CERT-In Advisory CIAD-2008-48
Multiple Vulnerabilities in Mozilla Products
Original issue date: October 06, 2008
Severity Rating: High
Systems Affected
- Mozilla Firefox before 2.0.0.17 and 3.x before 3.0.2
- Mozilla Thunderbird before 2.0.0.17
- Mozilla SeaMonkey before 1.1.12
Overview
Multiple vulnerabilities have been reported in Mozilla Firefox, SeaMonkey and Thunderbird which can be exploited by malicious people to bypass certain security restrictions, to disclose sensitive information, or to potentially compromise a user's system.
Description
1. Cancelled newsgroup messages buffer overflow vulnerability (CVE-2008-4070)
A buffer overflow has been reported in the handling of cancelled newsgroup messages. A remote attacker could exploit it, via a long header in a news article, to crash the application (denial of service) or to execute arbitrary code.
Note: Firefox is not affected.
2. Layout engine memory corruption vulnerabilities (CVE-2008-4063)
Multiple unspecified vulnerabilities have been reported in the browser engine used in Mozilla Firefox 3.x before 3.0.2. A remote attacker can create a specially crafted HTML page that, when loaded by the target user, triggers memory corruption. This may result in a denial of service (application crash) or possibly in the execution of arbitrary code, via vectors related to the layout engine and
- a zero value of the "this" variable in the nsContentList::Item function;
- the interaction of the Indic IME extension, a Hindi language selection, and the "g" character;
- the interaction of the nsFrameList::SortByContentOrder function with insufficient protection of inline frames.
3. Arbitrary code execution vulnerabilities in the XPConnect component (CVE-2008-4058, CVE-2008-4059)
Vulnerabilities have been reported in the XPConnect component that allow a remote attacker to pollute XPCNativeWrappers. Successful exploitation allows the attacker to execute arbitrary code with chrome privileges, via vectors related to a script element, and to chrome XBL and chrome JS.
4. Arbitrary code execution vulnerability (CVE-2008-4060)
This vulnerability allows a remote attacker to create documents that lack script-handling objects and to execute arbitrary code with chrome privileges, via vectors related to the document.loadBindingDocument function and XSLT.
5. Privilege escalation using feed preview page and XSS flaw (CVE-2008-3868)
Multiple privilege-escalation vulnerabilities reside in 'feedWriter'. A remote attacker can create a specially crafted feed that, when previewed by the target user, executes script with chrome-level privileges.
6. UTF-8 URL stack buffer overflow vulnerability (CVE-2008-0016)
A vulnerability has been reported in Mozilla Firefox and SeaMonkey due to errors in the URL parsing routines. An attacker can exploit this issue by tricking a user into opening a crafted hyperlink containing UTF-8 characters, causing a stack buffer overflow and executing arbitrary code. Failed exploit attempts result in a denial of service (application crash).
7. nsXMLDocument::OnChannelRedirect() same-origin violation vulnerability (CVE-2008-3835)
This vulnerability is caused by an error in the implementation of the same-origin check in the nsXMLDocument::OnChannelRedirect() function. Successful exploitation could allow remote attackers to bypass the Same Origin Policy and execute arbitrary JavaScript code in the context of a different website.
Note: Firefox 3 is not affected by this vulnerability.
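As an added illustration (not Mozilla's code, and not the actual nsXMLDocument logic), the following JavaScript shows the general pattern behind a same-origin failure on redirect: a loader that checks only the URL the page requested lets a same-origin URL redirect to a cross-origin one and still hands back its contents, whereas re-checking every hop against the document's origin fails closed. The redirect table, the hostnames and the loadXml function are constructed for the example.

```javascript
// Added example, not Mozilla code: same-origin enforcement across redirects.

// Two URLs share an origin when scheme, host and port all match; URL.origin
// serialises exactly those three components.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Constructed redirect table standing in for HTTP 30x responses.
const REDIRECTS = {
  "http://app.example/data.xml": "http://intranet.example/secret.xml", // hops cross-origin
  "http://app.example/feed.xml": "http://app.example/feed-v2.xml",     // stays same-origin
};

// Simulate loading requestUrl on behalf of a document at documentUrl.
// checkEveryHop === false reproduces the flawed pattern: only the URL the
// document asked for is compared against its origin, so a redirect can
// silently hand back cross-origin content.
function loadXml(documentUrl, requestUrl, checkEveryHop) {
  let current = requestUrl;
  if (!sameOrigin(documentUrl, current)) {
    return { allowed: false, finalUrl: current, reason: "initial URL is cross-origin" };
  }
  for (let hops = 0; hops < 10 && REDIRECTS[current] !== undefined; hops++) {
    const next = REDIRECTS[current];
    if (checkEveryHop && !sameOrigin(documentUrl, next)) {
      return { allowed: false, finalUrl: next, reason: "redirect target is cross-origin" };
    }
    current = next;
  }
  return { allowed: true, finalUrl: current, reason: "same-origin" };
}

// Stand-alone demonstration.
const DOC = "http://app.example/index.html";
console.log("flawed  :", loadXml(DOC, "http://app.example/data.xml", false));
console.log("hardened:", loadXml(DOC, "http://app.example/data.xml", true));
```

The fix is the position of the check, not its content: the same origin comparison must run at each redirect, because the target of a redirect is chosen by the server the page talked to, not by the page.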
8. BOM characters and low surrogates stripped from JavaScript before execution (CVE-2008-4065)
Certain Byte Order Mark (BOM) characters and low surrogate characters are stripped from JavaScript code before it is executed. Code that should have been treated as part of a quoted string can therefore execute once those characters are removed. An attacker can exploit this by submitting specially crafted HTML through a web form to a vulnerable site; because the site's script filters inspect the text before the browser strips these characters, the filters can be bypassed and cross-site scripting attacks carried out against the site's users.
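As an added illustration (not Mozilla's code), the JavaScript below models the filter/engine mismatch the advisory describes: a site-side filter inspects the submitted text as-is, while the engine strips U+FEFF before parsing, so text the filter accepted is not the text that runs. The filter, the stripping routine and the payload (a dangerous identifier split by a BOM, one illustrative instance of the mismatch) are constructed for the example; the hardened variant normalises input exactly as the consumer will before filtering.

```javascript
// Added example, not Mozilla code: a filter that inspects raw input while the
// script engine strips U+FEFF before parsing.

// Site-side blacklist filter of the kind the advisory says can be bypassed.
// Returns the input if it looks harmless, null if it is rejected.
function naiveFilter(input) {
  return /\b(alert|eval|document|window)\b/i.test(input) ? null : input;
}

// Model of the pre-parse stripping the vulnerable engine performed: byte order
// marks vanish, so the characters on either side join into one token.
function engineStrip(source) {
  return source.replace(/\uFEFF/g, "");
}

// Hardened filter: normalise the same way the consumer will, then filter, and
// only ever pass the normalised text downstream.
function hardenedFilter(input) {
  const normalised = engineStrip(input);
  return naiveFilter(normalised) === null ? null : normalised;
}

// Constructed payload: "alert" split by a BOM so the word-boundary regex never
// sees the identifier.
const PAYLOAD = "al\uFEFFert(1)";

function demo(payload) {
  return {
    naivePasses: naiveFilter(payload) !== null,       // true: filter is fooled
    engineSees: engineStrip(payload),                 // "alert(1)": what actually runs
    hardenedPasses: hardenedFilter(payload) !== null, // false: blocked
  };
}

console.log(demo(PAYLOAD));
```

The general rule the example shows: any filter must operate on the same canonical form the consumer will execute, and must forward that canonical form rather than the original bytes.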
9. Resource directory traversal vulnerability (CVE-2008-4067, CVE-2008-4068)
A directory-traversal vulnerability occurs on Linux platforms when the 'resource:' protocol is used together with URL-encoded slashes. The restrictions imposed on local HTML files could also be bypassed using the resource: protocol. These vulnerabilities allow an attacker to read information about the system and to prompt the victim to save that information in a file.
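As an added illustration (not Mozilla's code, and not the resource: protocol handler itself), the JavaScript below shows why URL-encoded slashes defeat a traversal check performed on the encoded path: the check sees one opaque segment, the later decode turns %2F into a separator, and normalisation walks out of the root. The hardened resolver decodes first, normalises, and then verifies the result is still inside the root. BASE, the helper names and the sample paths are constructed for the example.

```javascript
// Added example, not Mozilla code: traversal via URL-encoded slashes and the
// decode-then-confine fix.

// Constructed root directory that resource: paths are supposed to stay under.
const BASE = "/usr/lib/app/res";

// Collapse "." and ".." the way the filesystem would, for an already-decoded
// absolute POSIX path.  ".." at the root is discarded, as the kernel does.
function normalise(absPath) {
  const out = [];
  for (const seg of absPath.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop();
    else out.push(seg);
  }
  return "/" + out.join("/");
}

// Flawed resolver: walks the *encoded* path looking for "..", then decodes.
// "..%2F.." is one harmless-looking segment here, but decodes to "../..".
function resolveFlawed(urlPath) {
  for (const seg of urlPath.split("/")) {
    if (seg === "..") return null;
  }
  return normalise(BASE + "/" + decodeURIComponent(urlPath));
}

// Hardened resolver: decode first, normalise, then confine to BASE.  The final
// prefix check is what actually holds; the earlier steps only shape the input.
function resolveHardened(urlPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(urlPath);
  } catch (e) {
    return null; // malformed percent-encoding
  }
  if (decoded.includes("\0")) return null;
  const resolved = normalise(BASE + "/" + decoded);
  return resolved === BASE || resolved.startsWith(BASE + "/") ? resolved : null;
}

// Constructed traversal attempt: four encoded "../" hops, then /etc/passwd.
const ATTACK = "..%2F..%2F..%2F..%2Fetc/passwd";
console.log("flawed  :", resolveFlawed(ATTACK));   // escapes BASE
console.log("hardened:", resolveHardened(ATTACK)); // null
```

Checking for ".." anywhere in the string is not the fix either; the reliable control is to compute the final path the filesystem will see and confirm it lies under the intended root.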
Note: Mozilla Thunderbird is affected only by the issues described by CVE-2008-3835, CVE-2008-4070, CVE-2008-4068, CVE-2008-4058, CVE-2008-4060 and CVE-2008-4065. These issues arise in Thunderbird only when JavaScript is enabled; JavaScript is not enabled in the default installation.
Workaround
Disable JavaScript until a version containing these fixes can be installed. This reduces exposure but does not address every issue listed above; upgrading is the complete fix.
Solutions
Upgrade to a fixed version:
- Firefox 2.0.0.17: http://www.mozilla.com/en-US/firefox/all-older.html
- Firefox 3.0.2: http://www.mozilla.com/en-US/firefox/
- SeaMonkey 1.1.12: http://www.seamonkey-project.org/releases/
- Thunderbird 2.0.0.17: http://www.mozilla.com/en-US/thunderbird/all.html
Vendor Information
Mozilla
http://www.mozilla.org/security/announce/2008/mfsa2008-37.html
http://www.mozilla.org/security/announce/2008/mfsa2008-38.html
http://www.mozilla.org/security/announce/2008/mfsa2008-39.html
http://www.mozilla.org/security/announce/2008/mfsa2008-41.html
http://www.mozilla.org/security/announce/2008/mfsa2008-42.html
http://www.mozilla.org/security/announce/2008/mfsa2008-43.html
http://www.mozilla.org/security/announce/2008/mfsa2008-44.html
http://www.mozilla.org/security/announce/2008/mfsa2008-46.html
References
Bugzilla
https://bugzilla.mozilla.org/show_bug.cgi?id=443089
https://bugzilla.mozilla.org/show_bug.cgi?id=443288
https://bugzilla.mozilla.org/show_bug.cgi?id=439034
https://bugzilla.mozilla.org/show_bug.cgi?id=430658
https://bugzilla.mozilla.org/show_bug.cgi?id=360529
https://bugzilla.mozilla.org/show_bug.cgi?id=329385
https://bugzilla.mozilla.org/show_bug.cgi?id=444077
https://bugzilla.mozilla.org/show_bug.cgi?id=419848
https://bugzilla.mozilla.org/show_bug.cgi?id=451037
Secunia
http://secunia.com/advisories/32042
Juniper Networks
http://www.juniper.net/security/auto/vulnerabilities/vuln31346.html
CVE Name
CVE-2008-0016
CVE-2008-3835
CVE-2008-3868
CVE-2008-4058
CVE-2008-4059
CVE-2008-4060
CVE-2008-4063
CVE-2008-4065
CVE-2008-4067
CVE-2008-4068
CVE-2008-4070
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
