The following cyber advisory was issued by the New York State Office of Information Technology Services and is intended for State government entities. The information may or may not be applicable to the general public and, accordingly, the State does not warrant its use for any specific purposes.

ITS ADVISORY NUMBER:
2014-007

DATE(S) ISSUED:
2/4/2014

SUBJECT:
Multiple Vulnerabilities in Mozilla Products Could Allow Remote Code Execution

OVERVIEW:

Multiple vulnerabilities have been discovered in Mozilla Firefox, Thunderbird, and SeaMonkey applications, which could allow remote code execution. Mozilla Firefox is a web browser used to access the Internet. Mozilla Thunderbird is an email client. Mozilla SeaMonkey is a cross platform Internet suite of tools ranging from a web browser to an email client.  Successful exploitation could result in the attacker gaining the same user rights as the current user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

SYSTEMS AFFECTED:

  • Firefox versions prior to 27.0
  • Firefox Extended Support Release (ESR) versions prior to 24.3
  • Thunderbird versions prior to 24.3
  • SeaMonkey versions prior to 2.24

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: High

DESCRIPTION:
Multiple vulnerabilities have been reported for various Mozilla products. Details of the vulnerabilities are as follows:

  • Several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances., [MFSA 2014-01] [CVE-2014-1477] [CVE-2014-1478]
  • A method to bypass System Only Wrappers (SOW) by using XML Binding Language (XBL) content scopes to clone protected XUL elements. [MFSA 2014-02] [CVE-2014-1479]
  • Reported that the dialog for saving downloaded files did not implement a security timeout before button selections were processed. [MFSA 2014-03] [CVE-2014-1480]
  • Reported issue with image decoding in RasterImage caused by continued use of discarded images. [MFSA 2014-04] [CVE-2014-1482]
  • Reported an information leak where document.caretPositionFromPoint and document.elementFromPoint functions could be used on a cross-origin iframe to gain information on the iframe's DOM and other attributes through a timing attack, violating same-origin policy. [MFSA 2014-05] [CVE-2014-1483]
  • Profile path leaks to Android system [MFSA 2014-06] [CVE-2014-1484]
  • Content Security Policy (CSP) is not in compliance with the specification. [MFSA 2014-07] [CVE-2014-1485]
  • Reported a use-after-free during image processing from sites with specific content types. [MFSA 2014-08] [CVE-2014-1486]
  • Reported a cross-origin information leak through web workers' error messages. [MFSA 2014-09] [CVE-2014-1487]
  • Reported flaw that once users have viewed the default Firefox start page (about:home), subsequent pages they navigate to in that same tab could use script to activate the buttons that were on the about:home page. [MFSA 2014-10] [CVE-2014-1489]
  • Reported a crash when terminating a web worker running asm.js code after passing an object between threads. This crash is potentially exploitable. [MFSA 2014-11] [CVE-2014-1488]
  • Reported issues with ticket handling in the Network Security Services (NSS) libraries [MFSA 2014-12] [CVE-2014-1490] [CVE-2014-1491]
  • Inconsistency with the different JavaScript engines in how JavaScript native getters on window objects are handled by these engines. [MFSA 2014-13] [CVE-2014-1481]

Successful exploitation of these vulnerabilities could result in either an attacker gaining the same privileges as the logged on user, or gaining session authentication credentials. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. 

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Upgrade vulnerable Mozilla products immediately after appropriate testing.
  • Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
  • Remind users not to open email attachments from unknown users or suspicious emails from trusted sources.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. 

REFERENCES:
Mozilla:
http://www.mozilla.org/security/announce/2014/mfsa2014-01.html
http://www.mozilla.org/security/announce/2014/mfsa2014-02.html
http://www.mozilla.org/security/announce/2014/mfsa2014-03.html
http://www.mozilla.org/security/announce/2014/mfsa2014-04.html
http://www.mozilla.org/security/announce/2014/mfsa2014-05.html
http://www.mozilla.org/security/announce/2014/mfsa2014-06.html
http://www.mozilla.org/security/announce/2014/mfsa2014-07.html
http://www.mozilla.org/security/announce/2014/mfsa2014-08.html
http://www.mozilla.org/security/announce/2014/mfsa2014-09.html
http://www.mozilla.org/security/announce/2014/mfsa2014-10.html
http://www.mozilla.org/security/announce/2014/mfsa2014-11.html
http://www.mozilla.org/security/announce/2014/mfsa2014-12.html
http://www.mozilla.org/security/announce/2014/mfsa2014-13.html

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1477
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1478
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1479
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1480
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1481
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1482
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1483
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1484
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1485
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1486
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1487
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1488
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1489
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1490
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1491

SecurityFocus:
http://www.securityfocus.com/bid/65316
http://www.securityfocus.com/bid/65317
http://www.securityfocus.com/bid/65320
http://www.securityfocus.com/bid/65321
http://www.securityfocus.com/bid/65322
http://www.securityfocus.com/bid/65323
http://www.securityfocus.com/bid/65324
http://www.securityfocus.com/bid/65326
http://www.securityfocus.com/bid/65328
http://www.securityfocus.com/bid/65329
http://www.securityfocus.com/bid/65330
http://www.securityfocus.com/bid/65331
http://www.securityfocus.com/bid/65332
http://www.securityfocus.com/bid/65334
http://www.securityfocus.com/bid/65335

Deborah A. Snyder

Acting Chief Information Security Officer


 

Cyber Security

GIS