ITS ADVISORY NUMBER:
Multiple Vulnerabilities in Mozilla Products Could Allow Remote Code Execution
Multiple vulnerabilities have been discovered in Mozilla Firefox, Thunderbird, and SeaMonkey applications, which could allow for remote code execution. Mozilla Firefox is a web browser used to access the Internet. Mozilla Thunderbird is an email client. Mozilla SeaMonkey is a cross-platform Internet suite of tools ranging from a web browser to an email client.
Successful exploitation of these vulnerabilities could result in either an attacker gaining the same privileges as the logged on user or gaining session authentication credentials. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.
- Firefox versions prior to 20.0
- Firefox Extended Support Release (ESR) versions prior to 17.0.5
- Thunderbird versions prior to 17.0.5
- Thunderbird Extended Support Release (ESR) versions prior to 17.0.5
- SeaMonkey versions prior to 2.17
- Large and medium government entities: High
- Small government entities: High
- Large and medium business entities: High
- Small business entities: High
- Home users: High
Multiple vulnerabilities have been discovered in Mozilla Firefox, Thunderbird, and SeaMonkey. The details of these vulnerabilities are as follows:
- Miscellaneous memory safety hazards (MFSA 2013-30) (CVE-2013-0788) (CVE-2013-0789) (CVE-2013-0790): Multiple memory corruption vulnerabilities exist in the browser engine that could lead to arbitrary code execution.
- Out-of-bounds write in Cairo library (MFSA 2013-31) (CVE-2013-0800): An out-of-bounds write can occur in the Cairo graphics library, which could cause a potentially exploitable crash.
- Privilege escalation through Mozilla Maintenance Service (MFSA 2013-32) (CVE-2013-0799): A privilege escalation vulnerability requiring local system access exists as a result of an error that occurs when using Mozilla Maintenance Service.
- World read and write access to app_tmp directory on Android (MFSA 2013-33) (CVE-2013-0798): The app_tmp directory for Firefox on Android is readable and writable, giving third parties the ability to alter and/or replace Firefox add-ons that are being stored temporarily in the app_tmp directory before installation.
- Privilege escalation through Mozilla Updater (MFSA 2013-34) (CVE-2013-0797): An error exists where the Mozilla Updater can be made to load a specially crafted local DLL file, resulting in privilege escalation. In order for this vulnerability to be exploited, the specially crafted DLL must be placed in a specific location locally on a host prior to Mozilla Updater being run. Local file system access is necessary in order for this issue to be exploitable.
- WebGL crash with Mesa graphics driver on Linux (MFSA 2013-35) (CVE-2013-0796): A denial-of-service condition exists that could result in a possibly exploitable condition. This issue occurs when the 'WebGL' library crashes and primarily affects Linux users using a Mesa graphics driver.
- Bypass of SOW protections allows cloning of protected nodes (MFSA 2013-36) (CVE-2013-0795): A security bypass vulnerability affecting the System Only Wrappers (SOW) exists which, if exploited, could allow an attacker to clone a protected node, and possibly result in a privilege escalation condition and the execution of arbitrary code.
- Bypass of tab-modal dialog origin disclosure (MFSA 2013-37) (CVE-2013-0794): A method for removing the origin indication on tab-modal dialog boxes in combination with browser navigation exists. This could allow attackers to overlay a page to show another site's content, and could possibly be used in phishing campaigns.
- Cross-site scripting (XSS) using timed history navigations (MFSA 2013-38) (CVE-2013-0793): A cross-site scripting vulnerability exists and can be exploited when an attacker uses timed history navigations to load an arbitrary website with that page's baseURI property pointing to another site instead of the seemingly loaded one.
- Memory corruption while rendering grayscale PNG images (MFSA 2013-39) (CVE-2013-0792): A memory corruption vulnerability exists that affects the rendering of specially crafted grayscale PNG images. This issue occurs if the gfx.color_management.enablev4 preference is enabled in about:config – by default, this preference is not enabled.
- Out-of-bounds array read in CERT_DecodeCertPackage (MFSA 2013-40) (CVE-2013-0791): An out-of-bounds read issue exists affecting the 'CERT_DecodeCertPackage' function of the Network Security Services (NSS) library, and if exploited could result in memory corruption and a non-exploitable crash.
Successful exploitation of these vulnerabilities could result in either an attacker gaining the same privileges as the logged on user, or gaining session authentication credentials. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.
We recommend the following actions be taken:
- Upgrade vulnerable Mozilla products immediately after appropriate testing.
- Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
- Do not open email attachments or click on URLs from unknown or untrusted sources.
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
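To support the upgrade recommendation, the following added example (not part of the original advisory) checks a software inventory against the fixed versions listed above. The `host,product,version` inventory format, the host names, and the `esr` suffix used to mark Extended Support Release builds are assumptions of this example.

```python
import re

# Fixed versions from the advisory's affected-versions list.
# The channel labels "release" and "esr" are this example's own.
FIXED = {
    ("firefox", "release"): (20, 0),
    ("firefox", "esr"): (17, 0, 5),
    ("thunderbird", "release"): (17, 0, 5),
    ("thunderbird", "esr"): (17, 0, 5),
    ("seamonkey", "release"): (2, 17),
}

def parse_version(text):
    """Split '17.0.5esr' or '20.0b3' into (numbers, is_esr, is_prerelease)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(esr)?((?:a|b|rc)\d+)?", text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    return nums, bool(m.group(2)), bool(m.group(3))

def is_affected(product, version):
    """True if the version is prior to the fixed version for its channel."""
    nums, esr, prerelease = parse_version(version)
    fixed = FIXED[(product.strip().lower(), "esr" if esr else "release")]
    width = max(len(nums), len(fixed))
    nums += (0,) * (width - len(nums))      # pad so 2.17 compares as 2.17.0
    fixed += (0,) * (width - len(fixed))
    if nums != fixed:
        return nums < fixed                 # numeric compare: 2.9.1 < 2.17
    return prerelease                       # conservative: a beta precedes the release

def hosts_needing_upgrade(inventory):
    """Return (host, product, version) for every affected inventory line."""
    flagged = []
    for line in inventory.strip().splitlines():
        host, product, version = (field.strip() for field in line.split(","))
        if is_affected(product, version):
            flagged.append((host, product, version))
    return flagged

# Constructed sample inventory (hypothetical hosts).
SAMPLE_INVENTORY = """
ws-014,Firefox,19.0.2
ws-015,Firefox,20.0
ws-022,Firefox,17.0.5esr
ws-023,Firefox,17.0.5
ws-031,Thunderbird,17.0.4
ws-040,SeaMonkey,2.17
ws-041,SeaMonkey,2.9.1
"""

if __name__ == "__main__":
    for row in hosts_needing_upgrade(SAMPLE_INVENTORY):
        print(*row)
```

A non-ESR Firefox 17.0.5 is flagged because the release channel is only fixed at 20.0, while the ESR build with the same number is not.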
Acting Chief Information Security Officer