| PROBLEM: | Mozilla has released a new version of Firefox, a popular web browser, and it addresses several security vulnerabilities. |
| PLATFORM: | Firefox versions prior to 1.0.5; Red Hat Desktop (v.3, 4); Red Hat Enterprise AS, ES, WS (v.2.1, 3, 4); Debian GNU/Linux 3.1 (sarge) |
| DAMAGE: | The vulnerabilities may allow an attacker to elevate privileges, conduct cross-site scripting attacks, or execute arbitrary code on a victim’s machine. |
| SOLUTION: | Apply the security updates. Visit Mozilla's download site: http://www.mozilla.org/products/firefox/releases/1.0.5.html |
| VULNERABILITY ASSESSMENT: | The risk is MEDIUM. If exploited, an attacker may execute arbitrary code on a victim’s machine with the privileges of the logged-in user. |
REVISION HISTORY:
07/22/2005 - revised to add a link to Red Hat RHSA-2005:586-11 for Red Hat
Desktop (v. 4), Red Hat Enterprise Linux AS, ES, WS (v. 4), and to
add CVE/CAN numbers.
07/22/2005 - revised to add a link to Red Hat RHSA-2005:601-07 for Red Hat
Desktop (v. 4), Red Hat Enterprise Linux AS, ES, WS (v. 4) and
RHSA-2005:587-11 for Red Hat Desktop (v. 3), Red Hat Enterprise AS,
ES, WS (v.2.1, 3, 4), and Red Hat Linux Advanced Workstation 2.1
for the Itanium Processor.
08/15/2005 - revised to add a link to Red Hat RHSA-2005:587-11 for Red Hat
Desktop (v. 3), Red Hat Enterprise Linux AS, ES, WS (v. 2.1 & 3), and Red Hat
Linux Advanced Workstation 2.1 for the Itanium Processor. Also a link is
added to Debian Security Advisory DSA-771, providing updated packages for Debian
GNU/Linux 3.1 (sarge).
08/17/2005 - added a link to Debian Security Advisory DSA-777, providing updated packages for
Debian GNU/Linux 3.1 (sarge).
08/22/2005 - added a link to Debian Security Advisory DSA-779, providing updated packages for
Debian GNU/Linux 3.1 (sarge).
08/24/2005 - added a link to Debian Security Advisory DSA-781, providing updated packages for
Debian GNU/Linux 3.1 (sarge).
09/13/2005 - added a link to Debian Security Advisory DSA-810, providing updated packages for
Debian GNU/Linux 3.1 (sarge).
[***** Start Security Vulnerabilities Fixed in Firefox 1.0.5 *****]
Mozilla Foundation Security Advisory 2005-45
Title: Content-generated event vulnerabilities
Severity: High
Reporter: Omar Khan, Jochen, shutdown, Matthew Mastracci
Products: Firefox, Mozilla Suite
Fixed in: Firefox 1.0.5
Mozilla Suite 1.7.9
Description
In several places the browser UI did not correctly distinguish between true
user events, such as mouse clicks or keystrokes, and synthetic events
generated by web content. The problems ranged from minor annoyances like
switching tabs or entering full-screen mode, to a variant on MFSA 2005-34.
Synthetic events are now prevented from reaching the browser UI entirely
rather than depending on each potentially spoofed function to protect
itself from untrusted events.
Workaround
References
https://bugzilla.mozilla.org/show_bug.cgi?id=289940
Mozilla Foundation Security Advisory 2005-46
Title: XBL scripts ran even when Javascript disabled
Severity: Low
Reporter: moz_bug_r_a4
Products: Firefox, Thunderbird, Mozilla Suite
Fixed in: Firefox 1.0.5
Thunderbird 1.0.5
Mozilla Suite 1.7.9
Description
Scripts in XBL controls from web content continued to be run even when
Javascript was disabled. By itself this causes no harm, but it could be
combined with most script-based exploits to attack people running
vulnerable versions who thought disabling javascript would protect them.
In the Thunderbird and Mozilla Suite mail clients Javascript is disabled by
default for protection against denial-of-service attacks and worms; this
vulnerability could be used to bypass that protection.
Workaround
Upgrade to a fixed version
References
https://bugzilla.mozilla.org/show_bug.cgi?id=292591
https://bugzilla.mozilla.org/show_bug.cgi?id=292589
Mozilla Foundation Security Advisory 2005-47
Title: Code execution via "Set as Wallpaper"
Severity: High
Reporter: Michael Krax
Products: Firefox 1.0.3
Fixed in: Firefox 1.0.5
Description
If an attacker can convince a victim to use the "Set As Wallpaper" context
menu item on a specially crafted image then they can run arbitrary code on the
user's computer. The image "source" must be a javascript: url containing an
eval() statement, and such an image would get the "broken image" icon, but with
CSS it could be made transparent and placed on top of a real image.
The attacker would have to convince the user to change their desktop background
to the exploit image, and to do so by using the Firefox context menu rather than
first saving the image locally and using the normal mechanism provided by their
operating system.
This affects only Firefox 1.0.3 and 1.0.4; earlier versions are unaffected.
The implementation of this feature in the Mozilla Suite is also unaffected.
Workaround
To use an image as your desktop background save it as a file first and then
use the operating system's features to make the image your desktop wallpaper.
References
http://www.mikx.de/firewalling/
https://bugzilla.mozilla.org/show_bug.cgi?id=292737
Mozilla Foundation Security Advisory 2005-48
Title: Same-origin violation with InstallTrigger callback
Severity: Low (High for Mozilla Suite)
Reporter: Matthew Mastracci
Products: Firefox, Mozilla Suite
Fixed in: Firefox 1.0.5
Mozilla Suite 1.7.9
Description
The InstallTrigger.install() method for launching an install accepts a
callback function that will be called with the final success or error status.
By forcing a page navigation immediately after calling the install method
this callback function can end up running in the context of the new page
selected by the attacker. This is true even if the user cancels the unwanted
install dialog: cancel is an error status. This callback script can steal
data from the new page such as cookies or passwords, or perform actions on
the user's behalf such as make a purchase if the user is already logged
into the target site.
In Firefox the default settings allow only http://addons.mozilla.org to
bring up this install dialog. This could only be exploited if users have
added questionable sites to the install whitelist; and if a malicious site
can convince you to install software from it, that is already a much more
powerful attack vector than this bug.
In the Mozilla Suite the whitelist feature is turned off by default, so any site
can prompt the user to install software and exploit this vulnerability.
The browser has been fixed to clear any pending callback function when switching
to a new site.
Workaround
Firefox: Remove untrustworthy sites from the list of those allowed to install,
or turn off software installation entirely.
- Open the Options dialog from the Tools menu
- Select the Web Features icon in the left panel
- Uncheck the "Allow web sites to install software" box, or click the
"allowed sites" button on that line to remove untrusted sites.
Mozilla Suite: Turn off the software installation feature.
- Open the Preferences dialog from the Edit menu
- Select "Software Installation" in the "Advanced" group in
the left panel.
- Uncheck the "Enable software installation" checkbox.
References
https://bugzilla.mozilla.org/show_bug.cgi?id=293331
Mozilla Foundation Security Advisory 2005-49
Title: Script injection from Firefox sidebar panel using data:
Severity: High
Reporter: Kohei Yoshino
Products: Firefox
Fixed in: Firefox 1.0.5
Description
Sites can use the _search target to open links in the Firefox sidebar. A
missing security check allows the sidebar to inject data: urls containing
scripts into any page open in the browser. This could be used to steal
cookies, passwords or other sensitive data.
Workaround
References
https://bugzilla.mozilla.org/show_bug.cgi?id=294074
Mozilla Foundation Security Advisory 2005-50
Title: Possibly exploitable crash in InstallVersion.compareTo
Severity: Moderate
Reporter: shutdown
Products: Firefox, Mozilla Suite
Fixed in: Firefox 1.0.5
Mozilla Suite 1.7.9
Description
When passed an object rather than a string, InstallVersion.compareTo()
assumed the object was another InstallVersion without verifying it.
When passed a different kind of object the browser would generally
crash with an access violation.
shutdown has demonstrated that different javascript objects can be
passed on some OS versions to get control over the instruction pointer.
We assume this could be developed further to run arbitrary machine code
if the attacker can get exploit code loaded at a predictable address.
Workaround
References
https://bugzilla.mozilla.org/show_bug.cgi?id=295854
Mozilla Foundation Security Advisory 2005-51
Title: The return of frame-injection spoofing
Severity: Moderate
Reporter: Secunia.com
Products: Firefox 1.0.3, Mozilla Suite 1.7.7
Fixed in: Firefox 1.0.5
Mozilla Suite 1.7.9
Description
The original frame-injection spoofing bug was fixed in the Mozilla Suite 1.7
and Firefox 0.9 releases. This protection was accidentally bypassed by one
of the fixes in the Firefox 1.0.3 and Mozilla Suite 1.7.7 releases.
Workaround
References
http://secunia.com/advisories/15601/
https://bugzilla.mozilla.org/show_bug.cgi?id=296850
Mozilla Foundation Security Advisory 2005-52
Title: Same origin violation: frame calling top.focus()
Severity: Moderate
Reporter: Andreas Sandblad (Secunia)
Products: Firefox, Mozilla Suite
Fixed in: Firefox 1.0.5
Mozilla Suite 1.7.9
Description
A child frame can call top.focus() even if the framing page comes from a different
origin and has overridden the focus() routine. The call is made in the context
of the child frame. The attacker would look for a target site with a framed
page that makes this call but doesn't verify that its parent comes from the same
site. The attacker could steal cookies and passwords from the framed page, or
take actions on behalf of a signed-in user. This attack would work only against
sites that use frames in this manner.
Workaround
Upgrade to a version containing the fix. As a website author verify that a parent
frame is from the expected site before calling methods on it.
References
http://secunia.com/advisories/15549/
https://bugzilla.mozilla.org/show_bug.cgi?id=296830
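The website-author workaround for MFSA 2005-52 above, as an added example that is not part of the advisory: a framed page verifies that the top-level window has the expected origin before calling top.focus(). The window-like objects, the expected host "bank.example" and the helper names are constructed for this example; in a real page `top` would be passed in place of `topWin`.

```javascript
// Added example (not from the advisory): a framed page's check before calling
// methods on its parent. `topWin` stands in for the browser's `top` object.

// True only when the top-level window provably has the expected origin.
// Reading the location of a cross-origin window throws; that throw is
// treated as "not trusted" rather than as a reason to proceed.
function parentHasExpectedOrigin(topWin, expectedProtocol, expectedHost) {
  try {
    var loc = topWin.location;
    return loc.protocol === expectedProtocol && loc.host === expectedHost;
  } catch (e) {
    return false; // cross-origin parent: location is not readable
  }
}

// The call the advisory describes, guarded: top.focus() is only invoked when
// the parent is from the expected site. Returns true if the call was made.
function focusTopIfTrusted(topWin, expectedProtocol, expectedHost) {
  if (!parentHasExpectedOrigin(topWin, expectedProtocol, expectedHost)) {
    return false;
  }
  topWin.focus();
  return true;
}

// Constructed stand-ins for `top` (there is no DOM here): a same-site
// parent, a parent on another site, and a cross-origin parent whose
// location throws on access, as a real browser's would.
function makeTop(protocol, host) {
  return {
    focused: false,
    location: { protocol: protocol, host: host },
    focus: function () { this.focused = true; }
  };
}
function makeCrossOriginTop() {
  return {
    focused: false,
    get location() { throw new Error("SecurityError: cross-origin access"); },
    focus: function () { this.focused = true; }
  };
}

var sameSiteTop = makeTop("https:", "bank.example");
var otherSiteTop = makeTop("https:", "attacker.example");
var crossOriginTop = makeCrossOriginTop();
```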
Mozilla Foundation Security Advisory 2005-53
Title: Standalone applications can run arbitrary code through the browser
Severity: Critical
Reporter: Michael Krax
Products: Firefox
Fixed in: Firefox 1.0.5
Description
Several media players, for example Flash and QuickTime, support scripted content
with the ability to open URLs in the default browser. The default behavior for
Firefox was to replace the currently open browser window's
content with the externally opened content. If the external URL was a javascript:
url it would run as if it came from the site that served the previous content, which
could be used to steal sensitive information such as login cookies or passwords.
If the media player content first caused a privileged chrome: url to load then
the subsequent javascript: url could execute arbitrary code.
External javascript: urls will now run in a blank context regardless of the
content they replace, and external apps will no longer be able to load
privileged chrome: urls in a browser window. The -chrome command line option
to load chrome applications is still supported.
Workaround
Set the browser to open external links in a new tab or new window.
- Open the Options dialog from the Tools menu
- Select the Advanced icon in the left panel
- Open the "Tabbed Browsing" group
- Set "Open links from other applications in:" to either new tab or new window
References
Bug details embargoed until July 20, 2005
https://bugzilla.mozilla.org/show_bug.cgi?id=298255
Mozilla Foundation Security Advisory 2005-54
Title: Javascript prompt origin spoofing
Severity: Low
Reporter: Secunia.com
Products: Firefox, Mozilla Suite
Fixed in: Firefox 1.0.5
Mozilla Suite 1.7.9
Description
Alerts and prompts created by scripts in web pages are presented with the
generic title [JavaScript Application] which sometimes makes it difficult to know
which site created them. A malicious page could attempt to cause a prompt
to appear in front of a trusted site in an attempt to extract information
such as passwords from the user.
In the fixed version these prompts will contain the hostname from the
page which created it.
Workaround
Do not enter sensitive information into a "JavaScript Application" prompt;
they are almost never used for this purpose. If you must, first drag the
prompt around the desktop and make sure there is not a tiny window hiding
behind it.
References
https://secunia.com/advisories/15489/
https://bugzilla.mozilla.org/show_bug.cgi?id=298934
Mozilla Foundation Security Advisory 2005-55
Title: XHTML node spoofing
Severity: High
Reporter: moz_bug_r_a4
Products: Firefox, Mozilla Suite
Fixed in: Firefox 1.0.5
Mozilla Suite 1.7.9
Description
Parts of the browser UI relied too much on DOM node names without taking
different namespaces into account and verifying that nodes really were
of the expected type. An XHTML document could be used to create fake
<IMG> elements, for example, with content-defined properties that the
browser would access as if they were the trusted built-in properties of the
expected HTML elements.
The severity of the vulnerability would depend on what the attacker could
convince the victim to do, but could result in executing user-supplied
script with elevated "chrome" privileges. This could be used to install
malicious software on the victim's machine.
Workaround
References
https://bugzilla.mozilla.org/show_bug.cgi?id=298892
Mozilla Foundation Security Advisory 2005-56
Title: Code execution through shared function objects
Severity: Critical
Reporter: moz_bug_r_a4, shutdown
Products: Firefox, Mozilla Suite
Fixed in: Firefox 1.0.5
Mozilla Suite 1.7.9
Description
Improper cloning of base objects allowed web content scripts to
walk up the prototype chain to get to a privileged object.
This could be used to execute code with enhanced privileges.
Workaround
Upgrade to a version containing the fix.
References
Bug details embargoed until July 20, 2005
https://bugzilla.mozilla.org/show_bug.cgi?id=294795
https://bugzilla.mozilla.org/show_bug.cgi?id=294799
https://bugzilla.mozilla.org/show_bug.cgi?id=295011
https://bugzilla.mozilla.org/show_bug.cgi?id=296397
[***** End Security Vulnerabilities Fixed in Firefox 1.0.5 *****]
Voice: +1 866-941-2472 (7 x 24)
E-mail: doecirc@doecirc.energy.gov
World Wide Web: http://www.doecirc.energy.gov/