NY.gov Portal State Agency Listing
The following cyber advisory was issued by the New York State Office of Cyber Security (OCS) and is
intended for State government entities. The information may or may not be applicable to the
general public and accordingly, the State does not warrant its use for any specific purposes.

OCS ADVISORY NUMBER:
2013-019

DATE(S) ISSUED:
2/20/2013

SUBJECT:
Multiple Vulnerabilities in Mozilla Products Could Allow Remote Code Execution

OVERVIEW:

Multiple vulnerabilities have been discovered in Mozilla Firefox, Thunderbird, and SeaMonkey applications, which could allow remote code execution. Mozilla Firefox is a web browser used to access the Internet. Mozilla Thunderbird is an e-mail client. Mozilla SeaMonkey is a cross platform Internet suite of tools ranging from a web browser to an e-mail client. Successful exploitation of these vulnerabilities could result in either an attacker gaining the same privileges as the logged on user, or gaining session authentication credentials. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.

SYSTEMS AFFECTED:

  • Firefox versions prior to 19.0
  • Firefox Extended Support Release (ESR) versions prior to 17.0.3
  • Thunderbird versions prior to 17.0.3
  • Thunderbird Extended Support Release (ESR) versions prior to 17.0.3
  • SeaMonkey versions prior to 2.16

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: High

DESCRIPTION:
Multiple vulnerabilities have been discovered in Mozilla Firefox, Thunderbird, and SeaMonkey. The details of these vulnerabilities are as follows:

  • Miscellaneous memory safety hazards (MFSA 2013-21). Several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products have been identified. Some of these bugs showed evidence of memory corruption under certain circumstances, and some of these could be exploited to run arbitrary code.
  • Out-of-bounds read in image rendering (MFSA 2013-22). This issue is caused when performing an out-of-bounds read while rendering GIF format images. This could cause a non-exploitable crash and could also attempt to render normally inaccessible data as part of the image.
  • Wrapped Web IDL objects can be wrapped again (MFSA 2013-23). A wrapped Web IDL object can be wrapped multiple times, overwriting the existing wrapped state. This could lead to an exploitable condition in rare cases.
  • Web content bypass of COW and SOW security wrappers (MFSA 2013-24). It is possible to bypass some protections in Chrome Object Wrappers (COW) and System Only Wrappers (SOW), making their prototypes mutable by web content. This could be used leak information from chrome objects and possibly allow for arbitrary code execution.
  • Privacy leak in JavaScript Workers (MFSA 2013-25). The file system location of the active browser profile was available to JavaScript workers. While not dangerous by itself, this could potentially be combined with other vulnerabilities to target the profile in an attack.
  • Use-after-free in nsImage Loading Content (MFSA 2013-26). There is a use-after-free issue in nsImage Loading Content when content script is executed. This could allow for arbitrary code execution.
  • Phishing on HTTPS connection through malicious proxy (MFSA 2013-27).This issue allows for a spoofing of addresses that can be used for phishing attacks.
  • Use-after-free, out of bounds read, and buffer overflow issues found using Address Sanitizer (MFSA 2013-28).There is a series of use-after-free, out of bounds read, and buffer overflow problems rated as low to critical security issues in shipped software. Some of these issues are potentially exploitable, allowing for remote code execution.

Successful exploitation of these vulnerabilities could result in either an attacker gaining the same privileges as the logged on user, or gaining session authentication credentials. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Upgrade vulnerable Mozilla products immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
  • Remind users not to open e-mail attachments from unknown users or suspicious e-mails from trusted sources.

REFERENCES:
Mozilla:
http://www.mozilla.org/security/announce/
http://www.mozilla.org/security/announce/2013/mfsa2013-21.html
http://www.mozilla.org/security/announce/2013/mfsa2013-22.html
http://www.mozilla.org/security/announce/2013/mfsa2013-23.html
http://www.mozilla.org/security/announce/2013/mfsa2013-24.html
http://www.mozilla.org/security/announce/2013/mfsa2013-25.html
http://www.mozilla.org/security/announce/2013/mfsa2013-26.html
http://www.mozilla.org/security/announce/2013/mfsa2013-27.html
http://www.mozilla.org/security/announce/2013/mfsa2013-28.html

SecurityFocus:
http://www.securityfocus.com/bid/58030

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0765
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0772
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0773
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0774
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0775
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0776
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0777
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0778
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0779
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0780
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0781
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0782
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0783
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0784