CERT-In Advisory CIAD-2008-33
Multiple Vulnerabilities in Mozilla Products
Original issue date: July 08, 2008
Severity Rating: High
Systems Affected
- Firefox Versions prior to 2.0.0.15
- SeaMonkey Versions prior to 1.1.10
- Thunderbird Version prior to and including 2.0.0.14
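The affected ranges above are the check an administrator needs to run against an inventory before applying the solutions below. The following is an added example, not part of the CERT-In advisory: a small Python triage script that encodes exactly the three ranges stated here (Firefox below 2.0.0.15, SeaMonkey below 1.1.10, Thunderbird up to and including 2.0.0.14) and flags installed versions that fall inside them. The function names, the four-component version padding and the sample inventory (hostnames and versions) are this example's own constructions; the product names and version boundaries are the advisory's.

```python
"""Added example (not part of the CERT-In advisory): decide whether an
installed Mozilla product version falls inside the affected ranges given
in CIAD-2008-33 "Systems Affected"."""

from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(version: str) -> Version:
    """Turn a dotted version such as '2.0.0.14' into a comparable tuple.

    Missing trailing components are padded with zeros so that '2.0' and
    '2.0.0.0' compare equal (padding to four parts is this example's choice).
    """
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts + (0,) * (4 - len(parts))


# Affected ranges exactly as the advisory states them:
#   Firefox   : versions prior to 2.0.0.15          (boundary not affected)
#   SeaMonkey : versions prior to 1.1.10            (boundary not affected)
#   Thunderbird: prior to AND including 2.0.0.14    (boundary affected)
AFFECTED: Dict[str, Dict[str, object]] = {
    "firefox": {"boundary": "2.0.0.15", "inclusive": False},
    "seamonkey": {"boundary": "1.1.10", "inclusive": False},
    "thunderbird": {"boundary": "2.0.0.14", "inclusive": True},
}


def is_affected(product: str, version: str) -> bool:
    """True if this product/version is inside an affected range of the advisory."""
    key = product.strip().lower()
    if key not in AFFECTED:
        raise ValueError(f"product not covered by CIAD-2008-33: {product!r}")
    rule = AFFECTED[key]
    installed = parse_version(version)
    boundary = parse_version(str(rule["boundary"]))
    if rule["inclusive"]:
        return installed <= boundary
    return installed < boundary


# Constructed sample inventory for this example (hostnames and versions
# are invented, not taken from any real environment).
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("ws-01", "Firefox", "2.0.0.14"),
    ("ws-02", "Firefox", "2.0.0.15"),
    ("ws-03", "SeaMonkey", "1.1.9"),
    ("ws-04", "Thunderbird", "2.0.0.14"),
    ("ws-05", "Thunderbird", "2.0.0.16"),
]


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (host, product, version) rows that still need the upgrade."""
    return [row for row in inventory if is_affected(row[1], row[2])]


if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is in the affected range; upgrade")
```

Note that for Thunderbird the advisory names no fixed release, so a version above 2.0.0.14 is reported only as "outside the stated affected range", not as confirmed fixed; a practitioner should confirm against the vendor advisories listed under Vendor Information.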
Overview
Multiple vulnerabilities have been reported in Mozilla products which could be exploited by an attacker to conduct cross-site scripting and spoofing attacks, bypass certain security restrictions, disclose sensitive information, or potentially compromise a user's system.
Description
1. Memory Corruption Vulnerabilities (CVE-2008-2798, CVE-2008-2799)
Multiple vulnerabilities have been reported in the browser engine used in Mozilla-based products. An attacker can exploit these by tricking a user into opening a malicious web page, causing a denial of service via application crash or possibly executing arbitrary code with the privileges of the user invoking the program.
2. XSS through JavaScript same-origin violation (CVE-2008-2800)
Multiple vulnerabilities have been reported in the JavaScript engine which allow scripts from one document to be executed in the context of a different document. A web page containing specially crafted content could potentially trick a Firefox user into surrendering sensitive information.
3. Signed JAR tampering vulnerabilities (CVE-2008-2801)
These vulnerabilities are due to an improper implementation of JAR signing. This allows JavaScript to be injected into the context of signed JAR files and executed under the context of the JAR's signer. This could allow an attacker to run JavaScript in a victim's browser with the privileges of a different website, provided the attacker possesses a JAR signed by the other website.
4. Chrome:// script privilege escalation vulnerability (CVE-2008-2802)
XUL (XML User Interface Language) is a user interface markup language developed by the Mozilla project. XUL is used in Mozilla cross-platform applications, e.g. Firefox and Flock.
XUL provides a special URL form, the chrome:// URL scheme, to give extended, or chrome, privileges to code or scripts. Code loaded from a chrome:// URL has the privileges to access local files, preferences and bookmarks and to perform other privileged operations, unlike web content, which is restricted in several ways.
A vulnerability has been reported in Mozilla XML User Interface Language which could allow a remote attacker to run arbitrary JavaScript code with chrome privileges. This issue can be exploited by loading a chrome:// script from a non-chrome XUL document and then taking advantage of the privilege level stored in the pre-compiled "fastload" file.
5. Firefox JavaScript arbitrary code execution vulnerability (CVE-2008-2803)
A vulnerability has been reported in Firefox because JavaScript loaded via the mozIJSSubScriptLoader.loadSubScript() function does not use XPCNativeWrappers when accessing content. A remote attacker can exploit this vulnerability to overwrite trusted objects and execute arbitrary code with chrome privileges.
6. Arbitrary file disclosure vulnerability (CVE-2008-2805)
This vulnerability exists due to errors in 'originalTarget' and 'DOM Range'. If a user opens malicious web page content, an attacker could exploit this to bypass the same-origin policy and create arbitrary socket connections to other domains. A remote attacker can exploit this vulnerability to steal arbitrary files from a victim's computer and disclose sensitive information.
7. Improper document origin indication vulnerability (CVE-2008-2806)
A vulnerability has been reported in Mozilla due to improper indication of the origin of a document to the Java Embedding Plugin (JEP). This vulnerability could allow a malicious Java applet supplied by an attacker to bypass the same-origin policy and create arbitrary socket connections to other domains.
8. Vulnerability in trust model (CVE-2008-2809)
A vulnerability has been reported in the trust model used by Mozilla due to the acceptance of all alternate names used by a website on a self-signed certificate. This vulnerability in the trust model could be exploited by a remote attacker to spoof that site or perform a man-in-the-middle attack.
9. Remote site run as local file via Windows URL shortcut (CVE-2008-2810)
A vulnerability has been reported in Mozilla: URL shortcut files on Windows could be interpreted as if they were in the local file context when opened by Firefox, although the referenced remote content would be downloaded and displayed. A remote attacker could exploit this to run arbitrary code from the remote site, which would then have access to all local file content in Firefox.
10. Crash and remote code execution in block reflow (CVE-2008-2811)
A remote code execution vulnerability has been reported in Mozilla's block reflow code which allows a remote attacker to crash the browser and run arbitrary code on the victim's computer.
Note: Mozilla Thunderbird is affected by the issues described by CVE-2008-2798, CVE-2008-2799, CVE-2008-2802, and CVE-2008-2803 only. Note that these issues arise in Thunderbird only when JavaScript is enabled. JavaScript is not enabled in the default installation.
Workaround
Disable JavaScript until a version containing these fixes can be installed.
Solutions
Firefox: Upgrade to version 2.0.0.15
http://www.mozilla.com/en-US/firefox/all-older.html
SeaMonkey: Upgrade to version 1.1.10
http://www.seamonkey-project.org/
Vendor Information
Mozilla
http://www.mozilla.org/security/announce/2008/mfsa2008-21.html
http://www.mozilla.org/security/announce/2008/mfsa2008-22.html
http://www.mozilla.org/security/announce/2008/mfsa2008-23.html
http://www.mozilla.org/security/announce/2008/mfsa2008-24.html
http://www.mozilla.org/security/announce/2008/mfsa2008-25.html
http://www.mozilla.org/security/announce/2008/mfsa2008-27.html
http://www.mozilla.org/security/announce/2008/mfsa2008-28.html
http://www.mozilla.org/security/announce/2008/mfsa2008-31.html
http://www.mozilla.org/security/announce/2008/mfsa2008-32.html
http://www.mozilla.org/security/announce/2008/mfsa2008-33.html
References
Bugzilla
https://bugzilla.mozilla.org/buglist.cgi?bug_id=378027,391178,430814
https://bugzilla.mozilla.org/buglist.cgi?bug_id=418128,431409,380833,356378
https://bugzilla.mozilla.org/buglist.cgi?bug_id=428672,432591,433328,439035,440308
https://bugzilla.mozilla.org/show_bug.cgi?id=424188
https://bugzilla.mozilla.org/show_bug.cgi?id=419846
https://bugzilla.mozilla.org/show_bug.cgi?id=418356
https://bugzilla.mozilla.org/show_bug.cgi?id=423541
https://bugzilla.mozilla.org/show_bug.cgi?id=408329
https://bugzilla.mozilla.org/show_bug.cgi?id=240261
https://bugzilla.mozilla.org/show_bug.cgi?id=410156
https://bugzilla.mozilla.org/show_bug.cgi?id=439735
SecurityFocus
http://www.securityfocus.com/archive/1/493844
Juniper Networks
http://www.juniper.net/security/auto/vulnerabilities/vuln30038.html
Secunia
http://secunia.com/advisories/30911/
http://secunia.com/advisories/30915/
SecurityTracker
http://securitytracker.com/alerts/2008/Jul/1020419.html
CVE-Name
CVE-2008-2798
CVE-2008-2799
CVE-2008-2800
CVE-2008-2801
CVE-2008-2802
CVE-2008-2803
CVE-2008-2805
CVE-2008-2806
CVE-2008-2809
CVE-2008-2810
CVE-2008-2811
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003