CERT-In Advisory
CIAD-2013-0090
Multiple vulnerabilities in Mozilla products
Original Issue Date: December 16, 2013
Severity Rating: High
Systems Affected
- Mozilla Firefox prior to 26
- Mozilla Firefox ESR prior to 24.2
- Mozilla Thunderbird prior to 24.2
- Mozilla Seamonkey prior to 2.23
Overview
Multiple vulnerabilities have been reported in Mozilla Firefox, Thunderbird and SeaMonkey which could allow a remote attacker to execute arbitrary code, disclose potentially sensitive information, conduct spoofing and cross-site scripting attacks, bypass certain security restrictions or cause a denial of service (memory corruption and application crash) condition.
Description
These vulnerabilities are caused by:
- memory corruption errors;
- inherited character-set encoding information;
- an error while handling an <object> element within a sandboxed iframe;
- an error in the generation of GetElementIC typed array stubs outside observed typesets during JavaScript compilation;
- use-after-free errors in the libxul.so!nsEventListenerManager::HandleEventSubType() function and in the nsNodeUtils::LastRelease function in the table-editing user interface;
- integer overflows in the binary-search implementation;
- improper processing of the Start Of Scan (SOS) and Define Huffman Table (DHT) markers in the libjpeg library;
- heap use-after-free errors in the libxul.so!PresShell::DispatchSynthMouseMove function and in the mozilla::RestyleManager::GetHoverGeneration() function;
- an error in timed page navigation;
- an error in validating Extended Validation (EV) certificates, which remain trusted even after the user has explicitly removed trust in them;
- an error when pasting a selection with a middle-click on Linux systems;
- mis-issued Google certificates from ANSSI/DCSSI.
Successful exploitation of these vulnerabilities could allow a remote attacker to execute arbitrary code, disclose potentially sensitive information, conduct spoofing and cross-site scripting attacks, bypass certain security restrictions or cause a denial of service (memory corruption and application crash) condition.
Solution
Apply appropriate fixes as mentioned by the vendor
http://www.mozilla.org/security/announce/2013/mfsa2013-104.html
http://www.mozilla.org/security/announce/2013/mfsa2013-105.html
http://www.mozilla.org/security/announce/2013/mfsa2013-106.html
http://www.mozilla.org/security/announce/2013/mfsa2013-107.html
http://www.mozilla.org/security/announce/2013/mfsa2013-108.html
http://www.mozilla.org/security/announce/2013/mfsa2013-109.html
http://www.mozilla.org/security/announce/2013/mfsa2013-110.html
http://www.mozilla.org/security/announce/2013/mfsa2013-111.html
http://www.mozilla.org/security/announce/2013/mfsa2013-112.html
http://www.mozilla.org/security/announce/2013/mfsa2013-113.html
http://www.mozilla.org/security/announce/2013/mfsa2013-114.html
http://www.mozilla.org/security/announce/2013/mfsa2013-115.html
http://www.mozilla.org/security/announce/2013/mfsa2013-116.html
http://www.mozilla.org/security/announce/2013/mfsa2013-117.html
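The practical first step for the fixes above is to find out which installed copies of Firefox, Firefox ESR, Thunderbird and SeaMonkey are still below the versions listed under Systems Affected. The following script is an added illustration, not CERT-In or Mozilla code: it encodes the advisory's fixed-in versions, normalises version strings such as "24.1.1esr", and flags entries from a constructed sample inventory (the host names and the "host product version" line format are assumptions).

```python
"""Flag installed Mozilla product versions that fall inside the
"Systems Affected" ranges of CERT-In advisory CIAD-2013-0090.

Added illustration, not CERT-In or Mozilla code. The thresholds are the
advisory's; the inventory lines and host names below are constructed.
"""
import re

# Fixed-in versions from the advisory's "Systems Affected" list:
# any version strictly below these is affected.
FIXED_VERSIONS = {
    "firefox": (26,),
    "firefox-esr": (24, 2),
    "thunderbird": (24, 2),
    "seamonkey": (2, 23),
}


def parse_version(text):
    """Turn '24.1.1esr' or '26.0' into (tuple of ints, esr_flag).

    Non-numeric suffixes (esr, b3, ...) are dropped so the tuples compare
    numerically; the ESR flag is kept because ESR has its own threshold.
    """
    lowered = text.lower()
    esr = "esr" in lowered
    parts = []
    for piece in lowered.replace("esr", "").split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts), esr


def is_affected(product, version):
    """True if the given product/version is below the advisory's fixed version.

    Firefox builds carrying an 'esr' suffix are judged against the ESR
    threshold (24.2); all other Firefox builds against 26.
    """
    parsed, esr = parse_version(version)
    key = product.lower()
    if key == "firefox" and esr:
        key = "firefox-esr"
    if key not in FIXED_VERSIONS:
        raise ValueError(f"product not covered by this advisory: {product}")
    # Python compares tuples element-wise, and a shorter prefix sorts lower,
    # so (24,) < (24, 2) and (24, 2, 0) is not < (24, 2), as intended.
    return parsed < FIXED_VERSIONS[key]


# Constructed sample inventory: "host product version", one entry per line.
SAMPLE_INVENTORY = """\
ws01 firefox 25.0.1
ws02 firefox 26.0
ws03 firefox 24.1.1esr
ws04 firefox 24.2.0esr
mail01 thunderbird 17.0.11
mail02 thunderbird 24.2.0
ws05 seamonkey 2.22.1
ws06 seamonkey 2.23
"""


def scan_inventory(text):
    """Return the (host, product, version) entries that still need the fix."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, product, version = line.split()
        if is_affected(product, version):
            hits.append((host, product, version))
    return hits


if __name__ == "__main__":
    for host, product, version in scan_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is below the fixed version")
```

Note that a plain Firefox 24.x or 25.x without the "esr" suffix is reported as affected even though 24.2 is the ESR fix level, because the non-ESR channel was only fixed in Firefox 26; if your inventory tool records the channel separately rather than in the version string, set the ESR flag from that field instead.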
Vendor Information
Mozilla
http://www.mozilla.org/security/announce/2013/mfsa2013-104.html
http://www.mozilla.org/security/announce/2013/mfsa2013-105.html
http://www.mozilla.org/security/announce/2013/mfsa2013-106.html
http://www.mozilla.org/security/announce/2013/mfsa2013-107.html
http://www.mozilla.org/security/announce/2013/mfsa2013-108.html
http://www.mozilla.org/security/announce/2013/mfsa2013-109.html
http://www.mozilla.org/security/announce/2013/mfsa2013-110.html
http://www.mozilla.org/security/announce/2013/mfsa2013-111.html
http://www.mozilla.org/security/announce/2013/mfsa2013-112.html
http://www.mozilla.org/security/announce/2013/mfsa2013-113.html
http://www.mozilla.org/security/announce/2013/mfsa2013-114.html
http://www.mozilla.org/security/announce/2013/mfsa2013-115.html
http://www.mozilla.org/security/announce/2013/mfsa2013-116.html
http://www.mozilla.org/security/announce/2013/mfsa2013-117.html
References
Security Focus
http://www.securityfocus.com/bid/64204
http://www.securityfocus.com/bid/64206
http://www.securityfocus.com/bid/64214
http://www.securityfocus.com/bid/64205
http://www.securityfocus.com/bid/64203
http://www.securityfocus.com/bid/64207
http://www.securityfocus.com/bid/64216
http://www.securityfocus.com/bid/64209
http://www.securityfocus.com/bid/64211
http://www.securityfocus.com/bid/64215
http://www.securityfocus.com/bid/63676
http://www.securityfocus.com/bid/63679
http://www.securityfocus.com/bid/64212
http://www.securityfocus.com/bid/64210
http://www.securityfocus.com/bid/64213
Security Tracker
http://securitytracker.com/id/1029476
Secunia
http://secunia.com/advisories/56002/
http://secunia.com/advisories/56005/
CVE Name
CVE-2013-5590
CVE-2013-5591
CVE-2013-5592
CVE-2013-5593
CVE-2013-5595
CVE-2013-5596
CVE-2013-5597
CVE-2013-5598
CVE-2013-5599
CVE-2013-5600
CVE-2013-5601
CVE-2013-5602
CVE-2013-5603
CVE-2013-5604
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in
Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road, New Delhi - 110 003
India