Reference: CERT-EU Security Advisory 2011-0011

Title: Mozilla Firefox and Thunderbird 'loadSubScript()' Security Bypass

Version history:
11.11.2011 Initial publication

Summary
=======

Mozilla Firefox and Thunderbird are prone to a security-bypass vulnerability [1]. This issue occurs because installed add-ons fail to properly use 'XPCNativeWrappers' in the 'loadSubScript()' function.

CVE-2011-3647 (Candidate)

Severity Level [3]:
CVSS2 Base       6.8/10
Remote           Yes
Local            No
Credibility      Vendor Confirmed
Ease             No Exploit Available
Authentication   Not Required

This issue is fixed in:
Firefox 3.6.24
Thunderbird 3.1.16

Potential impact
================

Attackers can exploit this issue to bypass security protections and perform privilege-escalation attacks through affected add-ons.

Impact Type: Allows unauthorized disclosure and modification of information and service disruption.

1. An attacker constructs a malicious Web page designed to leverage this issue.
2. The attacker distributes the page and entices an unsuspecting user to view it with an affected application.
3. When the application processes the page, the attacker's code runs with elevated privileges.

Vulnerable Systems
==================

Firefox 3.x prior to 3.6.24, Thunderbird 3.x prior to 3.1.16, Firefox prior to Firefox 8 and Thunderbird prior to Thunderbird 8 are affected.

What can you do?
================

Solutions:

Updates are available. [2]

Work-arounds:

Run all software as a nonprivileged user with minimal access rights.
Run all non-administrative software as a non-administrative user with the least amount of privileges required to successfully operate. This will greatly reduce the potential damage that successful exploitation may achieve.

Do not follow links provided by unknown or untrusted sources.
Never follow links provided by unknown or untrusted sources.

Set web browser security to disable the execution of script code or active content.
Since the exploitation of some of these issues allows the execution of malicious script code in web clients, consider disabling support for script code and active content within the client browser. Note that this mitigation tactic might adversely affect websites that rely on the execution of browser-based script code.

Implement multiple redundant layers of security.
Various memory-protection schemes (such as non-executable and randomly mapped memory segments) may hinder an attacker's ability to exploit this vulnerability to execute arbitrary code.

What to tell your users?
========================

Normal security best practices apply. In particular, remind your users not to click on links in suspicious emails and to immediately forward such emails to the respective IT security officer / contact in your institution.

More information
================

[1] http://www.mozilla.org/security/announce/2011/mfsa2011-46.html
[2] http://www.mozilla.org/
[3] CVSS details:

CVSS Version 2 Scores
CVSS2 Base              6.8
CVSS2 Temporal          5
CVSS2 Base Vector       AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS2 Temporal Vector   E:U/RL:OF/RC:C

More information about CVSS is available at: http://www.first.org/cvss/cvss-guide.html

Best regards,

CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
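
Added example (not part of the CERT-EU advisory): a Python triage check that applies the "This issue is fixed in" and "Vulnerable Systems" version ranges above to a software inventory. The CSV layout, host names and function names are constructed for illustration; treating later 3.6.x / 3.1.x maintenance releases as fixed is an assumption drawn from the "fixed in" list.

```python
import csv
import io
import re

# First fixed release per maintenance branch, from "This issue is fixed in".
FIXED_ON_BRANCH = {"firefox": (3, 6, 24), "thunderbird": (3, 1, 16)}
FIRST_FIXED_MAJOR = 8  # advisory: releases prior to 8 are affected

# Constructed sample inventory (hypothetical hosts), not data from the advisory.
SAMPLE_INVENTORY = """\
host,product,version
ws-001,Firefox,3.6.23
ws-002,Firefox,3.6.24
ws-003,Firefox,7.0.1
ws-004,Firefox,8.0
ws-005,Thunderbird,3.1.15
ws-006,Thunderbird,3.1.16
ws-007,Thunderbird,7.0.1
ws-008,Firefox,not-installed
"""

def parse_version(text):
    """Turn '3.6.23' or '8.0' into a tuple of ints, padded to three parts."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            raise ValueError(f"unparseable version: {text!r}")
        parts.append(int(m.group()))
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(product, version):
    """True if the advisory lists this product/version as vulnerable."""
    fixed = FIXED_ON_BRANCH.get(product.strip().lower())
    if fixed is None:
        raise ValueError(f"product not covered by advisory: {product!r}")
    v = parse_version(version)
    if v[0] >= FIRST_FIXED_MAJOR:
        return False  # 8 and later
    # Assumption: later releases on the patched maintenance branch stay fixed.
    return not (v[:2] == fixed[:2] and v >= fixed)

def triage(inventory_csv):
    """Return (affected_hosts, unparseable_hosts) for a host,product,version CSV."""
    affected, errors = [], []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        try:
            if is_affected(row["product"], row["version"]):
                affected.append(row["host"])
        except ValueError:
            errors.append(row["host"])  # needs manual review, do not assume safe
    return affected, errors
```

Hosts returned in the second list could not be classified and should be checked by hand rather than counted as patched.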