__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN Firefox Security Updates [Security Vulnerabilities Fixed in Firefox 1.0.5] July 13, 2005 18:00 GMT Number P-252 [REVISED 22 Jul 2005] [REVISED 15 Aug 2005] [REVISED 17 Aug 2005] [REVISED 22 Aug 2005] [REVISED 24 Aug 2005] [REVISED 13 Sep 2005] ______________________________________________________________________________ PROBLEM: Mozilla has released a new version of Firefox, a popular web browser, and it addresses several security vulnerabilities. PLATFORM: Firefox versions prior to 1.0.5 Red Hat Desktop (v. 3, 4) Red Hat Enterprise AS, ES, WS (v.2.1, 3, 4) Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor Debian GNU/Linux 3.1 (sarge) DAMAGE: The vulnerabilities may allow an attacker to elevate privileges, conduct cross-site scripting attacks, or execute arbitrary code on a victim’s machine. SOLUTION: Apply the security updates. Visit Mozilla's download site: http://www.mozilla.org/products/firefox/releases/1.0.5.html ______________________________________________________________________________ VULNERABILITY The risk is MEDIUM. If exploited, an attacker may execute ASSESSMENT: arbitary code on a victim’s machine with the privileges of the logged-in user. ______________________________________________________________________________ LINKS: CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/p-252.shtml ORIGINAL BULLETINS: http://www.mozilla.org/security/announce/mfsa2005-45.html http://www.mozilla.org/security/announce/mfsa2005-46.html http://www.mozilla.org/security/announce/mfsa2005-47.html http://www.mozilla.org/security/announce/mfsa2005-48.html http://www.mozilla.org/security/announce/mfsa2005-49.html http://www.mozilla.org/security/announce/mfsa2005-50.html http://www.mozilla.org/security/announce/mfsa2005-53.html http://www.mozilla.org/security/announce/mfsa2005-55.html http://www.mozilla.org/security/announce/mfsa2005-56.html ADDITIONAL LINKS: Secunia Advisory 16043 http://secunia.com/advisories/16043/ Red Hat RHSA-2005:586-11 https://rhn.redhat.com/errate/RHSA-2005-586.html Red Hat RHSA-2005:601-07 https://rhn.redhat.com/errate/RHSA-2005-601.html Red Hat RHSA-2005:587-11 SGI Advanced Linux Environment 3 Security Update #45 ftp://patches.sgi.com/support/free/security/advisories/20050802-01-U.asc Debian Security Advisory http://www.debian.org/security/2005/dsa-775 Debian Security Advisory http://www.debian.org/security/2005/dsa-777 Debian Security Advisory http://www.debian.org/security/2005/dsa-779 Debian Security Advisory http://www.debian.org/security/2005/dsa-781 Debian Security Advisory http://www.debian.org/security/2005/dsa-810 CVE/CAN: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name= CAN-2005-1937, CAN-2005-2260, CAN-2005-2261, CAN-2005-2262, CAN-2005-2263, CAN-2005-2264, CAN-2005-2265, CAN-2005-2266, CAN-2005-2267, CAN-2005-2268, CAN-2005-2269, CAN-2005-2270 ______________________________________________________________________________ REVISION HISTORY: 07/22/2005 - revised to add a link to Red Hat RHSA-2005:586-11 for Red Hat Desktop (v. 4), Red Hat Enterprise Linux AS, ES, WS (v. 4), and to add CVE's/CAN numbers. 07/22/2005 - revised to add a link to Red Hat RHSA-2005:601-07 for Red Hat Desktop (v. 4), Red Hat Enterprise Linux AS, ES, WS (v. 4) and RHSA-2005:587-11 for Red Hat Desktop (v. 3), Red Hat Enterprise AS, ES, WS (v.2.1, 3, 4), and Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor. 08/15/2005 - revised to add a link to Red Hat RHSA-2005:587-11 for Red Hat Desktop (v. 3), Red Hat Enterprise Linux AS, ES, WS (v. 2.1 & 3), and Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor. Also a link is added to Debian Security Advisory DSA-771, providing updated packages for Debian GNU/Linux 3.1 (sarge). 08/17/2005 - added a link to Debian Security Advisory DSA-777, providing updated packages for Debian GNU/Linux 3.1 (sarge). 08/22/2005 - added a link to Debian Security Advisory DSA-779, providing updated packages for Debian GNU/Linux 3.1 (sarge). 08/24/2005 - added a link to Debian Security Advisory DSA-781, providing updated packages for Debian GNU/Linux 3.1 (sarge). 