Mozilla Firefox / Thunderbird Multiple Vulnerabilities

SA48932

CVE-2011-1187, CVE-2011-3062, CVE-2012-0467, CVE-2012-0468, CVE-2012-0469, CVE-2012-0470, CVE-2012-0471, CVE-2012-0472, CVE-2012-0473, CVE-2012-0474, CVE-2012-0475, CVE-2012-0477, CVE-2012-0478, CVE-2012-0479

25 Apr 2012

Highly Critical

Unpatched

Mozilla Firefox 11.x
Mozilla Thunderbird 11.x

From remote

System access

This covers vulnerabilities where malicious people are able to gain system access and execute arbitrary code with the privileges of a local user.

Cross-Site Scripting

Cross-Site Scripting vulnerabilities allow a third party to manipulate the content or behaviour of a web application in a user's browser, without compromising the underlying system.

Different Cross-Site Scripting related vulnerabilities are also classified under this category, including "script insertion" and "cross-site request forgery".

Cross-Site Scripting vulnerabilities are often used against specific users of a website to steal their credentials or to conduct spoofing attacks.

Exposure of sensitive information

Vulnerabilities where documents or credentials are leaked or can be revealed either locally or from remote.

Exposure of system information

Vulnerabilities where excessive information about the system (e.g. version numbers, running services, installation paths, and similar) are exposed and can be revealed from remote and in some cases locally.

Security Bypass

This covers vulnerabilities or security issues where malicious users or people can bypass certain security mechanisms of the application.

The actual impact varies significantly depending on the design and purpose of the affected application.

Spoofing

This covers various vulnerabilities where it is possible for malicious users or people to impersonate other users or systems.

Multiple vulnerabilities have been reported in Mozilla Firefox and Thunderbird, which can be exploited by malicious people to conduct cross-site scripting and spoofing attacks, disclose certain system and sensitive information, bypass certain security restrictions, and compromise a user's system.

1) Multiple unspecified errors can be exploited to corrupt memory.

2) A use-after-free error exists within the XPConnect hashtable when handling IDBKeyRange indexedDB.

3) An error within the gfxImageSurface class when handling certain graphic values can be exploited to cause a heap-based buffer overflow.

4) An error when handling multi-octet encoding can be exploited to conduct cross-site scripting attacks.

5) An error within the "cairo_dwrite_font_face()" function when rendering fonts can be exploited to corrupt memory.

6) An error within the "WebGL.drawElements()" function when handling certain template arguments can be exploited to disclose contents of arbitrary video memory.

7) An error within docshell when loading pages can be exploited to display arbitrary content while showing the URL of a trusted web site in the address bar and e.g. conduct cross-site scripting attacks.

8) An error within the handling of XMLHttpRequest and WebSocket while using an IPv6 address can be exploited to bypass the same-origin policy.

9) An error when decoding ISO-2022-KR and ISO-2022-CN character sets can be exploited to conduct cross-site scripting attacks.

10) An error exists within the "texImage2D()" function within WebGL when using JSVAL_TO_OBJECT.

11) An off-by-one error exists within the OpenType sanitizer when parsing certain data.

12) An error within the handling of javascript errors can be exploited to disclose the file names and location of javascript files on a server.

13) An error when handling RSS and Atom XML content loaded over HTTPS can be exploited to display arbitrary content while showing the URL of a trusted web site in the address bar.

Successful exploitation of vulnerabilities #1, #2, #3, #5, #10, and #11 may allow execution of arbitrary code.

Upgrade to Firefox version 12.0 and Thunderbird version 12.0

The vendor credits:
1) Christian Holler, Bob Clary, Christian Holler, Brian Hackett, Bobby Holley, Gary Kwong, Hilary Hall, Honza Bambas, Jesse Ruderman, Julian Seward, and Olli Pettay
2) Aki Helin, OUSPG
3) Atte Kettunen, OUSPG
4) Anne van Kesteren, Opera Software
5) wushi, team509 via iDefense
6) Matias Juntunen
7) Jordi Chancel, Eddy Bordi, and Chris McGowen
8) Simone Fabiano
9) Masato Kinugawa
10) Ms2ger
11) Mateusz Jurczyk, Google Security Team
12) Daniel Divricean
13) Jeroen van der Gun

http://www.mozilla.org/security/announce/2012/mfsa2012-20.html
http://www.mozilla.org/security/announce/2012/mfsa2012-22.html
http://www.mozilla.org/security/announce/2012/mfsa2012-23.html
http://www.mozilla.org/security/announce/2012/mfsa2012-24.html
http://www.mozilla.org/security/announce/2012/mfsa2012-25.html
http://www.mozilla.org/security/announce/2012/mfsa2012-26.html
http://www.mozilla.org/security/announce/2012/mfsa2012-27.html
http://www.mozilla.org/security/announce/2012/mfsa2012-28.html
http://www.mozilla.org/security/announce/2012/mfsa2012-29.html
http://www.mozilla.org/security/announce/2012/mfsa2012-30.html
http://www.mozilla.org/security/announce/2012/mfsa2012-31.html
http://www.mozilla.org/security/announce/2012/mfsa2012-32.html
http://www.mozilla.org/security/announce/2012/mfsa2012-33.html