The following cyber advisory was issued by the New York State Office of Information Technology Services and is intended for State government entities. The information may or may not be applicable to the general public and, accordingly, the State does not warrant its use for any specific purposes.

ITS ADVISORY NUMBER:
2013-035

DATE(S) ISSUED:
4/03/2013

SUBJECT:
Multiple Vulnerabilities in Mozilla Products Could Allow Remote Code Execution

OVERVIEW:

Multiple vulnerabilities have been discovered in Mozilla Firefox, Thunderbird, and SeaMonkey applications, which could allow for remote code execution. Mozilla Firefox is a web browser used to access the Internet. Mozilla Thunderbird is an email client. Mozilla SeaMonkey is a cross-platform Internet suite of tools ranging from a web browser to an email client.

Successful exploitation of these vulnerabilities could result in either an attacker gaining the same privileges as the logged-on user or gaining session authentication credentials. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.

SYSTEMS AFFECTED:

  • Firefox versions prior to 20.0
  • Firefox Extended Support Release (ESR) versions prior to 17.0.5
  • Thunderbird versions prior to 17.0.5
  • Thunderbird Extended Support Release (ESR) versions prior to 17.0.5
  • SeaMonkey versions prior to 2.17
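
The following is an added example, not part of the original advisory: a Python check that compares a software inventory against the fixed versions listed above, keeping the Firefox release and ESR thresholds separate so that 17.0.5esr is not flagged against 20.0. The inventory layout, the "esr" suffix convention, the hostnames and the handling of pre-release builds are assumptions.

```python
import re

# Fixed versions from the advisory's SYSTEMS AFFECTED list, keyed by (product, channel).
FIXED = {
    ("firefox", "release"): (20, 0),
    ("firefox", "esr"): (17, 0, 5),
    ("thunderbird", "release"): (17, 0, 5),
    ("thunderbird", "esr"): (17, 0, 5),
    ("seamonkey", "release"): (2, 17),
}
# Assumed inventory format: dotted number, optional alpha/beta tag, optional "esr" suffix.
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)((?:a|b|rc)\d*)?(esr)?$", re.IGNORECASE)

def parse_version(text):
    """Return (numbers, is_prerelease, is_esr) for strings such as '17.0.4esr' or '20.0b6'."""
    match = VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    return numbers, match.group(2) is not None, match.group(3) is not None

def is_affected(product, version):
    """True when the version is older than the fixed version for its product and channel."""
    numbers, prerelease, esr = parse_version(version)
    fixed = FIXED[(product.lower(), "esr" if esr else "release")]
    width = max(len(numbers), len(fixed))
    current = numbers + (0,) * (width - len(numbers))  # pad so 2.17 compares as 2.17.0
    target = fixed + (0,) * (width - len(fixed))
    # Assumption: a pre-release build of the fixed version is treated as not yet fixed.
    return current < target or (current == target and prerelease)

def triage(inventory):
    """Split (host, product, version) records into affected hosts and hosts needing review."""
    affected, review = [], []
    for host, product, version in inventory:
        try:
            if is_affected(product, version):
                affected.append(host)
        except (ValueError, KeyError):
            review.append(host)  # unknown product/channel or unparsable version
    return affected, review

# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = [
    ("ws-001", "Firefox", "19.0.2"), ("ws-002", "Firefox", "17.0.5esr"),
    ("ws-003", "Firefox", "17.0.4esr"), ("ws-004", "Thunderbird", "17.0.5"),
    ("ws-005", "SeaMonkey", "2.16.2"), ("ws-006", "Firefox", "20.0"),
    ("ws-007", "Firefox", "20.0b6"), ("ws-008", "Firefox", "unknown"),
]
```

Calling triage(SAMPLE_INVENTORY) returns the hosts to upgrade and, separately, the hosts whose records could not be evaluated and need a manual check.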

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: High

DESCRIPTION:
Multiple vulnerabilities have been discovered in Mozilla Firefox, Thunderbird, and SeaMonkey. The details of these vulnerabilities are as follows:

  • Miscellaneous memory safety hazards (MFSA 2013-30) (CVE-2013-0788) (CVE-2013-0789) (CVE-2013-0790): Multiple memory corruption vulnerabilities exist in the browser engine that could lead to arbitrary code execution.
  • Out-of-bounds write in Cairo library (MFSA 2013-31) (CVE-2013-0800): An out-of-bounds write in the Cairo graphics library could cause a potentially exploitable crash.
  • Privilege escalation through Mozilla Maintenance Service (MFSA 2013-32) (CVE-2013-0799): A privilege escalation vulnerability requiring local system access exists as a result of an error that occurs when using Mozilla Maintenance Service.
  • World read and write access to app_tmp directory on Android (MFSA 2013-33) (CVE-2013-0798): The app_tmp directory for Firefox on Android is readable and writable, giving third parties the ability to alter and/or replace Firefox add-ons that are being stored temporarily in the app_tmp directory before installation.
  • Privilege escalation through Mozilla Updater (MFSA 2013-34) (CVE-2013-0797): An error exists where the Mozilla Updater can be made to load a specially crafted local DLL file, resulting in privilege escalation. To exploit this vulnerability, the specially crafted DLL must be placed in a specific location locally on a host before Mozilla Updater is run. Local file system access is necessary for this issue to be exploitable.
  • WebGL crash with Mesa graphics driver on Linux (MFSA 2013-35) (CVE-2013-0796): A denial-of-service condition exists that may be exploitable. This issue occurs when the 'WebGL' library crashes and primarily affects Linux users using a Mesa graphics driver.
  • Bypass of SOW protections allows cloning of protected nodes (MFSA 2013-36) (CVE-2013-0795): A security bypass vulnerability affecting the System Only Wrappers (SOW) exists which, if exploited, could allow an attacker to clone a protected node, possibly resulting in privilege escalation and the execution of arbitrary code.
  • Bypass of tab-modal dialog origin disclosure (MFSA 2013-37) (CVE-2013-0794): A method exists for removing the origin indication on tab-modal dialog boxes in combination with browser navigation. This could allow attackers to overlay a page to show another site's content, and could possibly be used in phishing campaigns.
  • Cross-site scripting (XSS) using timed history navigations (MFSA 2013-38) (CVE-2013-0793): A cross-site scripting vulnerability exists and can be exploited when an attacker uses timed history navigations to load an arbitrary website with that page's baseURI property pointing to another site instead of the seemingly loaded one.
  • Memory corruption while rendering grayscale PNG images (MFSA 2013-39) (CVE-2013-0792): A memory corruption vulnerability exists that is triggered by specially crafted grayscale PNG images. This issue occurs only if the gfx.color_management.enablev4 preference is enabled in about:config; by default, this preference is not enabled.
  • Out-of-bounds array read in CERT_DecodeCertPackage (MFSA 2013-40) (CVE-2013-0791): An out-of-bounds read issue exists affecting the 'CERT_DecodeCertPackage' function of the Network Security Services (NSS) library which, if exploited, could result in memory corruption and a non-exploitable crash.

Successful exploitation of these vulnerabilities could result in either an attacker gaining the same privileges as the logged-on user or gaining session authentication credentials. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Upgrade vulnerable Mozilla products immediately after appropriate testing.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Do not open email attachments or click on URLs from unknown or untrusted sources.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

REFERENCES:
Mozilla:
http://www.mozilla.org/security/announce/
http://www.mozilla.org/security/announce/2013/mfsa2013-30.html
http://www.mozilla.org/security/announce/2013/mfsa2013-31.html
http://www.mozilla.org/security/announce/2013/mfsa2013-32.html
http://www.mozilla.org/security/announce/2013/mfsa2013-33.html
http://www.mozilla.org/security/announce/2013/mfsa2013-34.html
http://www.mozilla.org/security/announce/2013/mfsa2013-35.html
http://www.mozilla.org/security/announce/2013/mfsa2013-36.html
http://www.mozilla.org/security/announce/2013/mfsa2013-37.html
http://www.mozilla.org/security/announce/2013/mfsa2013-38.html
http://www.mozilla.org/security/announce/2013/mfsa2013-39.html
http://www.mozilla.org/security/announce/2013/mfsa2013-40.html

CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0788
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0789
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0790
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0792
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0793
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0794
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0795
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0796
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0797
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0798
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0799
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0800

SecurityFocus:
http://www.securityfocus.com/bid/58818

Deborah A. Snyder

Acting Chief Information Security Officer


 
