CERT-In Advisory
CIAD-2009-0050
Multiple Vulnerabilities in Mozilla Products
Original Issue Date: November 10, 2009
Severity Rating: High
Systems Affected
- Mozilla Firefox versions 3.5.x prior to 3.5.4
- Mozilla Firefox versions 3.0.x prior to 3.0.15
- Mozilla SeaMonkey Versions prior to 2.0
Overview
Multiple vulnerabilities have been reported in Mozilla Firefox, which could allow a remote attacker to bypass certain security restrictions, disclose potentially sensitive information, cause denial of service conditions, execute arbitrary code, or potentially compromise an affected system.
Description
1. Heap Buffer overflow Vulnerability (CVE-2009-1563)
This vulnerability is caused by an array indexing error when allocating space for floating point numbers in the string to floating point number conversion routines in Mozilla Firefox. A remote attacker could exploit this vulnerability via specially crafted JavaScript code containing a very long string to be converted to a floating point number, triggering an improper memory allocation error.
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code.
2. Form history Information disclosure Vulnerability (CVE-2009-3370)
This vulnerability is caused by an error in the form history functionality in Mozilla Firefox. A remote attacker could exploit this vulnerability via a specially crafted web page that triggers the automatic filling of form fields and then reads the entries.
Successful exploitation of this vulnerability could allow a remote attacker to obtain potentially sensitive information (including web content and smart location bar history).
3. Recursive web-worker calls Denial of Service Vulnerability (CVE-2009-3371)
This vulnerability is caused by a memory corruption error when creating JavaScript web-workers recursively in Mozilla Firefox. A remote attacker could exploit this vulnerability by creating a set of JavaScript web-worker objects whose memory could be freed prior to their use, triggering a use of freed memory error.
Successful exploitation of this vulnerability could allow a remote attacker to cause denial of service conditions or potentially execute arbitrary code.
4. Proxy Auto-configuration regexp Parsing Remote Code Execution Vulnerability (CVE-2009-3372)
This vulnerability is caused by an error when parsing regular expressions used in Proxy Auto-configuration (PAC) files in Mozilla Firefox and SeaMonkey. A remote attacker could exploit this vulnerability via specially crafted regular expressions in a Proxy Auto-configuration (PAC) file to trigger a memory corruption error.
Successful exploitation of this vulnerability could allow a remote attacker to cause denial of service conditions or potentially execute arbitrary code.
5. GIF Color map parser Heap buffer overflow Vulnerability (CVE-2009-3373)
This vulnerability is caused by an error when processing GIF color maps in Mozilla Firefox and SeaMonkey. A remote attacker could exploit this vulnerability via a specially crafted GIF file to trigger a heap-based buffer overflow error.
Successful exploitation of this vulnerability could allow a remote attacker to cause denial of service conditions or potentially execute arbitrary code.
6. XPCVariant::VariantDataToJS Chrome privilege escalation Vulnerability (CVE-2009-3374)
This vulnerability is caused by improper enforcement of intended restrictions on interaction between chrome privileged code and objects obtained from remote web sites in the "XPCVariant::VariantDataToJS" function of the XPCOM utility in Mozilla Firefox. A remote attacker could exploit this vulnerability via a specially crafted function call related to "doubly-wrapped objects".
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary JavaScript code with chrome privileges.
7. 'document.getSelection' Cross Domain Information Disclosure Vulnerability (CVE-2009-3375)
This vulnerability is caused by an error in the implementation of the JavaScript "document.getSelection()" function in Mozilla Firefox. A remote attacker could exploit this vulnerability by tricking a user into opening an HTML page containing a specially crafted document.getSelection() statement to read text selected on a web page in a different domain.
Successful exploitation of this vulnerability could allow a remote attacker to conduct cross-domain scripting attacks.
8. Download Filename Spoofing with RTL override Vulnerability (CVE-2009-3376)
This vulnerability is caused by an error in handling a right-to-left override (RLO) Unicode character in a download filename in Mozilla Firefox and SeaMonkey. A remote attacker could exploit this vulnerability via a specially crafted filename containing a right-to-left override (RLO) character to cause the dialog to display a different name in the title bar than in the dialog body.
Successful exploitation of this vulnerability could allow a remote attacker to obfuscate the name and extension of a malicious file to be downloaded and opened.
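The following check is an added example, not part of the CERT-In advisory or of Mozilla's fix: it flags Unicode bidirectional control characters in a download filename and compares the extension as stored with the extension a user would see. The function names, the simplified rendering model and the sample filename are assumptions constructed for illustration.

```python
# Unicode bidirectional formatting characters that can reorder displayed text.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI", "\u200e": "LRM", "\u200f": "RLM", "\u061c": "ALM",
}
RLO, PDF = "\u202e", "\u202c"


def approximate_display(name):
    """Simplified rendering: text after RLO is shown reversed until PDF or end.

    An approximation for illustration, not the full Unicode Bidirectional
    Algorithm; other bidi controls are dropped from the output.
    """
    shown, run = [], None
    for ch in name:
        if ch == RLO:
            if run is None:
                run = []          # start collecting the overridden run
        elif ch == PDF and run is not None:
            shown.extend(reversed(run))
            run = None
        elif ch in BIDI_CONTROLS:
            continue
        elif run is not None:
            run.append(ch)
        else:
            shown.append(ch)
    if run is not None:           # override not terminated before end of name
        shown.extend(reversed(run))
    return "".join(shown)


def extension(name):
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def inspect_filename(name):
    """Report bidi controls and any mismatch between stored and shown extension."""
    controls = [(i, BIDI_CONTROLS[c]) for i, c in enumerate(name) if c in BIDI_CONTROLS]
    sanitized = "".join(c for c in name if c not in BIDI_CONTROLS)
    return {
        "suspicious": bool(controls),
        "controls": controls,
        "sanitized": sanitized,
        "stored_extension": extension(sanitized),
        "displayed_extension": extension(approximate_display(name)),
    }


# Constructed sample: stored name ends in ".exe" but renders as ending in ".pdf".
SAMPLE = "invoice\u202efdp.exe"
```

A mail gateway, proxy or download handler can reject or rename any file for which `suspicious` is true, and log the `sanitized` name so that analysts see the stored order.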
9. Multiple unspecified Remote code execution Vulnerabilities (CVE-2009-3377, CVE-2009-3378, CVE-2009-3379)
Multiple unspecified vulnerabilities have been reported in Mozilla Firefox due to various errors in the embedded libvorbis, liboggplay, and liboggz libraries used in Mozilla Firefox. A remote attacker could exploit these vulnerabilities via unknown vectors to cause denial of service conditions or potentially execute arbitrary code.
10. JavaScript Engine, Browser Engine Multiple Remote code execution Vulnerabilities (CVE-2009-3380, CVE-2009-3381, CVE-2009-3382, CVE-2009-3383)
Multiple vulnerabilities have been reported in Mozilla Firefox due to various memory corruption errors in the JavaScript and browser engines when parsing malformed data. A remote attacker could exploit these vulnerabilities via a specially crafted HTML page to trigger memory corruption errors in the JavaScript engine and the browser engine.
Successful exploitation of these vulnerabilities could allow a remote attacker to cause denial of service conditions or potentially execute arbitrary code.
Solution
Upgrade to Mozilla Firefox version 3.5.4 or 3.0.15 or later
http://www.mozilla.com/firefox/
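To find installations that still need the upgrade, the version ranges under "Systems Affected" can be applied to a software inventory. The script below is an added example, not part of the advisory; the inventory rows are constructed, and treating a letter suffix such as "pre" or "rc1" as a build that precedes the plain release is an assumption.

```python
import re

# Fixed releases per branch, from the advisory's "Systems Affected" list.
FIREFOX_FIXED = {(3, 5): (3, 5, 4), (3, 0): (3, 0, 15)}
SEAMONKEY_FIXED = (2, 0, 0)


def parse_version(text):
    """Split '3.5.4pre' into ((3, 5, 4), 'pre'); pad to three components."""
    m = re.match(r"^(\d+(?:\.\d+)*)([A-Za-z]\w*)?", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    return (nums + (0, 0, 0))[:3], m.group(2) or ""


def is_before(version, fixed):
    nums, suffix = parse_version(version)
    # Assumption: a suffix directly after the digits marks a pre-release build,
    # so '3.5.4pre' sorts before the fixed 3.5.4 release.
    return nums < fixed or (nums == fixed and suffix != "")


def classify(product, version):
    """Return 'affected', 'fixed', or 'not-listed' for one installation."""
    product = product.strip().lower()
    if product == "firefox":
        nums, _ = parse_version(version)
        fixed = FIREFOX_FIXED.get(nums[:2])
        if fixed is None:
            return "not-listed"  # branch outside the ranges the advisory names
        return "affected" if is_before(version, fixed) else "fixed"
    if product == "seamonkey":
        return "affected" if is_before(version, SEAMONKEY_FIXED) else "fixed"
    return "not-listed"


def triage(inventory):
    return [(host, prod, ver, classify(prod, ver)) for host, prod, ver in inventory]


# Constructed inventory rows: (host, product, installed version).
INVENTORY = [
    ("host-a", "Firefox", "3.5.3"),
    ("host-b", "Firefox", "3.0.15"),
    ("host-c", "SeaMonkey", "1.1.18"),
    ("host-d", "Firefox", "3.5.4pre"),
]

if __name__ == "__main__":
    for row in triage(INVENTORY):
        print(*row)
```

Installations reported as "not-listed" are outside the ranges this advisory names and need a separate check against the vendor's support status.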
Workaround
- Disable JavaScript until a version containing these fixes can be installed.
- Disable Java until a version containing these fixes can be installed.
Vendor Information
Mozilla
http://www.mozilla.com/en-US/
References
Mozilla
http://www.mozilla.org/security/announce/2009/mfsa2009-52.html
http://www.mozilla.org/security/announce/2009/mfsa2009-59.html
http://www.mozilla.org/security/announce/2009/mfsa2009-53.html
http://www.mozilla.org/security/announce/2009/mfsa2009-64.html
http://www.mozilla.org/security/announce/2009/mfsa2009-63.html
http://www.mozilla.org/security/announce/2009/mfsa2009-57.html
http://www.mozilla.org/security/announce/2009/mfsa2009-56.html
http://www.mozilla.org/security/announce/2009/mfsa2009-54.html
http://www.mozilla.org/security/announce/2009/mfsa2009-61.html
http://www.mozilla.org/security/announce/2009/mfsa2009-62.html
http://www.mozilla.org/security/announce/2009/mfsa2009-55.html
Bugzilla
https://bugzilla.mozilla.org/show_bug.cgi?id=511615
https://bugzilla.mozilla.org/show_bug.cgi?id=514823
https://bugzilla.mozilla.org/buglist.cgi?bug_id=516396,516862
https://bugzilla.mozilla.org/show_bug.cgi?id=500311
https://bugzilla.mozilla.org/buglist.cgi?bug_id=515376,512327
https://bugzilla.mozilla.org/buglist.cgi?bug_id=501279,499512,515889,507167
https://bugzilla.mozilla.org/buglist.cgi?bug_id=514776,497013,508927,509602,509244,489925,522030,454872
https://bugzilla.mozilla.org/buglist.cgi?bug_id=502168,513394,503196,516709,508057
https://bugzilla.mozilla.org/show_bug.cgi?id=514960
https://bugzilla.mozilla.org/buglist.cgi?bug_id=510987,518675
https://bugzilla.mozilla.org/show_bug.cgi?id=505988
https://bugzilla.mozilla.org/show_bug.cgi?id=511689
https://bugzilla.mozilla.org/show_bug.cgi?id=514554
https://bugzilla.mozilla.org/show_bug.cgi?id=503226
https://bugzilla.mozilla.org/show_bug.cgi?id=511521
https://bugzilla.mozilla.org/show_bug.cgi?id=500644
Secunia
http://secunia.com/advisories/36711/1/
SecurityFocus
http://www.securityfocus.com/bid/36843
SecurityTracker
http://securitytracker.com/alerts/2009/Oct/1023094.html
http://securitytracker.com/alerts/2009/Oct/1023090.html
http://securitytracker.com/alerts/2009/Oct/1023099.html
http://securitytracker.com/alerts/2009/Oct/1023097.html
http://securitytracker.com/alerts/2009/Oct/1023098.html
VUPEN
http://www.vupen.com/english/advisories/2009/3063
CVE Name
CVE-2009-1563
CVE-2009-3370
CVE-2009-3371
CVE-2009-3372
CVE-2009-3373
CVE-2009-3374
CVE-2009-3375
CVE-2009-3376
CVE-2009-3377
CVE-2009-3378
CVE-2009-3379
CVE-2009-3380
CVE-2009-3381
CVE-2009-3382
CVE-2009-3383
CWE Name
CWE-16
CWE-119
CWE-264
CWE-399
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In) Ministry of Electronics and Information Technology Government of India Electronics Niketan 6, CGO Complex, Lodhi Road, New Delhi - 110 003 India