CERT-In Advisory
CIAD-2010-0067
Multiple Vulnerabilities in Mozilla Products
Original Issue Date: November 03, 2010
Severity Rating: High
Systems Affected
- Mozilla Firefox versions prior to 3.6.11
- Mozilla Firefox versions prior to 3.5.14
- Mozilla Thunderbird versions prior to 3.1.5
- Mozilla Thunderbird versions prior to 3.0.9
- Mozilla SeaMonkey versions prior to 2.0.9
Overview
Multiple vulnerabilities have been reported in Mozilla Firefox, Thunderbird and SeaMonkey, which could allow a remote attacker to gain elevated privileges, conduct spoofing attacks, bypass certain security restrictions, disclose sensitive information, execute arbitrary code, cause a denial of service condition or potentially compromise the affected system.
Description
1. Multiple memory corruption vulnerabilities (CVE-2010-3174, CVE-2010-3175, CVE-2010-3176)
Multiple memory corruption vulnerabilities have been reported in the browser engine of Mozilla Firefox, Thunderbird and SeaMonkey. A remote attacker could exploit these vulnerabilities via a specially crafted HTML page to trigger memory corruption errors in the browser engine. Successful exploitation of these vulnerabilities could allow a remote attacker to potentially execute arbitrary code or cause denial of service conditions.
2. document.write() stack buffer overflow vulnerability (CVE-2010-3179)
This vulnerability is caused by an error when processing an excessively long string passed to 'document.write' in Mozilla Firefox, Thunderbird and SeaMonkey. A remote attacker could exploit this vulnerability by passing a specially crafted long string value to 'document.write' to trigger a stack-based buffer overflow. Successful exploitation of this vulnerability could allow a remote attacker to potentially execute arbitrary code or cause a denial of service condition.
3. Use-after-free error in nsBarProp (CVE-2010-3180)
This vulnerability is caused by a use-after-free error in "nsBarProp" when the "locationbar" property of a "window" object is accessed after that window has been closed, in Mozilla Firefox, Thunderbird and SeaMonkey. A remote attacker could exploit this vulnerability by accessing the locationbar property of a closed window to potentially execute arbitrary code.
4. Dangling pointer vulnerability in LookupGetterOrSetter (CVE-2010-3183)
This vulnerability is caused by a dangling pointer issue in the 'LookupGetterOrSetter()' function of 'js3250.dll' when it is called with no arguments. When window.__lookupGetter__ is called with no arguments, the code assumes that the top value on the JavaScript stack is a property name. Since no arguments were passed into the function, the top value could represent uninitialized memory or a pointer to a previously freed JavaScript object. A remote attacker could exploit this vulnerability via a crafted HTML document to potentially execute arbitrary code or cause a denial of service condition.
5. XSS in Gopher parser when parsing hrefs (CVE-2010-3177)
A cross-site scripting vulnerability has been reported in the Gopher parser when processing 'hrefs' in Mozilla Firefox and SeaMonkey. A remote attacker could exploit this vulnerability via a crafted file name or directory name on a Gopher server to inject arbitrary JavaScript or HTML into the rendered directory listing.
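The defect class behind item 5 is a parser that turns server-supplied Gopher menu entries into HTML links by string concatenation, so a file name containing markup lands in the page unescaped. The following added example (not Mozilla's code) shows that unsafe pattern beside a hardened renderer that percent-encodes the selector inside the href and HTML-escapes both the attribute value and the link text. The host name, port and the hostile sample entry are constructed for the example.

```python
import html
from urllib.parse import quote

# Constructed sample menu entries as a Gopher server might return them:
# (display name, selector). The second name is deliberately hostile test input.
SAMPLE_ENTRIES = [
    ("readme.txt", "/docs/readme.txt"),
    ('evil"><b>bold</b>', "/x"),
]


def render_entry_unsafe(display_name, selector, host="gopher.example", port=70):
    """The bug-class pattern: raw concatenation of server-controlled strings into HTML."""
    return f'<a href="gopher://{host}:{port}/0{selector}">{display_name}</a>'


def render_entry_safe(display_name, selector, host="gopher.example", port=70):
    """Hardened form: encode the selector for the URL, then escape for HTML context.

    The item-type character ("0" for a text file) precedes the selector in a Gopher URL.
    quote() leaves "/" alone but encodes quotes, angle brackets and other delimiters;
    html.escape(quote=True) then neutralises the remaining HTML/attribute delimiters.
    """
    href = f"gopher://{host}:{port}/0{quote(selector, safe='/')}"
    return (
        f'<a href="{html.escape(href, quote=True)}">'
        f"{html.escape(display_name, quote=True)}</a>"
    )


def is_single_anchor(rendered):
    """Crude structural check: a well-formed rendered entry has exactly one open and one close tag."""
    return rendered.count("<") == 2 and rendered.startswith("<a ") and rendered.endswith("</a>")


if __name__ == "__main__":
    for name, selector in SAMPLE_ENTRIES:
        print("unsafe:", render_entry_unsafe(name, selector), is_single_anchor(render_entry_unsafe(name, selector)))
        print("safe:  ", render_entry_safe(name, selector), is_single_anchor(render_entry_safe(name, selector)))
```

The structural check is only a demonstration aid; the real protection is that every server-controlled string passes through an encoder appropriate to the context it is placed in (URL, then HTML attribute or text).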
6. Cross-site information disclosure via modal calls (CVE-2010-3178)
A cross-domain information disclosure vulnerability has been reported in Mozilla Firefox, Thunderbird and SeaMonkey due to an error when handling modal calls. A remote attacker could exploit this vulnerability to bypass the same-origin policy and conduct cross-domain scripting attacks.
7. SSL wildcard certificate matching IP addresses (CVE-2010-3170)
An SSL certificate spoofing vulnerability has been reported in Mozilla Firefox, Thunderbird and SeaMonkey due to an error when matching wildcard SSL certificates against IP addresses. A remote attacker could exploit this vulnerability to conduct man-in-the-middle attacks and spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.
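Item 7 is a host-name verification rule: a wildcard DNS name in a certificate must never be allowed to match a connection made to an IP address literal, because a CA that issues a wildcard for a name such as "*.0.1.1" would otherwise vouch for "10.0.1.1". The following added example (not Mozilla's or NSS's code) implements the matcher a client should use: IP literals are matched only against exact IP subjectAltName entries, and wildcards are accepted only as the whole leftmost label of a DNS entry with at least two further labels. The subjectAltName entries are passed in as constructed (type, value) pairs; the `_dns_name_matches` helper alone reproduces the hazard so the two results can be compared.

```python
import ipaddress


def _parse_ip(text):
    """Return an ipaddress object for an IP literal (brackets around IPv6 allowed), else None."""
    try:
        return ipaddress.ip_address(text.strip("[]"))
    except ValueError:
        return None


def _dns_name_matches(pattern, host):
    """Match a DNS subjectAltName pattern against a host name (case-insensitive).

    Wildcard rules: '*' may only be the entire leftmost label, the pattern must keep
    at least two more labels (so '*.com' is rejected), and it matches exactly one label.
    Note: this helper does NOT know whether `host` is an IP literal, which is the gap
    described in item 7 when it is used on its own.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if any(not label for label in h_labels):
        return False
    if "*" not in pattern:
        return pattern == host
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    if len(p_labels) < 3 or len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def match_hostname(san_entries, host):
    """Decide whether a certificate's subjectAltName entries are valid for `host`.

    san_entries: iterable of (kind, value) with kind "DNS" or "IP" (constructed input shape).
    An IP-literal host is matched only against IP entries, never against DNS names,
    so no wildcard (or any DNS name) can be made to cover an IP address.
    """
    wanted_ip = _parse_ip(host)
    if wanted_ip is not None:
        return any(kind == "IP" and _parse_ip(value) == wanted_ip for kind, value in san_entries)
    return any(kind == "DNS" and _dns_name_matches(value, host) for kind, value in san_entries)


if __name__ == "__main__":
    # Constructed certificate: a wildcard name whose trailing labels look like an IPv4 suffix.
    cert = [("DNS", "*.0.1.1")]
    print("DNS-only matcher:", _dns_name_matches("*.0.1.1", "10.0.1.1"))   # hazard: True
    print("hardened matcher:", match_hostname(cert, "10.0.1.1"))            # False
```

Clients that must connect by IP address should expect an iPAddress subjectAltName entry; anything else is a verification failure, not a fallback to DNS matching.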
8. Multiple library loading vulnerabilities (CVE-2010-3181, CVE-2010-3182)
Multiple library loading vulnerabilities have been reported in Mozilla Firefox, Thunderbird and SeaMonkey due to various errors when loading libraries on Windows and Linux. An attacker could exploit these vulnerabilities to gain privileges via a Trojan horse shared library or DLL placed in the current working directory.
9. Insecure Diffie-Hellman key exchange (CVE-2010-3173)
This vulnerability is caused by an error in the SSL implementation that permits servers to use Diffie-Hellman Ephemeral mode (DHE) with insecure keys in Mozilla Firefox, Thunderbird and SeaMonkey. A remote attacker could exploit this vulnerability to defeat cryptographic protection mechanisms via a brute-force attack.
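Item 9 is a client-side parameter validation problem: in a DHE handshake the server chooses the group, so a client that accepts whatever prime arrives can be talked into a key exchange small enough to brute-force. The following added example (not Mozilla's or NSS's code) parses the ServerDHParams structure from a TLS ServerKeyExchange message (three length-prefixed big-endian integers: p, g and Ys) and rejects it when the prime is below a minimum size or the generator or public value is out of range. The 1024-bit minimum is a policy threshold chosen for this example, not a figure taken from the advisory, and the sample parameters are constructed placeholders (odd numbers of the right size, not real primes; the check does not test primality).

```python
import struct

MIN_DH_PRIME_BITS = 1024  # example policy; the advisory does not state the vendor's threshold


class WeakDHParams(ValueError):
    """Raised when the server's DHE parameters fail the size or range checks."""


def _take_vector(buf, offset):
    """Read one opaque<1..2^16-1> field at `offset`; return (integer value, new offset)."""
    if offset + 2 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from("!H", buf, offset)
    offset += 2
    if length == 0 or offset + length > len(buf):
        raise ValueError("truncated or empty field")
    return int.from_bytes(buf[offset:offset + length], "big"), offset + length


def parse_server_dh_params(data):
    """Parse ServerDHParams { dh_p, dh_g, dh_Ys } and return (p, g, ys, remaining_bytes)."""
    p, offset = _take_vector(data, 0)
    g, offset = _take_vector(data, offset)
    ys, offset = _take_vector(data, offset)
    return p, g, ys, data[offset:]


def check_dh_params(p, g, ys, min_bits=MIN_DH_PRIME_BITS):
    """Reject small or malformed DHE parameters. Measures the integer's bit length,
    so leading zero bytes in the encoding cannot inflate the apparent size."""
    if p.bit_length() < min_bits:
        raise WeakDHParams(f"dh_p is {p.bit_length()} bits, below the {min_bits}-bit minimum")
    if p % 2 == 0:
        raise WeakDHParams("dh_p is even and therefore not prime")
    if not 2 <= g <= p - 2:
        raise WeakDHParams("dh_g out of range")
    if not 2 <= ys <= p - 2:
        raise WeakDHParams("dh_Ys out of range")
    return True


def encode_server_dh_params(p, g, ys):
    """Build a ServerDHParams blob; used here to construct sample messages for testing."""
    def vector(value):
        raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
        return struct.pack("!H", len(raw)) + raw
    return vector(p) + vector(g) + vector(ys)


def accept_server_key_exchange(data, min_bits=MIN_DH_PRIME_BITS):
    """True only when the message parses and passes all checks; False on any defect."""
    try:
        p, g, ys, _ = parse_server_dh_params(data)
        check_dh_params(p, g, ys, min_bits)
        return True
    except (ValueError, struct.error):
        return False


if __name__ == "__main__":
    weak_p = (1 << 511) | 1      # constructed 512-bit placeholder, not a real prime
    strong_p = (1 << 2047) | 1   # constructed 2048-bit placeholder, not a real prime
    print("512-bit group accepted: ", accept_server_key_exchange(encode_server_dh_params(weak_p, 2, 5)))
    print("2048-bit group accepted:", accept_server_key_exchange(encode_server_dh_params(strong_p, 2, 5)))
```

In a real client the size floor is the only defence available at this point in the handshake, since the client cannot choose the group; logging the rejected prime size gives operators a detection signal for servers that still offer weak DHE parameters.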
Solution
Upgrade to Mozilla Firefox version 3.6.11 or 3.5.14
http://www.mozilla.com/firefox/
Upgrade to Mozilla Thunderbird version 3.1.5 or 3.0.9
http://www.mozilla.com/thunderbird/
Upgrade to Mozilla SeaMonkey version 2.0.9
http://www.mozilla.com/seamonkey/
Vendor Information
Mozilla
http://www.mozilla.org/security/announce/2010/mfsa2010-64.html
http://www.mozilla.org/security/announce/2010/mfsa2010-65.html
http://www.mozilla.org/security/announce/2010/mfsa2010-66.html
http://www.mozilla.org/security/announce/2010/mfsa2010-67.html
http://www.mozilla.org/security/announce/2010/mfsa2010-68.html
http://www.mozilla.org/security/announce/2010/mfsa2010-69.html
http://www.mozilla.org/security/announce/2010/mfsa2010-70.html
http://www.mozilla.org/security/announce/2010/mfsa2010-71.html
http://www.mozilla.org/security/announce/2010/mfsa2010-72.html
References
ZDI
http://www.zerodayinitiative.com/advisories/ZDI-10-219/
Secunia
http://secunia.com/advisories/41890/
Bugzilla
https://bugzilla.mozilla.org/show_bug.cgi?id=578697
https://bugzilla.mozilla.org/show_bug.cgi?id=589190
https://bugzilla.mozilla.org/show_bug.cgi?id=590753
https://bugzilla.mozilla.org/buglist.cgi?bug_id=554354,595300
https://bugzilla.mozilla.org/buglist.cgi?bug_id=509075,559344,566141,568073,568303,580151,583957,594760
https://bugzilla.mozilla.org/buglist.cgi?bug_id=554670,590291,590116
https://bugzilla.mozilla.org/show_bug.cgi?id=476547
https://bugzilla.mozilla.org/show_bug.cgi?id=583077
https://bugzilla.mozilla.org/show_bug.cgi?id=588929
https://bugzilla.mozilla.org/show_bug.cgi?id=598669
https://bugzilla.mozilla.org/show_bug.cgi?id=556734
https://bugzilla.mozilla.org/show_bug.cgi?id=576616
Security Focus
http://www.securityfocus.com/bid/44228
http://www.securityfocus.com/bid/44243
http://www.securityfocus.com/bid/44245
http://www.securityfocus.com/bid/44246
http://www.securityfocus.com/bid/44247
http://www.securityfocus.com/bid/44248
http://www.securityfocus.com/bid/44249
http://www.securityfocus.com/bid/44250
http://www.securityfocus.com/bid/44251
http://www.securityfocus.com/bid/44252
http://www.securityfocus.com/bid/44253
http://www.securityfocus.com/bid/42817/
Security Tracker
http://securitytracker.com/alerts/2010/Oct/1024608.html
Vupen
http://www.vupen.com/english/advisories/2010/2726
CVE Name
CVE-2010-3170
CVE-2010-3173
CVE-2010-3174
CVE-2010-3175
CVE-2010-3176
CVE-2010-3177
CVE-2010-3178
CVE-2010-3179
CVE-2010-3180
CVE-2010-3181
CVE-2010-3182
CVE-2010-3183
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In) Ministry of Electronics and Information Technology Government of India Electronics Niketan 6, CGO Complex, Lodhi Road, New Delhi - 110 003 India