-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Reference: CERT-EU Security Advisory 2012-0069 Title: Several vulnerabilities in Firefox, Thunderbird and Seamonkey Version history 07.06.2012 Initial publication Summary and Potential impact ============================ The most severe vulnerability (Priority: urgent; Severity: urgent; classification done by Redhat) allows a remote attacker to run code in the security context of a user of Firefox, Thunderbird or Seamonkey, when they open a malicious website or email. (CVSS v2 Base Score: 9.3 CRITICAL AV:N/AC:M/Au:N/C:C/I:C/A:C)[6] List of all addressed vulnerabilities: CVE-2012-1938: Memory safety bugs fixed in Firefox 13[1] CVE-2012-1939: Assertion failure: [infer failure] Missing type pushed 0: float, at jsinfer.cpp:348[1] CVE-2012-1937: Memory safety bugs fixed in Firefox 10.0.5 and Firefox 13[1] CVE-2011-3101: Work around NVIDIA driver bug in glBufferData[1] CVE-2012-1944: script code execute even when inline scripts are blocked by CSP[2] CVE-2012-1945: Arbitrary File + Directory read via .lnk files on Windows Share[3] CVE-2012-1946: Use-after-free in nsINode::ReplaceOrInsertBefore[4] CVE-2012-1947: Heap-buffer-overflow in utf16_to_isolatin1[5] CVE-2012-1940: Heap-use-after-free in nsFrameList::FirstChild[5] CVE-2012-1941: Heap-buffer-overflow in nsHTMLReflowState::CalculateHypotheticalBox, with nested multi-column, relative position, and absolute position[5] Updates/Fixes =========== The vulnerabilities are fixed in Firefox 13.0 Firefox ESR 10.0.5 Thunderbird 13.0 Thunderbird ESR 10.0.5 SeaMonkey 2.10 What can you do? ================ A couple of vendors or maintainers of Linux Distributions (including RedHat) already issued an update for the packages. Please refer to the vendor or maintainer of your Software to learn about exact information about updates. What to tell your users? ======================== Normal security best practices apply. Especially, inform your Web users to be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Users are to be aware not to click on the link in suspicious emails; to immediately forward the suspicious email to the respective IT security officer / contact in your institution. More information ================ [1] http://www.mozilla.org/security/announce/2012/mfsa2012-34.html [2] http://www.mozilla.org/security/announce/2012/mfsa2012-36.html [3] http://www.mozilla.org/security/announce/2012/mfsa2012-37.html [4] http://www.mozilla.org/security/announce/2012/mfsa2012-38.html [5] http://www.mozilla.org/security/announce/2012/mfsa2012-40.html [6] More information about CVSS is available at: http://www.first.org/cvss/cvss-guide.html Best regards, CERT-EU Pre-configuration Team (http://cert.europa.eu) Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383 Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iQIcBAEBAgAGBQJP0GnZAAoJEPpzpNLI8SVoEy4P/iMz5h/IXuOBhrbnN+Cbd6dJ 7LnkUBp2Iu+MSWt3fuyiKFwXx5Ys4ZX5kGImlmgXC030oyZcpomO0KBdGwlRUBy1 n8e5Te8hfSvixJJZewj2f+odBnkYoXiovODjBOuV5DlaVlhAhjRtiRIzyKBOHm3i dZNJopqvBZEAclujkcqNf5tOk3OLYQ1dv1/WC2129hmSd4mX3eeeRffSEIOmPvlj hJeD9GU+/8uaSttdTJnjdM3aMeT0iXvwuMfFoCn69ELTyeoGaFklJA+2KZ/hqJAM 6lBqNIn007RAFjtG+fT/pFOtJ1ApvAX9uPOOodKLHDlx2z7zjb3eH5Xukl50K78S ebwRi68LyT39ysEf7Znk4wl2x2JG946sTV4R8vo71CxpP3BRCbR/foNwiGT+E8jL gLem1HRgyiy6ZuDWYXlvnE45oEsSzQYxkG0414IkIJYBHv4eRyyDkdYlXwdImSRz ibkAop5vIWKKF9Y77F7R8dEG3O4IXThGYCzHEN9XqeV+Cb+UJXV61AYfJqCkpcxG LGRrb3blefL1XIV5j6BHMMSOfAS40cDKLQoCqWBXcln5405OXlV2MuSvMtxtxry/ wCDIhSd+jj/PXdV2Ge7rmtsz8BB3ioT32FL5zL3TT/FEUqjqg6PVeXsWweecwRf9 u3JaaNgC7pkF79rngpu9 =7u8d -----END PGP SIGNATURE-----