09/13/2005 - added a link to Debian Security Advisory DSA-810, providing updated packages for Debian GNU/Linux 3.1 (sarge). [***** Start Security Vulnerabilities Fixed in Firefox 1.0.5 *****] Mozilla Foundation Security Advisory 2005-56 Title: Code execution through shared function objects Severity: Critical Reporter: moz_bug_r_a4, shutdown Products: Firefox, Mozilla Suite Fixed in: Firefox 1.0.5 Mozilla Suite 1.7.9 Description Improper cloning of base objects allowed web content scripts to walk up the prototype chain to get to a privileged object. This could be used to execute code with enhanced privileges. Workaround Upgrade to a version containing the fix. References Bug details embargoed until July 20, 2005 https://bugzilla.mozilla.org/show_bug.cgi?id=294795 https://bugzilla.mozilla.org/show_bug.cgi?id=294799 https://bugzilla.mozilla.org/show_bug.cgi?id=295011 https://bugzilla.mozilla.org/show_bug.cgi?id=296397 Mozilla Foundation Security Advisory 2005-55 Title: XHTML node spoofing Severity: High Reporter: moz_bug_r_a4 Products: Firefox, Mozilla Suite Fixed in: Firefox 1.0.5 Mozilla Suite 1.7.9 Description Parts of the browser UI relied too much on DOM node names without taking different namespaces into account and verifying that nodes really were of the expected type. An XHTML document could be used to create fake elements, for example, with content-defined properties that the browser would access as if they were the trusted built-in properties of the expected HTML elements. The severity of the vulnerability would depend on what the attacker could convince the victim to do, but could result in executing user-supplied script with elevated "chrome" privileges. This could be used to install malicious software on the victim's machine. Workaround References https://bugzilla.mozilla.org/show_bug.cgi?id=298892 Mozilla Foundation Security Advisory 2005-54 Title: Javascript prompt origin spoofing Severity: Low Reporter: Secunia.com Products: Firefox, Mozilla Suite Fixed in: Firefox 1.0.5 Mozilla Suite 1.7.9 Description Alerts and prompts created by scripts in web pages are presented with the generic title [JavaScript Application] which sometimes makes it difficult to know which site created them. A malicious page could attempt to cause a prompt to appear in front of a trusted site in an attempt to extract information such as passwords from the user. In the fixed version these prompts will contain the hostname from the page which created it. Workaround Do not enter sensitive information into a "JavaScript Application" prompt, they are almost never used for this purpose. If you must, first drag the prompt on the desktop and make sure there is not a tiny window hiding behind it. References https://secunia.com/advisories/15489/ https://bugzilla.mozilla.org/show_bug.cgi?id=298934 Mozilla Foundation Security Advisory 2005-53 Title: Standalone applications can run arbitrary code through the browser Severity: Critical Reporter: Michael Krax Products: Firefox Fixed in: Firefox 1.0.5 Description Several media players, for example Flash and QuickTime, support scripted content with the ability to open URLs in the default browser. The default behavior for Firefox was to replace the currently open browser window's content with the externally opened content. If the external URL was a javascript: url it would run as if it came from the site that served the previous content, which could be used to steal sensitive information such as login cookies or passwords. If the media player content first caused a privileged chrome: url to load then the subsequent javascript: url could execute arbitrary code. External javascript: urls will now run in a blank context regardless of what content it's replacing, and external apps will no longer be able to load privileged chrome: urls in a browser window. The -chrome command line option to load chrome applications is still supported. Workaround Set the browser to open external links in a new tab or new window. 