Reference: CERT-EU Security Advisory 2012-0044
Title: Multiple vulnerabilities in Mozilla Thunderbird and Firefox [1]
Version history: 22.03.2012 Initial publication

Summary
=======

Several vulnerabilities have been detected in Mozilla products; some of these have been covered by previous CERT-EU advisories already, but are mentioned here again for the sake of completeness.

CVE-2012-0454: Use-after-free in shlwapi.dll
    Vendor severity rating: Critical

CVE-2012-0455: XSS with Drag and Drop and Javascript
    Vendor severity rating: Moderate

CVE-2012-0457, CVE-2012-0456: SVG issues found with Address Sanitizer
    Vendor severity rating: Critical

CVE-2012-0451: XSS with multiple Content Security Policy headers
    Vendor severity rating: Moderate

CVE-2012-0458: Escalation of privilege with Javascript: URL as home page
    Vendor severity rating: Critical

CVE-2012-0459: Crash when accessing keyframe cssText after dynamic modification
    Vendor severity rating: Critical

CVE-2012-0460: window.fullScreen writable by untrusted content
    Vendor severity rating: Moderate

CVE-2012-0461, CVE-2012-0462, CVE-2012-0464: Miscellaneous memory safety hazards
    Vendor severity rating: Critical

Vulnerable systems
==================

Firefox before 11.0
Firefox ESR before 10.0.3
Firefox before 3.6.28
Thunderbird before 11.0
Thunderbird ESR before 10.0.3
Thunderbird before 3.1.20
SeaMonkey before 2.8

Original Details
================

CVE-2012-0454: Use-after-free in shlwapi.dll

Security researchers Blair Strang and Scott Bell of Security Assessment found that when a parent window spawns and closes a child window that uses the file open dialog, a crash can be induced in shlwapi.dll on 32-bit Windows 7 systems. This crash may be potentially exploitable.
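As an added example (not part of the CERT-EU advisory), the following Python helper maps an installed product version onto the fixed versions listed under "Vulnerable systems" above, so a software inventory can be checked against this advisory. The branch mapping (3.6/3.1 legacy lines, 10.0 ESR, everything else mainline), the inventory data and all function names are my own assumptions.

```python
"""Check Mozilla product versions against CERT-EU 2012-0044 fixed versions."""
import re
from typing import Tuple

Version = Tuple[int, ...]

# Fixed versions from the advisory's "Vulnerable systems" list, keyed by
# product: (release-branch prefix, first fixed version). An empty prefix is
# the mainline release line and is used when no legacy/ESR branch matches.
FIXED_VERSIONS = {
    "firefox": [((3, 6), (3, 6, 28)), ((10, 0), (10, 0, 3)), ((), (11, 0))],
    "thunderbird": [((3, 1), (3, 1, 20)), ((10, 0), (10, 0, 3)), ((), (11, 0))],
    "seamonkey": [((), (2, 8))],
}


def parse_version(text: str) -> Version:
    """Turn '10.0.3esr' or '3.6.28' into a tuple of ints; trailing tags are ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def fixed_version_for(product: str, version: Version) -> Version:
    """Pick the fixed version on the release branch this install belongs to."""
    branches = FIXED_VERSIONS[product.lower()]
    for prefix, fixed in branches:
        if prefix and version[: len(prefix)] == prefix:
            return fixed
    return next(fixed for prefix, fixed in branches if not prefix)


def is_affected(product: str, version_text: str) -> bool:
    """True when the installed version predates the fix on its own branch."""
    version = parse_version(version_text)
    return version < fixed_version_for(product, version)


if __name__ == "__main__":
    # Constructed inventory lines (host, product, version), not real data.
    inventory = [
        ("ws01", "Firefox", "10.0.2esr"),
        ("ws02", "Firefox", "11.0"),
        ("ws03", "Thunderbird", "3.1.19"),
        ("ws04", "SeaMonkey", "2.8"),
    ]
    for host, product, ver in inventory:
        print(f"{host} {product} {ver}: {'UPDATE' if is_affected(product, ver) else 'ok'}")
```

Versions that are not on the 3.6/3.1 or 10.0 branches (for example Firefox 9.0.1) are compared against the mainline fix, so they report as affected.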
CVE-2012-0455: XSS with Drag and Drop and Javascript

Firefox prevents the dropping of javascript links onto a frame to prevent malicious sites from tricking users into performing cross-site scripting (XSS) attacks on themselves. Security researcher Soroush Dalili reported a way to bypass this protection.

CVE-2012-0457, CVE-2012-0456: SVG issues found with Address Sanitizer

Security researcher Atte Kettunen from OUSPG found two issues with Firefox's handling of SVG using the Address Sanitizer tool. The first issue, rated critical, is a use-after-free in SVG animation that could potentially lead to arbitrary code execution. The second issue is rated moderate and is an out-of-bounds read in SVG Filters. This could potentially incorporate data from the user's memory, making it accessible to the page content.

CVE-2012-0451: XSS with multiple Content Security Policy headers

Security researcher Mike Brooks of Sitewatch reported that if multiple Content Security Policy (CSP) headers are present on a page, they have an additive effect on the page policy. Using carriage return line feed (CRLF) injection, a new CSP rule can be introduced which allows for cross-site scripting (XSS) on sites with a separate header injection vulnerability. Firefox 3.6 and Thunderbird 3.1 are not affected by this vulnerability.

CVE-2012-0458: Escalation of privilege with Javascript: URL as home page

Security researcher Mariusz Mlynski reported that an attacker able to convince a potential victim to set a new home page by dragging a link to the "home" button can set that user's home page to a javascript URL. Once this is done the attacker's page can cause repeated crashes of the browser, eventually getting the script URL loaded in the privileged about:sessionrestore context.

CVE-2012-0459: Crash when accessing keyframe cssText after dynamic modification

Mozilla community member Daniel Glazman of Disruptive Innovations reported a crash when accessing a keyframe's cssText after dynamic modification. This crash may be potentially exploitable. Firefox 3.6 and Thunderbird 3.1 are not affected by this vulnerability.

CVE-2012-0460: window.fullScreen writable by untrusted content

Mozilla developer Matt Brubeck reported that window.fullScreen is writable by untrusted content now that the DOM fullscreen API is enabled. Because window.fullScreen does not include mozRequestFullscreen's security protections, it could be used for UI spoofing. This code change makes window.fullScreen read-only for untrusted content, forcing the use of the DOM fullscreen API in normal usage. Firefox 3.6 and Thunderbird 3.1 are not affected by this vulnerability.

CVE-2012-0461, CVE-2012-0462, CVE-2012-0464: Miscellaneous memory safety hazards

Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. In general these flaws cannot be exploited through email in the Thunderbird and SeaMonkey products because scripting is disabled, but are potentially a risk in browser or browser-like contexts in those products.

What can you do?
================

Software updates that address these vulnerabilities are available from the vendor [3].

What to tell your users?
========================

N/A

More information
================

[1] Orig. source:
    http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:032

[2] Mozilla advisories:
    https://www.mozilla.org/security/announce/2012/mfsa2012-12.html
    https://www.mozilla.org/security/announce/2012/mfsa2012-13.html
    https://www.mozilla.org/security/announce/2012/mfsa2012-14.html
    https://www.mozilla.org/security/announce/2012/mfsa2012-15.html
    https://www.mozilla.org/security/announce/2012/mfsa2012-16.html
    https://www.mozilla.org/security/announce/2012/mfsa2012-17.html
    https://www.mozilla.org/security/announce/2012/mfsa2012-18.html
    https://www.mozilla.org/security/announce/2012/mfsa2012-19.html

Best regards,
CERT-EU

CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383

(DISCLAIMER: CERT-EU, the CERT for the EU institutions, is currently in its setup phase, until May 2012. Services are provided in a pilot fashion, and are not yet fully functional. Announcements, alerts and warnings are sent out in a best-effort manner, and to contact information currently known to us. We apologise if you are not the correct recipient, or if you had already been warned about this issue from another source. Format, content and way of alerting are subject to change in the future. Contact information or even the team name may change as well.)