
CERT-In Advisory CIAD-2009-13
Multiple Vulnerabilities in Mozilla products

Original issue date: March 09, 2009

Severity Rating: High

Systems Affected

  • Mozilla Firefox versions prior to 3.0.7
  • Mozilla Thunderbird versions prior to 2.0.0.21
  • Mozilla SeaMonkey versions prior to 1.1.15

Overview

Multiple vulnerabilities have been reported in Mozilla Firefox, SeaMonkey and Thunderbird which could allow a remote attacker to bypass certain security restrictions, disclose sensitive information, cause a denial of service or potentially compromise an affected system.

Description

1. Multiple Layout and JavaScript engine memory corruption vulnerabilities

A memory corruption error exists when parsing malformed data in the layout engines in Mozilla Firefox, Thunderbird and SeaMonkey. A remote attacker could exploit this vulnerability via a specially crafted HTML page to trigger memory corruption and assertion failure errors. (CVE-2009-0771)

A memory corruption error exists in the layout engine of Mozilla Firefox, Thunderbird and SeaMonkey. A remote attacker could exploit this vulnerability via vectors related to nsCSSStyleSheet::GetOwnerNode, events, and garbage collection, which triggers memory corruption. (CVE-2009-0772)

Memory corruption and assertion failure errors exist in the JavaScript engine in Mozilla Firefox, Thunderbird and SeaMonkey. A remote attacker could exploit this vulnerability via a splice of an array that contains "some non-set elements", which triggers memory corruption, and via vectors related to js_DecompileValueGenerator, which trigger assertion failure errors. (CVE-2009-0773)

A memory corruption error exists in the layout engine in Mozilla Firefox, Thunderbird and SeaMonkey. A remote attacker could exploit this vulnerability via vectors related to gczeal to trigger a memory corruption error. (CVE-2009-0774)

Successful exploitation of these vulnerabilities could allow a remote attacker to cause a denial of service condition or potentially execute arbitrary code.

Workaround

  • Disable JavaScript until a version containing these fixes can be installed.

2. Mozilla Firefox XUL Linked Clones Double Free Vulnerability (CVE-2009-0775)

This vulnerability is caused by improper memory management in the garbage collection process when handling a set of cloned XUL DOM elements linked as a parent and child in Mozilla Firefox, Thunderbird and SeaMonkey. A remote attacker could exploit this vulnerability via a specially crafted page containing a set of cloned XUL DOM elements that are linked as a parent and child to trigger a memory management error.

Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code.

3. Mozilla Firefox RDFXMLDataSource and cross-domain redirect vulnerability (CVE-2009-0776)

This vulnerability is caused by a same-origin policy validation error in Mozilla Firefox, Thunderbird and SeaMonkey. A remote attacker could exploit this vulnerability using the "nsIRDFService" interface and a cross-domain redirect to bypass the same-origin policy. Successful exploitation of this vulnerability could allow a remote attacker to obtain potentially sensitive information from other arbitrary domains.

Workaround

  • Disable JavaScript until a version containing these fixes can be installed.

4. URL spoofing with invisible control characters vulnerability (CVE-2009-0777)

This vulnerability is caused by an error when handling invisible control characters included in the location bar in Mozilla Firefox. This vulnerability could allow remote attackers to spoof the location bar to display misleading URLs and conduct phishing attacks.

Note: Mozilla Thunderbird and Mozilla SeaMonkey are not affected by this issue.
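
As a defensive check related to item 4, the following added example (not part of the CERT-In advisory or of any Mozilla code) flags links that carry invisible characters, whether raw or percent-encoded, and renders them visibly for review. The set of Unicode categories treated as invisible and the sample URLs are assumptions of this example.

```python
import unicodedata
from urllib.parse import unquote

# Unicode general categories this example treats as invisible (an assumption):
# Cc = control, Cf = format (zero-width, bidi marks), Zl/Zp = line/paragraph separators.
INVISIBLE_CATEGORIES = {"Cc", "Cf", "Zl", "Zp"}

def invisible_chars(url):
    """Return (offset, code point, name) for each invisible character in the URL.

    The URL is percent-decoded first, because the characters can arrive
    either raw or as escapes such as %E2%80%8B.
    """
    findings = []
    for offset, ch in enumerate(unquote(url)):
        if unicodedata.category(ch) in INVISIBLE_CATEGORIES:
            name = unicodedata.name(ch, "<unnamed control>")
            findings.append((offset, f"U+{ord(ch):04X}", name))
    return findings

def reveal(url):
    """Render the decoded URL with every invisible character spelled out."""
    return "".join(
        f"<U+{ord(ch):04X}>" if unicodedata.category(ch) in INVISIBLE_CATEGORIES else ch
        for ch in unquote(url)
    )

# Constructed sample links (for illustration only).
SAMPLES = [
    "http://example.com/login",
    "http://example.com/a%E2%80%8Bb",     # escaped ZERO WIDTH SPACE
    "http://example.com/x%00y",           # escaped NUL
    "http://example.com/pay\u00adments",  # raw SOFT HYPHEN
]

def triage(urls):
    """Return (revealed URL, findings) for every URL that needs a second look."""
    return [(reveal(u), invisible_chars(u)) for u in urls if invisible_chars(u)]

if __name__ == "__main__":
    for shown, found in triage(SAMPLES):
        print(shown, found)
```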

5. Mozilla Firefox libpng Memory Error (CVE-2009-0040)

This vulnerability is caused by an error in handling out-of-memory conditions in libpng, the PNG reference library, before 1.0.43 and 1.2.x before 1.2.35, as used by Mozilla Firefox. A remote attacker could exploit this vulnerability using a specially crafted PNG image file that triggers an attempt to free uninitialized memory. Successful exploitation of this vulnerability could allow a remote attacker to cause a denial of service condition or possibly execute arbitrary code.

Solutions

Update to Mozilla Firefox version 3.0.7.
http://www.mozilla.com/en-US/firefox/all.html

Update to Mozilla SeaMonkey version 1.1.15
http://www.seamonkey-project.org/releases/

Update to Mozilla Thunderbird version 2.0.0.21
http://www.mozilla.com/en-US/thunderbird/all.html
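
To find installations that still need the updates listed above, the following added example (not part of the original advisory) compares inventoried versions against the fixed versions numerically, so that 3.0.10 is not mistaken for an older release than 3.0.7. The "host,product,version" inventory format and the sample rows are assumptions of this example.

```python
import re

# Fixed versions as listed in this advisory.
FIXED = {
    "firefox": (3, 0, 7),
    "thunderbird": (2, 0, 0, 21),
    "seamonkey": (1, 1, 15),
}

def parse_version(text):
    """Parse a purely numeric dotted version; return None for anything else."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))

def is_affected(product, version):
    """True/False against the advisory's fixed version, None if undecidable."""
    fixed = FIXED.get(product.strip().lower())
    parsed = parse_version(version.strip())
    if fixed is None or parsed is None:
        return None  # unknown product or non-numeric version: review by hand
    width = max(len(fixed), len(parsed))
    pad = lambda v: v + (0,) * (width - len(v))  # "3" compares as 3.0.0
    return pad(parsed) < pad(fixed)

def audit(inventory_lines):
    """Return (host, product, version, status) for each inventory row."""
    labels = {True: "UPDATE", False: "ok", None: "review"}
    report = []
    for line in inventory_lines:
        host, product, version = (field.strip() for field in line.split(","))
        report.append((host, product, version, labels[is_affected(product, version)]))
    return report

# Constructed inventory rows (assumed format: host,product,version).
SAMPLE_INVENTORY = [
    "ws-01,Firefox,3.0.6",
    "ws-02,Firefox,3.0.10",
    "ws-03,Thunderbird,2.0.0.9",
    "ws-04,SeaMonkey,1.1.15",
    "ws-05,Firefox,3.1b2",
]

if __name__ == "__main__":
    for row in audit(SAMPLE_INVENTORY):
        print(*row)
```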

Vendor Information

Mozilla
http://www.mozilla.org/security/announce/2009/mfsa2009-07.html
http://www.mozilla.org/security/announce/2009/mfsa2009-08.html
http://www.mozilla.org/security/announce/2009/mfsa2009-09.html
http://www.mozilla.org/security/announce/2009/mfsa2009-10.html
http://www.mozilla.org/security/announce/2009/mfsa2009-11.html

References

ZDI
http://www.zerodayinitiative.com/advisories/ZDI-09-013

Bugzilla
https://bugzilla.mozilla.org/buglist.cgi?bug_id=424276,435209,436965,460706,466057,468578,471594,472502

https://bugzilla.mozilla.org/show_bug.cgi?id=475136
https://bugzilla.mozilla.org/buglist.cgi?bug_id=457521,467499,472787
https://bugzilla.mozilla.org/show_bug.cgi?id=473709
https://bugzilla.mozilla.org/show_bug.cgi?id=452979
https://bugzilla.mozilla.org/show_bug.cgi?id=478901

Nessus
http://www.nessus.org/plugins/index.php?view=single&id=35773

Secunia
http://secunia.com/advisories/34145/

SecurityFocus
http://www.securityfocus.com/bid/33990

SecurityTracker
http://www.securitytracker.com/alerts/2009/Mar/1021795.html
http://www.securitytracker.com/alerts/2009/Mar/1021796.html
http://www.securitytracker.com/alerts/2009/Mar/1021797.html
http://www.securitytracker.com/alerts/2009/Mar/1021798.html
http://www.securitytracker.com/alerts/2009/Mar/1021799.html

VUPEN Security
http://www.vupen.com/english/advisories/2009/0599

CVE Name
CVE-2009-0040
CVE-2009-0771
CVE-2009-0772
CVE-2009-0773
CVE-2009-0774
CVE-2009-0775
CVE-2009-0776
CVE-2009-0777

CWE
CWE-399

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003