CERT-In Advisory CIAD-2009-21
Multiple Vulnerabilities in Mozilla Products
Original issue date: April 24, 2009
Severity Rating: High
Systems Affected
- Mozilla Firefox versions 2.x and prior
- Mozilla Firefox versions 3.x prior to 3.0.9
- Mozilla Thunderbird versions 2.x prior to 2.0.0.22
- Mozilla SeaMonkey versions 1.x prior to 1.1.17
Overview
Multiple vulnerabilities have been reported in Mozilla Firefox, Thunderbird and SeaMonkey which could allow a remote attacker to bypass certain security restrictions, obtain potentially sensitive information, execute arbitrary code, cause a denial of service or potentially compromise an affected system.
Description
1. IDN Subdomain URI Spoofing Vulnerability (CVE-2009-0652)
This vulnerability is caused due to improper rendering of homoglyph characters in IDN (International Domain Name) support in Mozilla Firefox. A remote attacker could exploit this vulnerability to spoof a URL via a domain (e.g. a ".cn" domain) containing certain international characters that resemble other commonly used characters (e.g. "/" and "?") in the sub-domain part. Successful exploitation of this vulnerability could allow a remote attacker to spoof URLs and conduct phishing attacks.
Note: Mozilla SeaMonkey and Thunderbird are not affected by this issue.
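The following check, added here as an example and not part of the CERT-In advisory or Mozilla's own code, flags hostnames whose sub-domain labels contain non-ASCII characters that render like the URL delimiters described above. It decodes punycode ("xn--") labels the way a browser does before display, folds each character with NFKC (which maps the fullwidth "／" and "？" to their ASCII forms) and consults a small constructed table for look-alikes that NFKC does not cover.

```python
import unicodedata

# ASCII characters that delimit URL structure. A look-alike of one of these
# inside a hostname label can make "trusted.example/login?id=1" appear in the
# address bar while the registrable domain is something else entirely.
DELIMITERS = set("/?#\\@:")

# Constructed, non-exhaustive table of glyphs with no NFKC mapping that still
# render like a delimiter (assumption: extend it from the UTS #39 confusables
# data if that is available in your environment).
EXTRA_CONFUSABLES = {
    "\u2044": "/",   # FRACTION SLASH
    "\u2215": "/",   # DIVISION SLASH
    "\u29f8": "/",   # BIG SOLIDUS
    "\u0294": "?",   # LATIN LETTER GLOTTAL STOP
}

def host_of(url):
    """Extract the hostname by hand: urllib may reject such netlocs outright
    (Python 3.7.3+ raises on NFKC-foldable delimiters in the netloc), and we
    want to report them, not crash. IPv6 literals are not handled here."""
    rest = url.split("://", 1)[1] if "://" in url else url
    netloc = rest.split("/", 1)[0].split("?", 1)[0].split("#", 1)[0]
    netloc = netloc.rsplit("@", 1)[-1]           # drop userinfo
    return netloc.split(":", 1)[0].lower()       # drop port

def decode_labels(host):
    """Return hostname labels in Unicode form, decoding punycode labels as the
    browser does before rendering them."""
    labels = []
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass                             # undecodable: keep raw for the report
        labels.append(label)
    return labels

def find_delimiter_lookalikes(url):
    """Return (label_index, char, looks_like) for every non-ASCII character in
    the hostname that renders like a URL delimiter."""
    findings = []
    for i, label in enumerate(decode_labels(host_of(url))):
        for ch in label:
            if ord(ch) < 0x80:
                continue
            folded = unicodedata.normalize("NFKC", ch)
            look = folded if folded in DELIMITERS else EXTRA_CONFUSABLES.get(ch)
            if look:
                findings.append((i, ch, look))
    return findings
```

The label index tells you how far from the registrable domain the look-alike sits; in a spoof the findings cluster in the leftmost labels, which is where a displayed "path" would have to appear.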
2. Browser Engine and JavaScript Engine Memory Corruption Vulnerabilities (CVE-2009-1302, CVE-2009-1303, CVE-2009-1304, CVE-2009-1305)
These vulnerabilities are caused due to multiple errors in the browser engine and JavaScript engine in Mozilla Firefox, Thunderbird and SeaMonkey. A remote attacker could exploit these vulnerabilities via a specially crafted HTML page to trigger a memory corruption error. Successful exploitation of these vulnerabilities could allow a remote attacker to execute arbitrary code.
Workaround
Disable JavaScript until a version containing these fixes can be installed.
3. 'jar:' Scheme Error Processing the 'content-disposition:' Header Vulnerability (CVE-2009-1306)
This vulnerability is caused due to an error in Mozilla Firefox, Thunderbird and SeaMonkey when the "jar:" scheme is used to wrap a URI which serves content with "Content-Disposition: attachment". A remote attacker could exploit this vulnerability on sites that allow users to upload arbitrary content, which is served as "application/java-archive" or "application/x-jar", and that rely on the HTTP header "Content-Disposition: attachment" to prevent potentially untrusted content from being displayed.
Successful exploitation of this vulnerability could allow a remote attacker to subvert sites and conduct cross-site scripting attacks.
4. Adobe Flash Content Processing Cross-Domain Restrictions Security Bypass Vulnerability (CVE-2009-1307)
This vulnerability is caused due to an error when loading an Adobe Flash file via the "view-source:" scheme in Mozilla Firefox, Thunderbird and SeaMonkey. A remote attacker could exploit this vulnerability by loading specially crafted Adobe Flash content via the "view-source:" scheme to bypass cross-domain restrictions.
Successful exploitation of this vulnerability could allow a remote attacker to conduct cross-site request forgery (CSRF) attacks or read and write Local Shared Objects on a user's system for tracking purposes.
5. Third-Party Stylesheets Script Injection Vulnerability (CVE-2009-1308)
This vulnerability is caused due to an error in the processing of XBL bindings when third-party stylesheets are embedded in websites in Mozilla Firefox, Thunderbird and SeaMonkey. A remote attacker could exploit this vulnerability to conduct script insertion attacks on sites that allow users to embed third-party style sheets.
Note : Thunderbird may be affected if JavaScript is enabled.
6. XMLHttpRequest and XPCNativeWrapper.toString Same-Origin Restrictions Bypass Vulnerability (CVE-2009-1309)
This vulnerability is caused due to same-origin policy validation errors in "XMLHttpRequest" and "XPCNativeWrapper.toString" in Mozilla Firefox, Thunderbird and SeaMonkey. A remote attacker could exploit this vulnerability via a specially crafted HTML page that makes an XMLHttpRequest to trigger a mismatch between the document's URI and the document's principal.
Successful exploitation of this vulnerability could allow a remote attacker to bypass the same-origin policy and potentially execute code with chrome privileges or execute JavaScript in the context of another domain.
Note: Thunderbird may be affected if JavaScript is enabled in mail.
7. 'MozSearch' Cross-Site Scripting Vulnerability (CVE-2009-1310)
This vulnerability is caused due to a weakness in the handling of "SearchForm" URIs in Mozilla Firefox. A remote attacker could exploit this vulnerability by tricking a user into installing a specially crafted MozSearch plugin that uses a 'javascript:' URI in the SearchForm value and then performing an empty search.
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code in the context of an arbitrary site.
8. Frame Saving Sensitive Data Disclosure Vulnerability (CVE-2009-1311)
This vulnerability is caused due to an error in the handling of POST data in Mozilla Firefox and SeaMonkey. A remote attacker could exploit this vulnerability to disclose potentially sensitive data: when an inner frame of a web page is saved as a file, the POST data of the outer page is sent to the URL of the inner frame.
9. Refresh Headers processing Cross-Site Scripting Vulnerability (CVE-2009-1312)
This vulnerability is caused due to an error when processing "Refresh" headers containing a "javascript:" URI in Mozilla Firefox and SeaMonkey. A remote attacker could exploit this vulnerability by injecting a Refresh header into a server response, or by controlling the value that a site places in the Refresh header. Successful exploitation of this vulnerability could allow a remote attacker to conduct cross-site scripting attacks and execute arbitrary JavaScript code within the context of that site.
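The server-side counterpart to this issue is a site that builds its Refresh header from a value it does not fully control. The validator below is an added example, not code from the advisory or from Mozilla: it parses the header forms browsers accept and only permits a relative path or an http(s) URL on the site's own host (site_host is an assumed parameter), rejecting "javascript:" and any other scheme even when whitespace or control characters are used to disguise it.

```python
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def parse_refresh(value):
    """Split a Refresh header value into (seconds, url). Accepts '5',
    '5; url=/x', '0;URL="/x"' and '0; /x' (browsers are lenient about the
    url= prefix and the quoting). Returns None if the delay is not numeric."""
    delay, sep, rest = value.partition(";")
    try:
        seconds = int(delay.strip())
    except ValueError:
        return None
    if not sep:
        return seconds, None
    m = re.match(r"\s*url\s*=\s*(.*)", rest, re.IGNORECASE | re.DOTALL)
    url = (m.group(1) if m else rest).strip().strip("'\"")
    return seconds, url

def refresh_target_is_safe(value, site_host):
    """True when the header carries no URL, a relative path, or an http(s)
    URL on site_host. Everything else (javascript:, data:, protocol-relative
    or foreign hosts) is rejected and the header should not be emitted."""
    parsed = parse_refresh(value)
    if parsed is None:
        return False
    url = parsed[1]
    if url is None:
        return True
    # Browsers ignore ASCII whitespace and control characters while reading a
    # URL scheme, so classify the target with those removed. This cleaned
    # string is used for the decision only; nothing here rewrites the header.
    cleaned = "".join(ch for ch in url if 0x20 < ord(ch) < 0x7f or ord(ch) >= 0x80)
    try:
        parts = urlsplit(cleaned)
    except ValueError:               # e.g. NFKC-foldable delimiters in the netloc
        return False
    if parts.scheme == "":
        return not cleaned.startswith("//")   # relative path stays on this site
    return parts.scheme in ALLOWED_SCHEMES and (parts.hostname or "") == site_host.lower()
```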
Solution
Update to Mozilla Firefox version 3.0.9
http://www.mozilla.org/projects/firefox/
Update to Mozilla SeaMonkey version 1.1.17
http://www.mozilla.org/projects/seamonkey/
Upgrade to Mozilla Thunderbird version 2.0.0.22
http://www.mozilla.com/thunderbird/
Vendor Information
Mozilla
http://www.mozilla.org/security/announce/2009/mfsa2009-14.html
http://www.mozilla.org/security/announce/2009/mfsa2009-15.html
http://www.mozilla.org/security/announce/2009/mfsa2009-16.html
http://www.mozilla.org/security/announce/2009/mfsa2009-17.html
http://www.mozilla.org/security/announce/2009/mfsa2009-18.html
http://www.mozilla.org/security/announce/2009/mfsa2009-19.html
http://www.mozilla.org/security/announce/2009/mfsa2009-20.html
http://www.mozilla.org/security/announce/2009/mfsa2009-21.html
http://www.mozilla.org/security/announce/2009/mfsa2009-22.html
References
Mozilla
http://www.mozilla.org/security/announce/2009/mfsa2009-14.html
http://www.mozilla.org/security/announce/2009/mfsa2009-15.html
http://www.mozilla.org/security/announce/2009/mfsa2009-16.html
http://www.mozilla.org/security/announce/2009/mfsa2009-17.html
http://www.mozilla.org/security/announce/2009/mfsa2009-18.html
http://www.mozilla.org/security/announce/2009/mfsa2009-19.html
http://www.mozilla.org/security/announce/2009/mfsa2009-20.html
http://www.mozilla.org/security/announce/2009/mfsa2009-21.html
http://www.mozilla.org/security/announce/2009/mfsa2009-22.html
Bugzilla
https://bugzilla.mozilla.org/buglist.cgi?bug_id=462517,454276,477775,483444,461053,467881,432114,428113,431260
https://bugzilla.mozilla.org/show_bug.cgi?id=453736
https://bugzilla.mozilla.org/buglist.cgi?bug_id=475971,461158
https://bugzilla.mozilla.org/show_bug.cgi?id=476049
https://bugzilla.mozilla.org/show_bug.cgi?id=479336
https://bugzilla.mozilla.org/show_bug.cgi?id=474536
https://bugzilla.mozilla.org/show_bug.cgi?id=481342
https://bugzilla.mozilla.org/show_bug.cgi?id=481558
https://bugzilla.mozilla.org/buglist.cgi?bug_id=482206,478433
https://bugzilla.mozilla.org/show_bug.cgi?id=483086
https://bugzilla.mozilla.org/show_bug.cgi?id=471962
https://bugzilla.mozilla.org/buglist.cgi?bug_id=475636
Secunia
http://secunia.com/advisories/34758/
http://secunia.com/advisories/34780/
http://secunia.com/advisories/34835/
http://secunia.com/advisories/34096
SecurityFocus
http://www.securityfocus.com/bid/34656
http://www.securityfocus.com/bid/33837
SecurityTracker
http://www.securitytracker.com/alerts/2009/Apr/1022098.html
http://www.securitytracker.com/alerts/2009/Apr/1022097.html
http://www.securitytracker.com/alerts/2009/Apr/1022096.html
http://www.securitytracker.com/alerts/2009/Apr/1022095.html
http://www.securitytracker.com/alerts/2009/Apr/1022094.html
http://www.securitytracker.com/alerts/2009/Apr/1022093.html
http://www.securitytracker.com/alerts/2009/Apr/1022090.html
http://www.securitytracker.com/alerts/2009/Apr/1022103.html
http://www.securitytracker.com/alerts/2009/Apr/1022102.html
VUPEN
http://www.vupen.com/english/advisories/2009/1125
http://www.vupen.com/english/advisories/2009/1124
http://www.vupen.com/english/advisories/2009/1123
XFORCE ISS
http://xforce.iss.net/xforce/xfdb/48974
CVE Name
CVE-2009-0652
CVE-2009-1302
CVE-2009-1303
CVE-2009-1304
CVE-2009-1305
CVE-2009-1306
CVE-2009-1307
CVE-2009-1308
CVE-2009-1309
CVE-2009-1310
CVE-2009-1311
CVE-2009-1312
CWE Name
CWE-20
CWE-200
CWE-451
CWE-633
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003