Reference: CERT-EU Security Advisory 2011-0010

Title: Mozilla Firefox and Thunderbird Shift-JIS Encoding HTML Injection Vulnerability

Version history:
10.11.2011 Initial publication

Summary
=======

Mozilla Firefox and Thunderbird are prone to an HTML-injection vulnerability, CVE-2011-3648 (Candidate).

Exploits are available.
Fixes are available.

Potential impact
================

An attacker could exploit this vulnerability in the following way:

1. The attacker scans for and identifies a site that is using the affected encoding.
2. The attacker crafts malicious script code and injects it into a vulnerable section.
3. When an unsuspecting user views the affected section, the attacker-supplied code is rendered in their browser in the context of the vulnerable site.

The attacker could exploit this issue to steal cookie-based authentication credentials and gain unauthorized access; other attacks are also possible.

Access Vector: Remotely exploitable
Authentication: Not required
Impact Type: Allows unauthorized disclosure and modification of information and service disruption
Exploitability: Exploit available
Remediation Level: Official fix available
Report Confidence: The vulnerability has been acknowledged by the vendor

Vulnerable Systems

Mozilla Firefox 3.6 and following 3.6.x before 3.6.24
Mozilla Firefox 4.0 and following 4.0.x
Mozilla Firefox 5.0
Mozilla Firefox 6
Mozilla Firefox 7
Mozilla Thunderbird 3.1 and following 3.1.x before 3.1.16
Mozilla Thunderbird 5
Mozilla Thunderbird 6
Mozilla Thunderbird 7.0 and derivatives

Non-vulnerable Systems

Mozilla Firefox 3.6.24
Mozilla Firefox 8.0
Mozilla Thunderbird 3.1.16
Mozilla Thunderbird 8.0

What can you do?
================

Fixes have been released by the vendor [1].

Work-arounds:

Deploy network intrusion detection systems to monitor network traffic for malicious activity. Also monitor network traffic for signs of anomalous or suspicious activity, including requests that include NOP sleds and unexplained incoming and outgoing traffic, as these may be indications of exploit attempts or of activity that results from successful exploits.

Implement multiple redundant layers of security. Enable the memory-protection schemes if supported by the operating system (such as nonexecutable and randomly mapped memory segments). This may hinder an attacker's ability to exploit this vulnerability to execute arbitrary code.

Configure your system to run all applications as a non-privileged user and with the minimal access rights required.

What to tell your users?
========================

Normal security best practices apply. In particular, tell your users not to click on links in suspicious emails and to forward such emails immediately to the respective IT security officer / contact in your institution.

More information
================

[1] http://www.mozilla.org/security/announce/2011/mfsa2011-47.html

Best regards,

CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
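
An added triage example, not part of the CERT-EU advisory: it classifies Firefox and Thunderbird versions found in User-Agent strings against the Vulnerable and Non-vulnerable Systems lists above. The log lines are constructed, and two assumptions are made: point releases of a listed major version count as that version, and releases newer than a listed fixed version count as fixed.

```python
import re

# Ranges transcribed from the advisory's "Vulnerable Systems" and
# "Non-vulnerable Systems" lists.
# Assumptions: point releases of a listed major version count as that version,
# and releases newer than a listed fixed version count as fixed.
FIRST_FIXED = {"Firefox": (3, 6, 24), "Thunderbird": (3, 1, 16)}
VULNERABLE_MAJORS = {"Firefox": {4, 5, 6, 7}, "Thunderbird": {5, 6, 7}}
FIXED_MAJOR = 8

UA_RE = re.compile(r"\b(Firefox|Thunderbird)/(\d+(?:\.\d+)*)")


def classify(product, version):
    """Return 'vulnerable', 'fixed' or 'not listed' for one product version."""
    v = tuple(int(part) for part in version.split("."))
    fixed = FIRST_FIXED[product]
    if v[:2] == fixed[:2]:
        # Same maintenance branch (3.6.x / 3.1.x); pad so "3.6" reads as 3.6.0.
        return "fixed" if (v + (0,))[:3] >= fixed else "vulnerable"
    if v[0] in VULNERABLE_MAJORS[product]:
        return "vulnerable"
    if v[0] >= FIXED_MAJOR:
        return "fixed"
    return "not listed"  # e.g. older branches the advisory does not mention


def scan(log_lines):
    """Yield-free helper: list (host, product, version, status) per matching line."""
    findings = []
    for line in log_lines:
        match = UA_RE.search(line)
        if not match:
            continue  # not a Firefox or Thunderbird client
        host = line.split()[0]
        product, version = match.groups()
        findings.append((host, product, version, classify(product, version)))
    return findings


# Constructed sample lines: "<client address> <quoted User-Agent>".
SAMPLE_LOG = [
    '10.0.0.11 "Mozilla/5.0 (Windows NT 6.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"',
    '10.0.0.12 "Mozilla/5.0 (Windows NT 5.1; rv:1.9.2.24) Gecko/20111103 Firefox/3.6.24"',
    '10.0.0.13 "Mozilla/5.0 (X11; Linux x86_64; rv:8.0) Gecko/20100101 Firefox/8.0"',
    '10.0.0.14 "Mozilla/5.0 (Windows NT 6.1; rv:1.9.2.13) Gecko/20101207 Thunderbird/3.1.7"',
    '10.0.0.15 "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.2 Chrome/15.0.874.106"',
    '10.0.0.16 "Mozilla/5.0 (Windows NT 5.1; rv:1.9.1.19) Gecko/20110420 Firefox/3.5.19"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print("%-10s %-12s %-8s %s" % finding)
```

Hosts reported as "not listed" run a branch the advisory does not cover and need a separate check against the vendor notice [1].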