Reference: CERT-EU Security Advisory 2011-0032

Title: Multiple vulnerabilities in Mozilla Firefox / Thunderbird / SeaMonkey

Version history:
21.12.2011 Initial publication

Summary
=======

Multiple vulnerabilities have been found in Mozilla Firefox / Thunderbird. A fix is available.

* Potential crash and arbitrary code execution via an Ogg VIDEO element (CVE-2011-3665)
* Keystroke capture without JavaScript via SVG animation (CVE-2011-3663)
* Potential crash and arbitrary code execution via nsSVGValue (CVE-2011-3658)
* Potential crash and arbitrary code execution via the YARR regular expression library (CVE-2011-3661)
* Potential crash and arbitrary code execution via the nsDOMMessageEvent::GetData function (CVE-2011-3660)

These vulnerabilities can potentially lead to a disruption of service or possibly allow unauthorized disclosure and modification of information in the context of the user. See [6] for further details.

Remote:       Yes
Credibility:  Vendor Confirmed
Ease:         Exploit Available
CVSSv2 [7]:   Base Score: 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Technical description
=====================

Mozilla Firefox 4.x through 8.0, Thunderbird 5.0 through 8.0, and SeaMonkey before 2.6 allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via an Ogg VIDEO element that is not properly handled after scaling. (CVE-2011-3665)

Mozilla Firefox 4.x through 8.0, Thunderbird 5.0 through 8.0, and SeaMonkey before 2.6 allow remote attackers to capture keystrokes entered on a web page by using SVG animation accessKey events within that web page. (CVE-2011-3663)

The SVG implementation does not properly interact with DOMAttrModified event handlers, which allows remote attackers to cause a denial of service (out-of-bounds memory access) or possibly have unspecified other impact via vectors involving removal of SVG elements. (CVE-2011-3658)

YARR allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted JavaScript. (CVE-2011-3661)

Multiple unspecified vulnerabilities allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors that trigger a compartment mismatch associated with the nsDOMMessageEvent::GetData function, and unknown other vectors. (CVE-2011-3660)

Further description may be found in [1][2][3][4][5].

Vulnerable systems
==================

Versions prior to:

Firefox 9.0
Thunderbird 9.0
SeaMonkey 2.6

Notes:

* Firefox 3.6 is not affected by CVE-2011-3665.
* The YARR library was not used in older versions of the Mozilla browser engine. This vulnerability does not affect Firefox 3.6 or Thunderbird 3.1. (CVE-2011-3661)
* SVG animation is not supported in Thunderbird 3.1 or Firefox 3.6. (CVE-2011-3663)

What can you do?
================

Update to:

Firefox 9.0
Thunderbird 9.0
SeaMonkey 2.6

See [1][2][3][4][5].

What to tell your users?
========================

Normal security best practices apply. In particular, inform your Web users to be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Users should not click on links in suspicious emails and should immediately forward the suspicious email to the respective IT security officer / contact in your institution. Run your applications with a non-privileged account.

More information
================

[1] http://www.mozilla.org/security/announce/2011/mfsa2011-53.html
[2] http://www.mozilla.org/security/announce/2011/mfsa2011-54.html
[3] http://www.mozilla.org/security/announce/2011/mfsa2011-55.html
[4] http://www.mozilla.org/security/announce/2011/mfsa2011-56.html
[5] http://www.mozilla.org/security/announce/2011/mfsa2011-58.html
[6] http://www.mozilla.org/security/announce/
[7] Information about CVSS: http://www.first.org/cvss/cvss-guide.html

Best regards,
CERT-EU

CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383

(DISCLAIMER: CERT-EU, the CERT for the EU institutions, is currently in its setup phase, until May 2012. Services are provided in a pilot fashion, and are not yet fully functional. Announcements, alerts and warnings are sent out in a best-effort manner, and to contact information currently known to us. We apologise if you are not the correct recipient, or if you had already been warned about this issue from another source. Format, content and way of alerting are subject to change in the future. Contact information or even the team name may change as well.)