Secunia Advisory SA39925

Mozilla Firefox Multiple Vulnerabilities
Release Date 2010-05-27
Last Update 2010-08-03
   
Popularity 23,784 views
Comments 4 comments

Criticality level Highly critical
Impact Security Bypass, Cross Site Scripting, Spoofing, Exposure of sensitive information, System access
Where From remote
Solution Status Vendor Patch
   
Software:
Mozilla Firefox 3.5.x
Mozilla Firefox 3.6.x

CVE Reference(s)
CVE-2010-0654
CVE-2010-1205
CVE-2010-1207
CVE-2010-1208
CVE-2010-1209
CVE-2010-1210
CVE-2010-1211
CVE-2010-1212
CVE-2010-1213
CVE-2010-1214
CVE-2010-1215
CVE-2010-2751
CVE-2010-2752
CVE-2010-2753
CVE-2010-2754
  

Description

Some weaknesses and vulnerabilities have been reported in Mozilla Firefox, which can be exploited by malicious people to disclose potentially sensitive information, potentially conduct cross-site scripting attacks, bypass certain security restrictions, conduct spoofing attacks, and compromise a user's system.

1) Multiple errors in the browser engine can be exploited to corrupt memory and potentially execute arbitrary code.

2) A use-after-free error within the DOM attribute cloning routine can be exploited to execute arbitrary code.

3) A use-after-free error within the NodeIterator implementation can be exploited to execute arbitrary code.

4) An error within the handling of parameters when embedding plugin content can be exploited to execute arbitrary code.

5) An error when accessing a content object via SJOW from the chrome scope can be exploited to execute arbitrary JavaScript code with chrome privileges.

6) An error when handling certain CSS array values (e.g. when handling external font resources) can be exploited to execute arbitrary code.

7) An integer overflow when calculating ranges for nsTreeSelection can be exploited to trigger the use of an invalid pointer and execute arbitrary code.

8) An error when handling certain PNG images can be exploited to execute arbitrary code.

For more information:
SA40302

9) An error within the Web Worker method importScripts can be exploited to bypass the same-origin policy and disclose potentially sensitive information.

10) An error within the canvas element after rendering cross-origin data can be exploited to bypass the same-origin policy and disclose potentially sensitive information.

11) A weakness exists when handling undefined positions within various 8-bit character encodings, which can lead to characters disappearing from the text run. This can potentially be leveraged to conduct cross-site scripting attacks.

12) A weakness exists when handling certain redirect sequences and responses in combination with JavaScript and SSL/TLS, which can be exploited to spoof the location bar to indicate a secure page, although the current document was served via plaintext.

13) A weakness when handling certain CSS selectors can be exploited to disclose potentially sensitive information by injecting CSS selectors into a target page and accessing the region between the selectors via e.g. the JavaScript "getComputedStyle()" API.

14) A vulnerability is caused due to the "window.onerror" handler being allowed to read the destination URL of a redirection. This can be exploited to e.g. disclose session-specific query parameters contained in a target URL by referencing a redirecting site via an HTML "<script>" tag.


Solution
Update to Firefox 3.5.11 or 3.6.7.
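
Added example (not part of the Secunia advisory or Mozilla's code): a check that applies the fixed versions above per branch and flags Firefox 3.5.x and 3.6.x clients in web or proxy logs that have not yet updated. The log lines, client addresses and function names are constructed for illustration.

```python
import re

# Fixed releases from the advisory's Solution section, keyed by affected branch.
FIXED = {(3, 5): (3, 5, 11), (3, 6): (3, 6, 7)}
UA_VERSION = re.compile(r"\bFirefox/(\d+(?:\.\d+)*)")

def firefox_version(text):
    """Return (major, minor, patch) from a User-Agent string, or None."""
    m = UA_VERSION.search(text)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))  # "3.6" is treated as 3.6.0
    return tuple(parts[:3])

def classify(text):
    """Return 'affected', 'fixed', 'not-listed' or 'not-firefox'."""
    version = firefox_version(text)
    if version is None:
        return "not-firefox"
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return "not-listed"  # SA39925 only lists the 3.5.x and 3.6.x branches
    return "affected" if version < fixed else "fixed"

def affected_clients(log_lines):
    """Return sorted, de-duplicated (client, version) pairs on affected builds."""
    hits = set()
    for line in log_lines:
        if classify(line) == "affected":
            client = line.split()[0]  # assumption: client address is the first field
            hits.add((client, ".".join(map(str, firefox_version(line)))))
    return sorted(hits)

# Constructed sample access-log lines (client first, User-Agent last).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Jun/2010:09:14:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.4) Gecko/20100611 Firefox/3.6.4"',
    '192.0.2.11 - - [25/Jul/2010:10:01:44 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.7) Gecko/20100713 Firefox/3.6.7"',
    '192.0.2.12 - - [25/Jul/2010:10:03:10 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.10) Gecko/20100504 Firefox/3.5.10"',
    '192.0.2.13 - - [25/Jul/2010:10:05:31 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"',
    '192.0.2.10 - - [25/Jun/2010:09:15:40 +0000] "GET /a HTTP/1.1" 200 98 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.4) Gecko/20100611 Firefox/3.6.4"',
]

if __name__ == "__main__":
    for client, version in affected_clients(SAMPLE_LOG):
        print(f"{client} runs Firefox {version}: update per SA39925")
```

User-Agent strings can be altered by the client, so treat the result as a lead for inventory follow-up rather than proof of the installed version.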

Provided and/or discovered by
2, 3, 7) regenrecht via ZDI.
4, 6) J23 via ZDI.
10) Reported by the vendor.

The vendor credits:
1) Jesse Ruderman, Ehsan Akhgari, Mats Palmgren, Igor Bukanov, Gary Kwong, Tobias Markus and Daniel Holbert, Jesse Ruderman, David Anderson, and Johnny Stenback
5) moz_bug_r_a4
8) Aki Helin, OUSPG
9) Yosuke Hasegawa
11) O. Andersen
12) Jordi Chancel
13) Chris Evans, Google
14) Soroush Dalili


Original Advisory
Mozilla:
http://www.mozilla.org/security/announce/2010/mfsa2010-34.html
http://www.mozilla.org/security/announce/2010/mfsa2010-35.html
http://www.mozilla.org/security/announce/2010/mfsa2010-36.html
http://www.mozilla.org/security/announce/2010/mfsa2010-37.html
http://www.mozilla.org/security/announce/2010/mfsa2010-38.html
http://www.mozilla.org/security/announce/2010/mfsa2010-39.html
http://www.mozilla.org/security/announce/2010/mfsa2010-40.html
http://www.mozilla.org/security/announce/2010/mfsa2010-41.html
http://www.mozilla.org/security/announce/2010/mfsa2010-42.html
http://www.mozilla.org/security/announce/2010/mfsa2010-43.html
http://www.mozilla.org/security/announce/2010/mfsa2010-44.html
http://www.mozilla.org/security/announce/2010/mfsa2010-45.html
http://www.mozilla.org/security/announce/2010/mfsa2010-46.html
http://www.mozilla.org/security/announce/2010/mfsa2010-47.html

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-130/
http://www.zerodayinitiative.com/advisories/ZDI-10-132/
http://www.zerodayinitiative.com/advisories/ZDI-10-134/
http://www.zerodayinitiative.com/advisories/ZDI-10-133/
http://www.zerodayinitiative.com/advisories/ZDI-10-131/

Soroush Dalili:
http://soroush.secproject.com/blog/2010/05/cross-site-url-hijacking-by-using-error-object-in-mozilla-firefox/

Chris Evans:
http://code.google.com/p/chromium/issues/detail?id=9877



Jesant13 RE: Mozilla Firefox Error Handling Information Disclosure Vulnerability
Member 4th Jun, 2010 18:44
Score: -7
Posts: 18
User Since: 10th Sep 2009
System Score: 100%
Location: US
Last edited on 4th Jun, 2010 18:44
I went to Mozilla's Bugzilla to report this vulnerability to them and discovered that somebody already has and that someone is working on it: https://bugzilla.mozilla.org/show_bug.cgi?id=56856...
Was this reply relevant?
+4
-0

TenorBrian RE: Mozilla Firefox Error Handling Information Disclosure Vulnerability
Member 24th Jun, 2010 22:41
Score: 0
Posts: 1
User Since: 12th Jan 2010
System Score: 100%
Location: US
Last edited on 24th Jun, 2010 22:44
Firefox just released 3.6.4... Since this vulnerability has been out for a while, I would have thought they'd have fixed it already. When I look at Firefox in the PSI "patched" section, it sees version 3.6.4, and shows that this patched a Cat 4 vulnerability, but all that was showing before was a Cat 2. Is Secunia sure this hasn't been patched?
Was this reply relevant?
+0
-0
Anthony Wells RE: Mozilla Firefox Error Handling Information Disclosure Vulnerability
Expert Contributor 25th Jun, 2010 00:21
Score: 2057
Posts: 2,896
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 25th Jun, 2010 00:31
@TenorBrian,

As a new poster to the Community Forum, let me advise you that the threads in this, the "vulnerabilities" sub-forum, are reserved for technical commentary on the Secunia Advisory itself; in this case your comments/questions are not relevant to the actual technicalities of SA39925.

I would suggest you repost your question by "creating" your own thread in either the "Program" or "PSI" sub-forum in the Community Forum - see the left hand column on this web page; this thread already deals with some of your points:

http://secunia.com/community/forum/thread/show/459...

Take care
Anthony


--


It always seems impossible until it's done.
Nelson Mandela
Was this reply relevant?
+1
-0

© 2002-2012 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144