CERT-In Vulnerability Note
CIVN-2010-0270
Multiple Remote Code Execution Vulnerabilities in Mozilla Firefox
Original Issue Date:December 15, 2010
Severity Rating: HIGH
Systems Affected
- Mozilla Firefox versions prior to 3.5.16
- Mozilla Firefox 3.6.x versions prior to 3.6.13
Overview
Multiple remote code execution vulnerabilities have been reported in Mozilla Firefox. Exploitation of these vulnerabilities could allow cross-site scripting and spoofing attacks, bypass of certain security restrictions, and compromise of an affected system in the context of the logged-in user.
Description
1. nsDOMAttribute() MutationObserver Remote Code Execution Vulnerability (CVE-2010-3766)
A vulnerability has been reported in Mozilla Firefox in its handling of nsDOMAttribute nodes, which can be modified without informing the iterator object responsible for various DOM traversals. This flaw could lead to an inconsistent state in which the iterator points to an object it believes is part of the DOM but which is actually some other object. If that object had been deleted and its memory reclaimed by the system, the iterator could be used to call into attacker-controlled memory.
2. NewIdArray Integer Overflow Vulnerability (CVE-2010-3767)
An integer overflow vulnerability has been reported in Mozilla Firefox in the handling of NewIdArray. An array could be constructed containing a very large number of items such that, when memory was allocated to store the array items, the integer value used to calculate the buffer size would overflow, resulting in too small a buffer being allocated. Subsequent use of the array object could then result in data being written past the end of the buffer, causing memory corruption.
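The allocation-size defect described above, in miniature, as an added example that is not part of the CERT-In advisory or of Mozilla's code: a 32-bit count-times-element-size computation wraps for large counts, so the buffer is far smaller than the writes that follow; the checked allocator refuses any count whose byte size does not fit (function names and the 1 GiB policy cap are assumptions for the example).

```c
/* Added example (not Mozilla code): the NewIdArray-style size overflow beside
 * an overflow-checked allocation. Requires GCC 5+ or Clang for
 * __builtin_mul_overflow. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* The defective pattern: byte size computed in 32-bit arithmetic. */
uint32_t buffer_bytes_wrapping(uint32_t count, uint32_t elem_size) {
    return count * elem_size;          /* wraps modulo 2^32 for large counts */
}

/* Detects whether the 32-bit product above would wrap (count*elem >= 2^32). */
int wraps32(uint32_t count, uint32_t elem_size) {
    return elem_size != 0 && count > UINT32_MAX / elem_size;
}

/* Hardened allocation: size_t arithmetic checked for overflow, plus an
 * explicit cap so a caller cannot request an arbitrarily large array. */
#define MAX_ARRAY_BYTES ((size_t)1 << 30)   /* assumed policy cap, 1 GiB */

void *alloc_items_checked(size_t count, size_t elem_size) {
    size_t bytes;
    if (elem_size == 0 || __builtin_mul_overflow(count, elem_size, &bytes))
        return NULL;                   /* product does not fit in size_t */
    if (bytes > MAX_ARRAY_BYTES)
        return NULL;                   /* fits, but exceeds the policy cap */
    return malloc(bytes);
}

/* Writes `count` ids into an array sized by the hardened allocator and returns
 * the number written (0 if the allocation was refused). Every write stays in
 * bounds because the buffer really holds `count` elements. */
size_t fill_ids(size_t count) {
    uint32_t *ids = alloc_items_checked(count, sizeof *ids);
    if (!ids) return 0;
    for (size_t i = 0; i < count; i++) ids[i] = (uint32_t)i;
    free(ids);
    return count;
}
```

With count 0x40000001 and 4-byte elements the wrapping computation yields 4 bytes, while the checked allocator refuses the request outright.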
3. OTS font sanitizer (downloadable font validation) vulnerability (CVE-2010-3768)
A vulnerability has been reported in Mozilla Firefox, which does not properly validate downloadable fonts before use within the operating system's font implementation (the OTS font sanitizer adds this validation). It allows remote attackers to execute arbitrary code via vectors related to @font-face Cascading Style Sheets (CSS) rules.
4. Buffer overflow in line breaking after document.write() with a long string (CVE-2010-3769)
A vulnerability has been reported in Mozilla Firefox: when document.write() was called with a very long string, a buffer overflow was caused in the line breaking routines attempting to process the string for display. Such cases triggered an invalid read past the end of an array, causing a crash which an attacker could potentially use to run arbitrary code on an affected computer.
5. Cross-site scripting vulnerability in multiple character encodings (CVE-2010-3770)
A vulnerability has been reported in Mozilla Firefox in the handling of certain character encodings. The x-mac-arabic, x-mac-farsi and x-mac-hebrew character encodings are vulnerable to XSS attacks because some characters are converted to angle brackets when displayed by the rendering engine. Sites using these character encodings would thus be potentially vulnerable to script injection attacks if their script filtering code fails to strip out these specific characters.
6. Chrome window.open and <isindex> element privilege escalation vulnerability (CVE-2010-3771)
A vulnerability has been reported in Mozilla Firefox in the handling of window.open and <isindex> elements. An attacker could exploit this vulnerability by creating a web page that opens a window with an about:blank location and then injects an <isindex> element into that page which, upon submission, redirects to a chrome: document. The effect of this defect was that the original page would wind up with a reference to a chrome-privileged object, the opened window, which could be leveraged for privilege escalation attacks.
7. XUL tree remote code execution using HTML tags vulnerability (CVE-2010-3772)
A vulnerability has been reported in Mozilla Firefox when processing HTML tags in a XUL tree. When a XUL tree had an HTML <div> element nested inside a <treechildren> element, code attempting to display content in the XUL tree would incorrectly treat the <div> element as a parent node of the tree content underneath it, resulting in incorrect indexes being calculated for the child content. These incorrect indexes were used in subsequent array operations, which resulted in data being written past the end of an allocated buffer. An attacker could exploit this vulnerability to crash an affected browser and run arbitrary code on the vulnerable system.
8. XMLHttpRequestSpy object remote code execution vulnerability (CVE-2010-3773)
A vulnerability has been reported in Mozilla Firefox when the XMLHttpRequestSpy module in the Firebug add-on is used: the interaction between the XMLHttpRequestSpy object and chrome-privileged objects is not handled properly. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary JavaScript via a crafted HTTP response.
9. Location bar SSL spoofing using network error page vulnerability (CVE-2010-3774)
A vulnerability has been reported in Mozilla Firefox: the NS_SecurityCompareURIs function in netwerk/base/public/nsNetUtil.h does not properly handle about:neterror and about:certerror pages. When a window was opened to a site resulting in a network or certificate error page, the opening site could access the document inside the opened window and inject arbitrary content. An attacker could use this bug to spoof the location bar and entice a user into thinking they were on a different site than they actually were. Successful exploitation of this vulnerability could allow a remote attacker to spoof the location bar via a specially crafted web site.
10. Java security bypass from LiveConnect loaded via data: URL meta refresh vulnerability (CVE-2010-3775)
A vulnerability has been reported in Mozilla Firefox in the handling of certain redirections involving data: URLs and Java LiveConnect scripts. When a Java LiveConnect script was loaded via a data: URL which redirects via a meta refresh, the resulting plug-in object was created with the wrong security principal and thus received elevated privileges, such as the ability to read local files, launch processes, and create network connections. This vulnerability allows a remote attacker to start processes, read arbitrary local files, and establish network connections via vectors involving a refresh value in the http-equiv attribute of a META element.
11. Multiple memory safety vulnerabilities (CVE-2010-3776, CVE-2010-3777, CVE-2010-3778)
Multiple vulnerabilities have been reported in the Mozilla Firefox browser engine. Successful exploitation of these vulnerabilities could allow a remote attacker to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
Solution
Upgrade to Mozilla Firefox 3.6.13 or 3.5.16 (or a higher version).
Vendor Information
Mozilla
http://www.mozilla.org/security/announce/2010/mfsa2010-74.html
http://www.mozilla.org/security/announce/2010/mfsa2010-75.html
http://www.mozilla.org/security/announce/2010/mfsa2010-76.html
http://www.mozilla.org/security/announce/2010/mfsa2010-77.html
http://www.mozilla.org/security/announce/2010/mfsa2010-78.html
http://www.mozilla.org/security/announce/2010/mfsa2010-79.html
http://www.mozilla.org/security/announce/2010/mfsa2010-80.html
http://www.mozilla.org/security/announce/2010/mfsa2010-81.html
http://www.mozilla.org/security/announce/2010/mfsa2010-82.html
http://www.mozilla.org/security/announce/2010/mfsa2010-83.html
http://www.mozilla.org/security/announce/2010/mfsa2010-84.html
References
Mozilla
http://www.mozilla.org/security/announce/2010/mfsa2010-81.html
http://www.mozilla.org/security/announce/2010/mfsa2010-82.html
http://www.mozilla.org/security/announce/2010/mfsa2010-83.html
http://www.mozilla.org/security/announce/2010/mfsa2010-84.html
http://www.mozilla.org/security/announce/2010/mfsa2010-74.html
http://www.mozilla.org/security/announce/2010/mfsa2010-75.html
http://www.mozilla.org/security/announce/2010/mfsa2010-76.html
http://www.mozilla.org/security/announce/2010/mfsa2010-77.html
http://www.mozilla.org/security/announce/2010/mfsa2010-78.html
http://www.mozilla.org/security/announce/2010/mfsa2010-79.html
http://www.mozilla.org/security/announce/2010/mfsa2010-80.html
Zero day initiative
http://www.zerodayinitiative.com/advisories/ZDI-10-264/
http://www.zerodayinitiative.com/advisories/ZDI-10-265/
Secunia
http://secunia.com/advisories/42517
CVE Name
CVE-2010-3766
CVE-2010-3767
CVE-2010-3768
CVE-2010-3769
CVE-2010-3770
CVE-2010-3771
CVE-2010-3772
CVE-2010-3773
CVE-2010-3774
CVE-2010-3775
CVE-2010-3776
CVE-2010-3777
CVE-2010-3778
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In) Ministry of Electronics and Information Technology Government of India Electronics Niketan 6, CGO Complex, Lodhi Road, New Delhi - 110 003 India