The following cyber advisory was issued by the New York State Office of Information Technology Services and is intended for State government entities. The information may or may not be applicable to the general public and, accordingly, the State does not warrant its use for any specific purposes.

ITS ADVISORY NUMBER:
2013-051

DATE(S) ISSUED:
5/15/2013

SUBJECT:
Multiple Vulnerabilities in Mozilla Products Could Allow Remote Code Execution

OVERVIEW:

Multiple vulnerabilities have been discovered in Mozilla Firefox and Thunderbird applications, which could allow for remote code execution, information leakage, escalation of privileges and cross-site scripting (XSS). Mozilla Firefox is a web browser used to access the Internet. Mozilla Thunderbird is an email client.

Successful exploitation of these vulnerabilities could result in either an attacker gaining the same privileges as the logged on user or gaining session authentication credentials. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.


SYSTEMS AFFECTED:

  • Firefox versions prior to 21.0
  • Firefox Extended Support Release (ESR) versions prior to 17.0.6
  • Thunderbird versions prior to 17.0.6
  • Thunderbird Extended Support Release (ESR) prior to 17.0.6
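An inventory check against the version thresholds listed above. This is an added example, not part of the original advisory. The "host,product,version[,channel]" row layout, the host names and the sample rows are assumptions made for illustration. It compares each install against the threshold for its own channel, because an ESR build at 17.0.6 is numerically lower than 21.0 but is not affected.

```python
import re
# Fixed versions from the advisory's SYSTEMS AFFECTED list, per product and channel.
FIXED = {
    ("firefox", "release"): (21, 0),
    ("firefox", "esr"): (17, 0, 6),
    ("thunderbird", "release"): (17, 0, 6),
    ("thunderbird", "esr"): (17, 0, 6),
}
_VERSION = re.compile(r"^(\d+(?:\.\d+)*)([ab]\d+)?(esr)?$", re.IGNORECASE)

def parse_version(text):
    """Return (numeric tuple, is_prerelease, has_esr_suffix); raise ValueError if unparseable."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split(".")), bool(m.group(2)), bool(m.group(3))

def is_affected(product, version, channel=""):
    """True if the install predates the fixed version for its own channel."""
    numbers, prerelease, esr_suffix = parse_version(version)
    channel = (channel or ("esr" if esr_suffix else "release")).lower()
    fixed = FIXED[(product.lower(), channel)]  # KeyError: product/channel not in advisory
    # Pad both tuples with zeros so 21.0 and 21.0.0 compare as equal.
    a, b = (t + (0,) * (4 - len(t)) for t in (numbers, fixed))
    return a < b or (a == b and prerelease)  # a beta such as 21.0b3 predates 21.0

def triage(inventory_csv):
    """Classify 'host,product,version[,channel]' rows as AFFECTED, ok or REVIEW."""
    results = []
    for line in inventory_csv.strip().splitlines():
        host, product, version, channel = ([f.strip() for f in line.split(",")] + [""] * 3)[:4]
        try:
            status = "AFFECTED" if is_affected(product, version, channel) else "ok"
        except (ValueError, KeyError):
            status = "REVIEW"  # unknown product/channel or unparseable version
        results.append((host, status))
    return results

# Constructed sample inventory; hostnames and rows are made up for illustration.
SAMPLE = """
ws-001,firefox,20.0.1
ws-002,firefox,21.0
ws-003,firefox,17.0.6esr
ws-004,firefox,17.0.5,esr
ws-005,thunderbird,17.0.5
ws-006,firefox,21.0b3
"""
if __name__ == "__main__":
    for host, status in triage(SAMPLE):
        print(f"{host}\t{status}")
```

Rows whose version string carries no "esr" suffix and no channel column are treated as the release channel, so an ESR install recorded as a bare "17.0.6" is reported as AFFECTED until its channel is confirmed.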

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: High

DESCRIPTION:
Multiple vulnerabilities have been discovered in Mozilla Firefox and Thunderbird. The details of these vulnerabilities are as follows:

  • Miscellaneous memory safety hazards (rv:21.0 / rv:17.0.6) (MFSA 2013-41)

    Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some bugs showed evidence of memory corruption under certain circumstances which could then potentially be used to run arbitrary code. (CVE-2013-0801) (CVE-2013-1669)

  • Privileged access for content level constructor (MFSA 2013-42)

    A vulnerability has been found in both Firefox and Thunderbird in which a content level constructor can be called so that it has chrome privileged access. This affects chrome object wrappers (COW) and allows write actions on objects when only read actions should be allowed. This can then lead to potential cross-site scripting (XSS) attacks. (CVE-2013-1670)

  • File input control has access to full path (MFSA 2013-43)

    A vulnerability has been found in Firefox in which the <input> control, when set to the 'file' type, can be exploited to obtain the full path. This can lead to information leakage and could be combined with other exploits to target attacks on the local file system. (CVE-2013-1671)

  • Local privilege escalation through Mozilla Maintenance Service (MFSA 2013-44)

    A vulnerability has been found that allows local privilege escalation by unprivileged users through the system privileges used by the Mozilla Maintenance Service on Windows. The service interacts with specially crafted local software, which allows the user to bypass integrity checks, leading to local privilege escalation. Local file system access is necessary for this issue to be exploitable, and it cannot be triggered through web content. (CVE-2013-1672)

  • Mozilla Updater fails to update some Windows Registry entries (MFSA 2013-45)

    In some instances the Mozilla Maintenance Service on Windows remains vulnerable to some previously fixed attacks that allowed for local privilege escalation. This was caused by the Mozilla Updater not updating the Windows Registry entries for the Mozilla Maintenance Service, an update that fixed the earlier issues present if Firefox 12 had been installed. New installations of Firefox after version 12 are not affected by this issue. Local file system access is necessary for this issue to be exploitable, and it cannot be triggered through web content. (CVE-2013-1673) (CVE-2012-1942)

  • Use-after-free with video and onresize event (MFSA 2013-46)

    A vulnerability has been reported that occurs when a video is resized while playing. This could cause a memory corruption flaw that could then be used for arbitrary code execution. (CVE-2013-1674)

  • Uninitialized functions in DOMSVGZoomEvent (MFSA 2013-47)

    A vulnerability has been discovered in which some DOMSVGZoomEvent functions are used without being properly initialized. This causes uninitialized memory to be used when they are called by web content. This could lead to information leakage to sites, depending on the contents of the uninitialized memory. (CVE-2013-1675)

  • Memory corruption found using Address Sanitizer (MFSA 2013-48)

    The Address Sanitizer tool was used to discover a series of use-after-free, out of bounds read, and invalid write problems, rated as moderate to critical security issues, in shipped software. Some of these issues are potentially exploitable, allowing for remote code execution. These were fixed before general release. (CVE-2013-1676, 1677, 1678, 1679, 1680, 1681)

Successful exploitation of these vulnerabilities could result in either an attacker gaining the same privileges as the logged on user or gaining session authentication credentials. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Upgrade vulnerable Mozilla products immediately after appropriate testing.
  • Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to open email attachments from unknown users or suspicious emails from trusted sources.

REFERENCES:
Mozilla:
http://www.mozilla.org/security/announce/2013/mfsa2013-41.html
http://www.mozilla.org/security/announce/2013/mfsa2013-42.html
http://www.mozilla.org/security/announce/2013/mfsa2013-43.html
http://www.mozilla.org/security/announce/2013/mfsa2013-44.html
http://www.mozilla.org/security/announce/2013/mfsa2013-45.html
http://www.mozilla.org/security/announce/2013/mfsa2013-46.html
http://www.mozilla.org/security/announce/2013/mfsa2013-47.html
http://www.mozilla.org/security/announce/2013/mfsa2013-48.html

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1942
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0801
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1669
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1670
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1671
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1672
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1673
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1674
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1675
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1676
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1677
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1678
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1679
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1680
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1681

Deborah A. Snyder

Acting Chief Information Security Officer


 
