             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       | /_\ /     /
                          \___  __|__ /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                        Firefox 1.0.7 Security Update
                              [RHSA-2005:785-9]

September 22, 2005 22:00 GMT                                      Number P-310
[REVISED 23 Sep 2005]
[REVISED 03 Oct 2005]
[REVISED 20 Oct 2005]
______________________________________________________________________________
PROBLEM:       An updated firefox package that fixes several security bugs is
               now available for Red Hat Enterprise Linux 4.

PLATFORM:      Firefox versions prior to 1.0.7
               Mozilla Suite versions prior to 1.7.12
               Thunderbird versions prior to 1.0.7
               Red Hat Desktop (v. 4)
               Red Hat Enterprise Linux AS (v. 4)
               Red Hat Enterprise Linux ES (v. 4)
               Red Hat Enterprise Linux WS (v. 4)
               Debian GNU/Linux 3.1 (sarge)

DAMAGE:        The vulnerabilities may allow an attacker to execute arbitrary
               code on a victim's machine.

SOLUTION:      Apply security updates.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. Some of the vulnerabilities will allow the
ASSESSMENT:    attacker to execute code as the user running Firefox if the user
               visits a malicious web site, clicks on a malicious link, or
               processes a malicious file.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/p-310.shtml
 ORIGINAL BULLETIN:  http://rhn.redhat.com/errata/RHSA-2005-785.html
 ADDITIONAL LINKS:   Mozilla Security Advisory MFSA 2005-59
                     http://www.mozilla.org/security/announce/mfsa2005-59.html
                     Debian Security Advisory DSA-838
                     http://www.debian.org/security/2005/dsa-838
                     Debian Security Advisory DSA-868-1
                     http://www.debian.org/security/2005/dsa-868
                     Debian Security Advisory DSA-866-1
                     http://www.debian.org/security/2005/dsa-866
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                     CAN-2005-2701 CAN-2005-2702 CAN-2005-2703 CAN-2005-2704
                     CAN-2005-2705 CAN-2005-2706 CAN-2005-2707 CAN-2005-2968
______________________________________________________________________________
REVISION HISTORY:
 09/23/05 - added a link to Mozilla Security Advisory MFSA 2005-59.
 10/03/05 - added a link to Debian Security Advisory DSA-838 that provides
            updated mozilla-firefox packages addressing this vulnerability.
            Also, Mozilla advises Thunderbird users to update to
            Thunderbird 1.0.7.
 10/20/05 - added a link to Debian Security Advisories DSA-868-1 and
            DSA-866-1 for Debian GNU/Linux 3.1 sarge.

[***** Start RHSA-2005:785-9 *****]

Critical: firefox security update

Advisory:        RHSA-2005:785-9
Type:            Security Advisory
Issued on:       2005-09-22
Last updated on: 2005-09-22

Affected Products:
  Red Hat Desktop (v. 4)
  Red Hat Enterprise Linux AS (v. 4)
  Red Hat Enterprise Linux ES (v. 4)
  Red Hat Enterprise Linux WS (v. 4)

CVEs (cve.mitre.org):
  CAN-2005-2701
  CAN-2005-2702
  CAN-2005-2703
  CAN-2005-2704
  CAN-2005-2705
  CAN-2005-2706
  CAN-2005-2707
  CAN-2005-2968

Details

An updated firefox package that fixes several security bugs is now available
for Red Hat Enterprise Linux 4.

This update has been rated as having critical security impact by the Red Hat
Security Response Team.

Mozilla Firefox is an open source Web browser.

A bug was found in the way Firefox processes XBM image files. If a user views
a specially crafted XBM file, it becomes possible to execute arbitrary code as
the user running Firefox. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2005-2701 to this issue.

A bug was found in the way Firefox processes certain Unicode sequences. It may
be possible to execute arbitrary code as the user running Firefox if the user
views a specially crafted Unicode sequence. (CAN-2005-2702)

A bug was found in the way Firefox makes XMLHttp requests. It is possible that
a malicious web page could leverage this flaw to exploit other proxy or server
flaws from the victim's machine. It is also possible that this flaw could be
leveraged to send XMLHttp requests to hosts other than the originator; the
default behavior of the browser is to disallow this. (CAN-2005-2703)

A bug was found in the way Firefox implemented its XBL interface. It may be
possible for a malicious web page to create an XBL binding in such a way that
would allow arbitrary JavaScript execution with chrome permissions. Please note
that in Firefox 1.0.6 this issue is not directly exploitable and will need to
leverage other unknown exploits. (CAN-2005-2704)

An integer overflow bug was found in Firefox's JavaScript engine. Under
favorable conditions, it may be possible for a malicious web page to execute
arbitrary code as the user running Firefox. (CAN-2005-2705)

A bug was found in the way Firefox displays about: pages. It is possible for a
malicious web page to open an about: page, such as about:mozilla, in such a way
that it becomes possible to execute JavaScript with chrome privileges.
(CAN-2005-2706)

A bug was found in the way Firefox opens new windows. It is possible for a
malicious web site to construct a new window without any user interface
components, such as the address bar and the status bar. This window could then
be used to mislead the user for malicious purposes. (CAN-2005-2707)

A bug was found in the way Firefox processes URLs passed to it on the command
line. If a user passes a malformed URL to Firefox, such as clicking on a link
in an instant messaging program, it is possible to execute arbitrary commands
as the user running Firefox. (CAN-2005-2968)

Users of Firefox are advised to upgrade to this updated package that contains
Firefox version 1.0.7 and is not vulnerable to these issues.

Solution

Before applying this update, make sure all previously released errata relevant
to your system have been applied.

This update is available via Red Hat Network. To use Red Hat Network, launch
the Red Hat Update Agent with the following command:

  up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2701
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2702
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2703
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2704
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2705
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2706
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2707
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2968

These packages are GPG signed by Red Hat for security. Our key and details on
how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at
http://www.redhat.com/security/team/contact/

Updated packages

Red Hat Desktop (v. 4)
--------------------------------------------------------------------------------
SRPMS:
firefox-1.0.7-1.4.1.src.rpm     b94b77b06cbb9a21eef92abc886b13ff
IA-32:
firefox-1.0.7-1.4.1.i386.rpm    a8421837182e4ef34df5957de617ce72
x86_64:
firefox-1.0.7-1.4.1.x86_64.rpm  d3cb63f6cd8593497a926414c874960e

Red Hat Enterprise Linux AS (v. 4)
--------------------------------------------------------------------------------
SRPMS:
firefox-1.0.7-1.4.1.src.rpm     b94b77b06cbb9a21eef92abc886b13ff
IA-32:
firefox-1.0.7-1.4.1.i386.rpm    a8421837182e4ef34df5957de617ce72
IA-64:
firefox-1.0.7-1.4.1.ia64.rpm    278ea87e1c4988a37317c720e962b48c
PPC:
firefox-1.0.7-1.4.1.ppc.rpm     2ec5c55552e66596fd316f70b1f53167
s390:
firefox-1.0.7-1.4.1.s390.rpm    7a1668a6316e7c6dff35c7bc5e26bdc1
s390x:
firefox-1.0.7-1.4.1.s390x.rpm   479aba05e955742bab19dc510c3eae84
x86_64:
firefox-1.0.7-1.4.1.x86_64.rpm  d3cb63f6cd8593497a926414c874960e

Red Hat Enterprise Linux ES (v. 4)
--------------------------------------------------------------------------------
SRPMS:
firefox-1.0.7-1.4.1.src.rpm     b94b77b06cbb9a21eef92abc886b13ff
IA-32:
firefox-1.0.7-1.4.1.i386.rpm    a8421837182e4ef34df5957de617ce72
IA-64:
firefox-1.0.7-1.4.1.ia64.rpm    278ea87e1c4988a37317c720e962b48c
x86_64:
firefox-1.0.7-1.4.1.x86_64.rpm  d3cb63f6cd8593497a926414c874960e

Red Hat Enterprise Linux WS (v. 4)
--------------------------------------------------------------------------------
SRPMS:
firefox-1.0.7-1.4.1.src.rpm     b94b77b06cbb9a21eef92abc886b13ff
IA-32:
firefox-1.0.7-1.4.1.i386.rpm    a8421837182e4ef34df5957de617ce72
IA-64:
firefox-1.0.7-1.4.1.ia64.rpm    278ea87e1c4988a37317c720e962b48c
x86_64:
firefox-1.0.7-1.4.1.x86_64.rpm  d3cb63f6cd8593497a926414c874960e

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

168527 - CAN-2005-2701 Multiple Firefox issues (CAN-2005-2702, CAN-2005-2703,
         CAN-2005-2704, CAN-2005-2705, CAN-2005-2706, CAN-2005-2707)
168740 - CAN-2005-2968 Firefox improper command line URL sanitization

[***** End RHSA-2005:785-9 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat for the information
contained in this bulletin.
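The advisory tells administrators to take the update from Red Hat Network, publishes MD5 sums for every RPM, and notes that the packages are GPG signed. For sites that stage the RPMs by hand, the POSIX shell script below checks downloaded files against the sums printed in the "Updated packages" table and then runs rpm's signature check. It is an added example, not part of the CIAC bulletin or of Red Hat's errata tooling; it assumes the RPMs sit in a directory you pass as the first argument and that md5sum (or md5 on BSD-style systems) and rpm are on the path. The sums in EXPECTED_SUMS are the ones listed above.

```shell
#!/bin/sh
# Verify locally staged RHSA-2005:785-9 firefox RPMs against the MD5 sums
# printed in the advisory, then check Red Hat's GPG signature with rpm.
# Added example; assumes the RPMs were downloaded into the directory given
# as $1 and that md5sum/md5 and rpm are the stock tools.

# Print the MD5 digest of a file (md5sum on Linux, md5 -q on BSD/macOS).
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# verify_md5 FILE EXPECTED -> exit status 0 when the digest matches, 1 otherwise.
verify_md5() {
    actual=$(file_md5 "$1") || return 1
    [ "$actual" = "$2" ]
}

# Sums copied from the advisory's "Updated packages" table ("name md5" per line).
EXPECTED_SUMS='firefox-1.0.7-1.4.1.src.rpm b94b77b06cbb9a21eef92abc886b13ff
firefox-1.0.7-1.4.1.i386.rpm a8421837182e4ef34df5957de617ce72
firefox-1.0.7-1.4.1.ia64.rpm 278ea87e1c4988a37317c720e962b48c
firefox-1.0.7-1.4.1.ppc.rpm 2ec5c55552e66596fd316f70b1f53167
firefox-1.0.7-1.4.1.s390.rpm 7a1668a6316e7c6dff35c7bc5e26bdc1
firefox-1.0.7-1.4.1.s390x.rpm 479aba05e955742bab19dc510c3eae84
firefox-1.0.7-1.4.1.x86_64.rpm d3cb63f6cd8593497a926414c874960e'

# verify_list DIR SUMS -> checks every file named in SUMS that exists in DIR.
# Returns 0 when all present files match, 1 on any mismatch, and 2 when none
# of the listed files was found (a "nothing verified" run must not look green).
verify_list() {
    dir=$1
    checked=0
    failed=0
    while read -r name sum; do
        [ -n "$name" ] || continue
        path="$dir/$name"
        [ -f "$path" ] || continue
        checked=$((checked + 1))
        if verify_md5 "$path" "$sum"; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (expected $sum)"
            failed=$((failed + 1))
        fi
    done <<EOF
$2
EOF
    if [ "$checked" -eq 0 ]; then
        echo "no listed package found in $dir" >&2
        return 2
    fi
    [ "$failed" -eq 0 ]
}

# verify_downloads DIR -> verify_list against the advisory's sums.
verify_downloads() {
    verify_list "$1" "$EXPECTED_SUMS"
}

# verify_signatures DIR -> rpm --checksig on each staged firefox RPM.
# rpm reports the gpg signature as OK only after Red Hat's public key
# (https://www.redhat.com/security/team/key/#package) has been imported with
# rpm --import; before that the signature result is inconclusive.
verify_signatures() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available" >&2; return 2; }
    rpm --checksig "$1"/firefox-1.0.7-1.4.1.*.rpm
}

# Usage: sh verify-rhsa-2005-785.sh /path/to/staged/rpms
if [ "$#" -gt 0 ]; then
    verify_downloads "$1" && verify_signatures "$1"
fi
```

The MD5 check only confirms that what you downloaded is what the advisory described; it is the GPG signature check, with Red Hat's key imported, that ties the package to Red Hat. Treat a MISMATCH or a "no listed package found" result as a stop condition rather than a warning.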
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:  http://www.ciac.org/
   Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency
of the United States Government. Neither the United States Government
nor the University of California nor any of their employees, makes any
warranty, express or implied, or assumes any legal liability or
responsibility for the accuracy, completeness, or usefulness of any
information, apparatus, product, or process disclosed, or represents
that its use would not infringe privately owned rights. Reference
herein to any specific commercial products, process, or service by
trade name, trademark, manufacturer, or otherwise, does not necessarily
constitute or imply its endorsement, recommendation or favoring by the
United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or
reflect those of the United States Government or the University of
California, and shall not be used for advertising or product
endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

P-300: Cisco IOS Firewall Authentication Proxy for FTP and Telnet Sessions
       Vulnerability
P-301: httpd Security Update
P-302: Cisco CSS SSL Authentication Bypass Security Notice
P-303: Firefox and Mozilla Buffer Overflow Vulnerability
P-304: XFree86 Security Update
P-305: Sun JAR File Contents Disclosure
P-306: Apple Java Security Updates
P-307: TWiki History Function Vulnerability
P-308: 'kcheckpass' Vulnerability
P-309: VERITAS Storage Exec DCOM Server Buffer Overflows