1. Open the Options dialog from the Tools menu 2. Select the Advanced icon in the left panel 3. Open the "Tabbed Browsing" group 4. Set "Open links from other applications in:" to either new tab or new window References Bug details embargoed until July 20, 2005 https://bugzilla.mozilla.org/show_bug.cgi?id=298255 Mozilla Foundation Security Advisory 2005-52 Title: Same origin violation: frame calling top.focus() Severity: Moderate Reporter: Andreas Sandblad (Secunia) Products: Firefox, Mozilla Suite Fixed in: Firefox 1.0.5 Mozilla Suite 1.7.9 Description A child frame can call top.focus() even if the framing page comes from a different origin and has overridden the focus() routine. The call is made in the context of the child frame. The attacker would look for a target site with a framed page that makes this call but doesn't verify that its parent comes from the same site. The attacker could steal cookies and passwords from the framed page, or take actions on behalf of a signed-in user. This attack would work only against sites that use frames in this manner. Workaround Upgrade to a version containing the fix. As a website author verify that a parent frame is from the expected site before calling methods on it. References http://secunia.com/advisories/15549/ https://bugzilla.mozilla.org/show_bug.cgi?id=296830 Mozilla Foundation Security Advisory 2005-51 Title: The return of frame-injection spoofing Severity: Moderate Reporter: Secunia.com Products: Firefox 1.0.3, Mozilla Suite 1.7.7 Fixed in: Firefox 1.0.5 Mozilla Suite 1.7.9 Description The original frame-injection spoofing bug was fixed in the Mozilla Suite 1.7 and Firefox 0.9 releases. This protection was accidentally bypassed by one of the fixes in the Firefox 1.0.3 and Mozilla Suite 1.7.7 releases. Workaround References http://secunia.com/advisories/15601/ https://bugzilla.mozilla.org/show_bug.cgi?id=296850 Mozilla Foundation Security Advisory 2005-50 Title: Possibly exploitable crash in InstallVersion.compareTo Severity: Moderate Reporter: shutdown Products: Firefox, Mozilla Suite Fixed in: Firefox 1.0.5 Mozilla Suite 1.7.9 Description When InstallVersion.compareTo() is passed an object rather than a string it assumed the object was another InstallVersion without verifying it. When passed a different kind of object the browser would generally crash with an access violation. shutdown has demonstrated that different javascript objects can be passed on some OS versions to get control over the instruction pointer. We assume this could be developed further to run arbitrary machine code if the attacker can get exploit code loaded at a predictable address. Workaround References https://bugzilla.mozilla.org/show_bug.cgi?id=295854 Mozilla Foundation Security Advisory 2005-49 Title: Script injection from Firefox sidebar panel using data: Severity: High Reporter: Kohei Yoshino Products: Firefox Fixed in: Firefox 1.0.5 Description Sites can use the _search target to open links in the Firefox sidebar. A missing security check allows the sidebar to inject data: urls containing scripts into any page open in the browser. This could be used to steal cookies, passwords or other sensitive data. Workaround References https://bugzilla.mozilla.org/show_bug.cgi?id=294074 Mozilla Foundation Security Advisory 2005-48 Title: Same-origin violation with InstallTrigger callback Severity: Low (High for Mozilla Suite) Reporter: Matthew Mastracci Products: Firefox, Mozilla Suite Fixed in: Firefox 1.0.5 Mozilla Suite 1.7.9 Description The InstallTrigger.install() method for launching an install accepts a callback function that will be called with the final success or error status. By forcing a page navigation immediately after calling the install method this callback function can end up running in the context of the new page selected by the attacker. This is true even if the user cancels the unwanted install dialog: cancel is an error status. This callback script can steal data from the new page such as cookies or passwords, or perform actions on the user's behalf such as make a purchase if the user is already logged into the target site. In Firefox the default settings allow only http://addons.mozilla.org to bring up this install dialog. This could only be exploited if users have added questionable sites to the install whitelist, and if a malicious site can convince you to install from their site that's a much more powerful attack vector. In the Mozilla Suite the whitelist feature is turned off by default, any site can prompt the user to install software and exploit this vulnerability. The browser has been fixed to clear any pending callback function when switching to a new site. Workaround Firefox: Remove untrustworthy sites from the list of those allowed to install, or turn off software installation entirely. 