
CERT-In Advisory CIAD-2009-06
Multiple Vulnerabilities in Mozilla products

Original issue date: February 11, 2009

Severity Rating: High

Systems Affected

  • Mozilla Firefox 3 version 3.0.5 and prior
  • Mozilla Thunderbird version 2.0.0.20 and prior
  • Mozilla SeaMonkey version 1.1.14 and prior

Overview

Multiple vulnerabilities have been reported in Mozilla Firefox, SeaMonkey and Thunderbird which could allow a remote attacker to bypass certain security restrictions, to disclose sensitive information, or to potentially compromise an affected system.

Description

1. Mozilla layout engine crash vulnerability (CVE-2009-0352)

Multiple memory corruption bugs exist in the layout engine of Mozilla Firefox 3.x, Thunderbird 2.x and SeaMonkey 1.x which could allow remote attackers to cause a denial of service (application crash) on the target system. Some of these bugs may allow execution of arbitrary code.

Workaround

  • Disable JavaScript until a version containing these fixes can be installed.

2. JavaScript engine crash vulnerability (CVE-2009-0353)

A memory corruption vulnerability exists in the JavaScript engine of Mozilla Firefox 3.x, Thunderbird 2.x and SeaMonkey 1.x which could allow remote attackers to cause a denial of service (application crash) or to execute arbitrary code on the target system.

Workaround

  • Disable JavaScript until a version containing these fixes can be installed.

3. chrome XBL method and window.eval XSS vulnerability
    (CVE-2009-0354)

This vulnerability is caused by an error in the handling of a chrome XBL method used in conjunction with the window.eval method. It could allow remote attackers to violate the same-origin policy and conduct cross-site scripting attacks.

A remote attacker can exploit this vulnerability by creating a specially crafted HTML file and enticing the user to open it. The crafted HTML file invokes a chrome XBL method in conjunction with the window.eval method, which allows arbitrary script to be executed. That script runs in the security context of a site of the attacker's choosing.

Mozilla Thunderbird and Mozilla SeaMonkey are not affected by this issue.

Workaround

  • Disable JavaScript until a version containing these fixes can be installed.

4. SessionStore Local file disclosure vulnerability
    (CVE-2009-0355)

An error exists in the SessionStore feature of Firefox 3.x which could allow a remote attacker to read the contents of local files on a vulnerable system.

This vulnerability exists because a form input control's text value can be changed when a closed tab is restored. A remote attacker can exploit this by setting an input control's text value to the path of a local file and then persuading the user to reopen the closed tab. On restore, the page can automatically submit the form and so disclose the contents of the user's local file.

Mozilla Thunderbird and Mozilla SeaMonkey are not affected by this issue.
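
The restore step described above, modelled as an added example that is not Mozilla's code: a saved text value is written back into a control that the page has meanwhile turned into a file-upload field, and a hardened restore routine that skips file controls. DOM nodes are plain objects so it runs under Node; the control ids, the form action, the saved path and the assumption that skipping file controls mirrors the vendor fix are all this example's own.

```javascript
// Added example, not Mozilla's code: tab restore versus a form that changes
// its own control type between close and reopen. DOM nodes are plain objects.

// Page as the attacker built it: an ordinary text field with id "upload".
function makeForm() {
  return {
    action: 'https://attacker.example/collect',   // constructed
    controls: [
      { id: 'name',   type: 'text', value: '' },
      { id: 'upload', type: 'text', value: '' },
    ],
  };
}

// Form state the browser saved when the tab was closed. The page had already
// written a local path into the text field, which is permitted for type=text.
const SAVED_STATE = { name: 'alice', upload: '/etc/passwd' };   // constructed

// On reload, before the restore runs, the page's script turns the text field
// into a file-upload control. Script may not set a file control's value
// itself, so it relies on the restore step to do that.
function attackerMutatesForm(form) {
  const upload = form.controls.find((c) => c.id === 'upload');
  upload.type = 'file';
  return form;
}

// Vulnerable restore: writes every saved value back regardless of control type.
function restoreFormDataVulnerable(form, state) {
  for (const c of form.controls) {
    if (Object.prototype.hasOwnProperty.call(state, c.id)) {
      c.value = state[c.id];
    }
  }
  return form;
}

// Hardened restore: a control that is a file input at restore time never
// receives a value from saved state (assumption: this mirrors the vendor fix).
function restoreFormDataHardened(form, state) {
  for (const c of form.controls) {
    if (!Object.prototype.hasOwnProperty.call(state, c.id)) continue;
    if (c.type === 'file') continue;
    c.value = state[c.id];
  }
  return form;
}

// Paths that would be uploaded to form.action if the page submits by script.
function filesThatWouldBeSubmitted(form) {
  return form.controls
    .filter((c) => c.type === 'file' && c.value !== '')
    .map((c) => c.value);
}

// The whole reopen sequence with a given restore routine.
function reopenTab(restore) {
  const form = attackerMutatesForm(makeForm());
  restore(form, SAVED_STATE);
  return filesThatWouldBeSubmitted(form);
}

console.log('vulnerable restore would upload:', reopenTab(restoreFormDataVulnerable));
console.log('hardened restore would upload:  ', reopenTab(restoreFormDataHardened));
```

The check that matters is the type of the control at restore time, not the type recorded when the state was saved: the page controls the former, the browser the latter.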

5. Local .desktop chrome privilege escalation vulnerability
    (CVE-2009-0356)

This vulnerability exists because the fix for an earlier vulnerability (MFSA 2008-47) could be bypassed by redirecting to a privileged about: URI such as about:plugins.

A remote attacker can exploit this by creating a malicious HTML file and a '.desktop' shortcut file and persuading the user to download both. The HTML document can then load a privileged chrome document via the shortcut, and because both documents are treated as same origin, the attacker can inject arbitrary code into the chrome document and execute it with chrome privileges.

Mozilla Thunderbird is not affected.

6. HTTPOnly cookie flag enforcement error vulnerability
    (CVE-2009-0357)

This vulnerability is caused by the JavaScript XMLHttpRequest.getResponseHeader and XMLHttpRequest.getAllResponseHeaders APIs returning the Set-Cookie headers of a response, including cookies carrying the "HTTPOnly" flag. This bypasses the protection the HTTPOnly flag is meant to provide, namely keeping such cookies out of reach of JavaScript via document.cookie.

Mozilla Thunderbird is not affected by this issue.
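
The header-filtering rule an XMLHttpRequest implementation needs, shown as an added example that is not Mozilla's code: the vulnerable behaviour hands script whatever the server sent, the hardened behaviour withholds Set-Cookie and Set-Cookie2 so the HTTPOnly flag keeps its meaning. Headers are modelled as name/value pairs and the sample response is constructed for the example.

```javascript
// Added example, not Mozilla's code: XMLHttpRequest header access with and
// without the Set-Cookie filter. Headers are [name, value] pairs.

// Constructed server response; the first cookie is the session cookie the
// HttpOnly flag is supposed to hide from script.
const SAMPLE_RESPONSE_HEADERS = [
  ['Content-Type', 'text/html; charset=utf-8'],
  ['Set-Cookie', 'SESSIONID=9f8e7d6c; Path=/; Secure; HttpOnly'],
  ['Set-Cookie', 'theme=dark; Path=/'],
  ['Cache-Control', 'no-store'],
];

// Response headers script must never see (Set-Cookie2 is the RFC 2965 form).
const FORBIDDEN_RESPONSE_HEADERS = new Set(['set-cookie', 'set-cookie2']);

// All values of one header joined with ", ", as getResponseHeader returns them.
function collectHeader(headers, name) {
  const wanted = name.toLowerCase();
  const values = headers
    .filter(([n]) => n.toLowerCase() === wanted)
    .map(([, v]) => v);
  return values.length ? values.join(', ') : null;
}

// Vulnerable behaviour: no filtering at all.
function getResponseHeaderVulnerable(headers, name) {
  return collectHeader(headers, name);
}

function getAllResponseHeadersVulnerable(headers) {
  return headers.map(([n, v]) => `${n}: ${v}`).join('\r\n') + '\r\n';
}

// Hardened behaviour: cookie-setting headers are dropped before script sees them.
function getResponseHeaderHardened(headers, name) {
  if (FORBIDDEN_RESPONSE_HEADERS.has(name.toLowerCase())) return null;
  return collectHeader(headers, name);
}

function getAllResponseHeadersHardened(headers) {
  return headers
    .filter(([n]) => !FORBIDDEN_RESPONSE_HEADERS.has(n.toLowerCase()))
    .map(([n, v]) => `${n}: ${v}`)
    .join('\r\n') + '\r\n';
}

// Oracle for a test page: does text handed to script carry an HttpOnly cookie?
function exposesHttpOnlyCookie(text) {
  return text !== null && /;\s*httponly\b/i.test(text);
}

console.log('vulnerable getResponseHeader leaks HttpOnly cookie:',
  exposesHttpOnlyCookie(getResponseHeaderVulnerable(SAMPLE_RESPONSE_HEADERS, 'Set-Cookie')));
console.log('hardened getAllResponseHeaders leaks HttpOnly cookie:',
  exposesHttpOnlyCookie(getAllResponseHeadersHardened(SAMPLE_RESPONSE_HEADERS)));
```

The same two header names are the ones the XMLHttpRequest specification lists as forbidden response-header names today; a quick way to test a client is to fetch a page that sets an HttpOnly cookie and run the oracle above over both API results.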

7. Cache-Control directives vulnerability (CVE-2009-0358)

This vulnerability is caused by Firefox 3.x ignoring the "Cache-Control: no-store" and "Cache-Control: no-cache" HTTP directives, which can be exploited to disclose potentially sensitive information via cached pages. A local user on the system could use this vulnerability to view improperly cached pages containing private data by navigating the browser back.

Mozilla Thunderbird and Mozilla SeaMonkey are not affected by this issue.
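
What a client is expected to make of those two directives, as an added example that is not Mozilla's code: a small Cache-Control parser (comma-separated directives, case-insensitive names, quoted arguments, repeated header lines) and the store/revalidate decision derived from it, plus the check a site operator would run over its own responses. The sample header values are constructed for the example.

```javascript
// Added example, not Mozilla's code: parse Cache-Control and derive the
// caching decision a conforming client must reach.

// Split on commas that are not inside quoted strings, removing the quotes
// and their backslash escapes on the way.
function splitDirectives(value) {
  const parts = [];
  let current = '';
  let inQuotes = false;
  for (let i = 0; i < value.length; i++) {
    const ch = value[i];
    if (inQuotes) {
      if (ch === '\\' && i + 1 < value.length) { current += value[++i]; continue; }
      if (ch === '"') { inQuotes = false; continue; }
      current += ch;
    } else if (ch === '"') {
      inQuotes = true;
    } else if (ch === ',') {
      parts.push(current);
      current = '';
    } else {
      current += ch;
    }
  }
  parts.push(current);
  return parts.map((p) => p.trim()).filter((p) => p.length > 0);
}

// Accepts one header value or an array of them (repeated Cache-Control lines).
// Directive names are case-insensitive; a directive without "=" maps to true.
function parseCacheControl(headerValues) {
  const directives = new Map();
  for (const value of [].concat(headerValues)) {
    for (const part of splitDirectives(value)) {
      const eq = part.indexOf('=');
      const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
      const arg = eq === -1 ? true : part.slice(eq + 1).trim();
      directives.set(name, arg);
    }
  }
  return directives;
}

// Decision for the client:
//   store      - may the response be written to the cache at all?
//   revalidate - must the origin be asked before a stored copy is shown again,
//                including when the user navigates back to the page?
// A no-cache with a field list (no-cache="Set-Cookie") is treated here as an
// unqualified no-cache, the conservative reading.
function cachePolicy(headerValues) {
  const d = parseCacheControl(headerValues);
  const noStore = d.has('no-store');
  const maxAge = d.has('max-age') ? Number.parseInt(d.get('max-age'), 10) : NaN;
  const revalidate = noStore || d.has('no-cache') || maxAge === 0;
  return { store: !noStore, revalidate };
}

// Server-side check: a response carrying private data must say no-store,
// the directive that asks every cache not to retain it.
function protectsPrivateData(headerValues) {
  return parseCacheControl(headerValues).has('no-store');
}

console.log(cachePolicy('private, max-age=0, no-store'));    // { store: false, revalidate: true }
console.log(cachePolicy('public, max-age="3600"'));          // { store: true, revalidate: false }
```

The bug in item 7 is that a client computed the right answer from these headers for the fetch and then ignored it when the page was revisited from history; the policy object above is the thing that must be consulted on the back navigation too.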

Solutions

Update to Mozilla Firefox version 3.0.6.
http://www.mozilla.com/en-US/firefox/all.html

Update to Mozilla SeaMonkey version 1.1.15
http://www.seamonkey-project.org/releases/

Update to Mozilla Thunderbird version 2.0.0.21
http://www.mozilla.com/en-US/thunderbird/all.html

Vendor Information

Mozilla
http://www.mozilla.org/security/announce/2009/mfsa2009-01.html
http://www.mozilla.org/security/announce/2009/mfsa2009-02.html
http://www.mozilla.org/security/announce/2009/mfsa2009-03.html
http://www.mozilla.org/security/announce/2009/mfsa2009-04.html
http://www.mozilla.org/security/announce/2009/mfsa2009-05.html
http://www.mozilla.org/security/announce/2009/mfsa2009-06.html


References

Bugzilla
https://bugzilla.mozilla.org/buglist.cgi?bug_id=449006,331088,401042,416461,422283,422301,431705,437142,421839,420697,461027

https://bugzilla.mozilla.org/show_bug.cgi?id=452913
https://bugzilla.mozilla.org/show_bug.cgi?id=468581
https://bugzilla.mozilla.org/show_bug.cgi?id=441751

Nessus
http://www.nessus.org/plugins/index.php?view=single&id=35581

Secunia
http://secunia.com/advisories/33799/

SecurityFocus
http://www.securityfocus.com/bid/33598

SecurityTracker
http://securitytracker.com/alerts/2009/Feb/1021663.html
http://securitytracker.com/alerts/2009/Feb/1021664.html
http://securitytracker.com/alerts/2009/Feb/1021666.html
http://securitytracker.com/alerts/2009/Feb/1021668.html
http://securitytracker.com/alerts/2009/Feb/1021667.html

VUPEN Security
http://www.vupen.com/english/advisories/2009/0313

CVE Name
CVE-2009-0352
CVE-2009-0353
CVE-2009-0354
CVE-2009-0355
CVE-2009-0356
CVE-2009-0357
CVE-2009-0358

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003