable Java until a version containing these fixes can be installed.
Note: This vulnerability does not affect Firefox 2.
6. Event Listener Null Document Owner chrome privilege escalation
Vulnerability (CVE-2009-1838)
This vulnerability is caused by an error when handling event listeners
attached to an element whose owner document is null in Mozilla Firefox,
Thunderbird and SeaMonkey. The owner document of an element can become null
after garbage collection. A remote attacker could exploit this
vulnerability via a specially crafted event handler, related to an
incorrect context for this event handler. Successful exploitation of this
vulnerability could allow a remote attacker to execute arbitrary
JavaScript code with chrome privileges.
7. file: resources Incorrect principal association Vulnerability
(CVE-2009-1839)
This vulnerability is caused by an incorrect association of a principal
when loading a "file:" resource via the location bar in Mozilla Firefox. A
remote attacker could exploit this vulnerability by tricking a user into
opening a specially crafted HTML document in the local file system.
Successful exploitation of this vulnerability could allow a remote attacker
to bypass intended access restrictions and read the contents of other local
files, which would normally be protected.
8. XUL scripts content-policy checks bypass Vulnerability
(CVE-2009-1840)
This vulnerability is caused by an error in checking content-loading
policies before loading external script files into XUL documents in Mozilla
Firefox, Thunderbird and SeaMonkey. A remote attacker could exploit this
vulnerability via a specially crafted HTML document to bypass intended
access restrictions.
9. JavaScript chrome privilege escalation Vulnerability
(CVE-2009-1841)
This vulnerability is caused by an error in the
js/src/xpconnect/src/xpcwrappedjsclass.cpp file when a chrome privileged
object, such as the browser sidebar or the FeedWriter, interacts with web
content in Mozilla Firefox, Thunderbird and SeaMonkey. A remote attacker
could exploit this vulnerability to execute arbitrary code with the
privileges of a chrome object.
Workaround
Disable JavaScript until a version containing this fix can be installed.
Solutions
Upgrade to Mozilla Firefox version 3.0.11
http://www.mozilla.com/firefox/
Upgrade to Mozilla SeaMonkey version 2.0.0.22
http://www.mozilla.org/projects/seamonkey/
Upgrade to Mozilla Thunderbird version 1.1.17
http://www.mozilla.com/thunderbird/
Vendor Information
Mozilla
http://www.mozilla.org/security/announce/
CVE Name
CVE-2009-1392
CVE-2009-1832
CVE-2009-1833
CVE-2009-1834
CVE-2009-1835
CVE-2009-1836
CVE-2009-1837
CVE-2009-1838
CVE-2009-1839
CVE-2009-1840
CVE-2009-1841
CWE
CWE-20
CWE-59
CWE-264
Disclaimer
The information provided herein is on "as is" basis, without warranty of
any kind.
Contact Information
Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
Note: Please do not reply to this e-mail. For further queries contact
CERT-In Information Desk. Email: info@cert-in.org.in