1. Open the Options dialog from the Tools menu 2. Select the Web Features icon in the left panel 3. Uncheck the "Allow web sites to install software" box, or click the "allowed sites" button on that line to remove untrusted sites. Mozilla Suite: Turn off the software installation feature. 1. Open the Preferences dialog from the Edit menu 2. Select "Software Installation" in the "Advanced" group in the left panel. 3. Uncheck the "Enable software installation" checkbox. References https://bugzilla.mozilla.org/show_bug.cgi?id=293331 Mozilla Foundation Security Advisory 2005-47 Title: Code execution via "Set as Wallpaper" Severity: High Reporter: Michael Krax Products: Firefox 1.0.3 Fixed in: Firefox 1.0.5 Description If an attacker can convince a victim to use the "Set As Wallpaper" context menu item on a specially crafted image then they can run arbitary code on the user's computer. The image "source" must be a javascript: url containing an eval() statement and such an image would get the "broken image" icon, but with CSS it could be made transparent and placed on top of a real image. The attacker would have to convince the user to change their desktop background to the exploit image, and to do so by using the Firefox context menu rather than first saving the image locally and using the normal mechanism provided by their operating system. This affects only Firefox 1.0.3 and 1.0.4; earlier versions are unaffected. The implementation of this feature in the Mozilla Suite is also unaffected. Workaround To use an image as your desktop background save it as a file first and then use the operating system's features to make the image your desktop wallpaper. References http://www.mikx.de/firewalling/ https://bugzilla.mozilla.org/show_bug.cgi?id=292737 Mozilla Foundation Security Advisory 2005-46 Title: XBL scripts ran even when Javascript disabled Severity: Low Reporter: moz_bug_r_a4 Products: Firefox, Thunderbird, Mozilla Suite Fixed in: Firefox 1.0.5 Thunderbird 1.0.5 Mozilla Suite 1.7.9 Description Scripts in XBL controls from web content continued to be run even when Javascript was disabled. By itself this causes no harm, but it could be combined with most script-based exploits to attack people running vulnerable versions who thought disabling javascript would protect them. In the Thunderbird and Mozilla Suite mail clients Javascript is disabled by default for protection against denial-of-service attacks and worms; this vulnerability could be used to bypass that protection. Workaround Upgrade to a fixed version References https://bugzilla.mozilla.org/show_bug.cgi?id=292591 https://bugzilla.mozilla.org/show_bug.cgi?id=292589 Mozilla Foundation Security Advisory 2005-45 Title: Content-generated event vulnerabilities Severity: High Reporter: Omar Khan, Jochen, shutdown, Matthew Mastracci Products: Firefox, Mozilla Suite Fixed in: Firefox 1.0.5 Mozilla Suite 1.7.9 Description In several places the browser UI did not correctly distinguish between true user events, such as mouse clicks or keystrokes, and synthetic events genenerated by web content. The problems ranged from minor annoyances like switching tabs or entering full-screen mode, to a variant on MFSA 2005-34 Synthetic events are now prevented from reaching the browser UI entirely rather than depend on each potentially spoofed function to protect itself from untrusted events. Workaround References https://bugzilla.mozilla.org/show_bug.cgi?id=289940 [***** End Security Vulnerabilities Fixed in Firefox 1.0.5 *****] _______________________________________________________________________________ CIAC wishes to acknowledge the contributions of Mozilla Foundation for the information contained in this bulletin. _______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 (7x24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@ciac.org Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ Anonymous FTP: ftp.ciac.org PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) P-241: PHP Security Update P-242: Adobe Reader Vulnerability P-243: 'ruby 1.8' Vulnerability P-244: 'arshell' Vulnerability in 'arrayd' P-245: Cisco CallManager Vulnerabilities P-246: Microsoft Word Font Parsing Vulnerability P-247: Microsoft Vulnerability in JView Profiler P-248: Microsoft Color Management Module Vulnerability P-249: krb5 Security Update P-250: Oracle Critical Patch Update - July 2005 P-251: Mozilla Security Updates