VERIFY ADVISORY: Secunia.com: http://secunia.com/advisories/42517/
RELEASE DATE: 2010-12-11
CRITICALITY: Highly Critical
DESCRIPTION: A weakness and some vulnerabilities have been reported in Mozilla Firefox, which can be exploited by malicious people to conduct cross-site scripting and spoofing attacks, bypass certain security restrictions, and compromise a user's system. The weakness and the vulnerabilities are reported in versions prior to 3.6.13 and 3.5.16.
1) Multiple errors in the browser engine can be exploited to corrupt memory and potentially execute arbitrary code.
2) An error when handling line breaks in overly long strings passed to "document.write()" can be exploited to read data from out-of-bounds memory location and potentially execute arbitrary code.
3) An error when opening a new window using "window.open()" can be exploited to execute arbitrary JavaScript code with chrome privileges via the "
4) An error in the handling of "
" elements nested within "" elements in a XUL tree element can be exploited to corrupt memory and potentially execute arbitrary code.
5) An error in the Java LiveConnect script when loaded via a "data:" URL can be exploited to e.g. read arbitrary files, launch arbitrary processes, and establish arbitrary network connections.
6) A use-after-free error in the "NodeIterator API" when handling a "nsDOMAttribute" node can be exploited to corrupt memory and execute arbitrary code.
7) An integer overflow when creating arrays can be exploited to corrupt memory and potentially execute arbitrary code.
8) An error related to the XMLHttpRequestSpy object can be exploited to execute arbitrary JavaScript code. This is due to an incomplete fix for vulnerability #9 in: SA37242
9) An error exists in the handling of documents with no inherent origin associated. This can be exploited to bypass the same-origin policy and spoof the URL of a trusted site by tricking users into opening site which result in e.g. about:config or about:neterror pages.
10) An error exists in the rendering engine when handling certain Mac charset encodings. This can be exploited to potentially execute arbitrary JavaScript code in the context of the destination website.
SOLUTION: Update to version 3.6.13 or 3.5.16.
PROVIDED AND/OR DISCOVERED BY:
6, 7) regenrecht, reported via ZDI
9) Michal Zalewski
The vendor credits:
1) Jesee Ruderman, Andreas Gal, Nils, Brian Hackett, Igor Bukanov.
2) Dirk Heinrich
3) echo
4) wushi, team509
5) Gregory Fleischer
8) moz_bug_r_a4
10) Yosuke Hasegawa and Masatoshi Kimura
ORIGINAL ADVISORY:
http://www.mozilla.org/security/announce/2010/mfsa2010-74.html
http://www.mozilla.org/security/announce/2010/mfsa2010-75.html
http://www.mozilla.org/security/announce/2010/mfsa2010-76.html
http://www.mozilla.org/security/announce/2010/mfsa2010-77.html
http://www.mozilla.org/security/announce/2010/mfsa2010-78.html
http://www.mozilla.org/security/announce/2010/mfsa2010-79.html
http://www.mozilla.org/security/announce/2010/mfsa2010-80.html
http://www.mozilla.org/security/announce/2010/mfsa2010-81.html
http://www.mozilla.org/security/announce/2010/mfsa2010-82.html
http://www.mozilla.org/security/announce/2010/mfsa2010-83.html
http://www.mozilla.org/security/announce/2010/mfsa2010-84.html
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-264/
http://www.zerodayinitiative.com/advisories/ZDI-10-265/
Michal Zalewski: http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0144.html
5) An error in the Java LiveConnect script when loaded via a "data:" URL can be exploited to e.g. read arbitrary files, launch arbitrary processes, and establish arbitrary network connections.
6) A use-after-free error in the "NodeIterator API" when handling a "nsDOMAttribute" node can be exploited to corrupt memory and execute arbitrary code.
7) An integer overflow when creating arrays can be exploited to corrupt memory and potentially execute arbitrary code.
8) An error related to the XMLHttpRequestSpy object can be exploited to execute arbitrary JavaScript code. This is due to an incomplete fix for vulnerability #9 in: SA37242
9) An error exists in the handling of documents with no inherent origin associated. This can be exploited to bypass the same-origin policy and spoof the URL of a trusted site by tricking users into opening site which result in e.g. about:config or about:neterror pages.
10) An error exists in the rendering engine when handling certain Mac charset encodings. This can be exploited to potentially execute arbitrary JavaScript code in the context of the destination website.
SOLUTION: Update to version 3.6.13 or 3.5.16.
PROVIDED AND/OR DISCOVERED BY:
6, 7) regenrecht, reported via ZDI
9) Michal Zalewski
The vendor credits:
1) Jesee Ruderman, Andreas Gal, Nils, Brian Hackett, Igor Bukanov.
2) Dirk Heinrich
3) echo
4) wushi, team509
5) Gregory Fleischer
8) moz_bug_r_a4
10) Yosuke Hasegawa and Masatoshi Kimura
ORIGINAL ADVISORY:
http://www.mozilla.org/security/announce/2010/mfsa2010-74.html
http://www.mozilla.org/security/announce/2010/mfsa2010-75.html
http://www.mozilla.org/security/announce/2010/mfsa2010-76.html
http://www.mozilla.org/security/announce/2010/mfsa2010-77.html
http://www.mozilla.org/security/announce/2010/mfsa2010-78.html
http://www.mozilla.org/security/announce/2010/mfsa2010-79.html
http://www.mozilla.org/security/announce/2010/mfsa2010-80.html
http://www.mozilla.org/security/announce/2010/mfsa2010-81.html
http://www.mozilla.org/security/announce/2010/mfsa2010-82.html
http://www.mozilla.org/security/announce/2010/mfsa2010-83.html
http://www.mozilla.org/security/announce/2010/mfsa2010-84.html
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-264/
http://www.zerodayinitiative.com/advisories/ZDI-10-265/
Michal Zalewski: http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0144.html