[Full-disclosure] [USN-149-1] Firefox vulnerabilities

From: Martin Pitt (martin.pitt_at_canonical.com)
Date: 07/21/05

  • Next message: Darren Reed: "[Full-disclosure] Re: (ICMP attacks against TCP) (was Re: HPSBUX01137 SSRT5954"
    Date: Thu, 21 Jul 2005 09:13:51 +0200
    To: ubuntu-security-announce@lists.ubuntu.com
    
    
    
    

    ===========================================================
    Ubuntu Security Notice USN-149-1 July 21, 2005
    mozilla-firefox vulnerabilities
    CAN-2005-1937, CAN-2005-2260, CAN-2005-2261, CAN-2005-2263,
    CAN-2005-2264, CAN-2005-2265, CAN-2005-2266, CAN-2005-2267,
    CAN-2005-2268, CAN-2005-2269, CAN-2005-2270
    ===========================================================

    A security issue affects the following Ubuntu releases:

    Ubuntu 5.04 (Hoary Hedgehog)

    The following packages are affected:

    mozilla-firefox

    The problem can be corrected by upgrading the affected package to
    version 1.0.2-0ubuntu5.4. After a standard system upgrade you need to
    restart Firefox to effect the necessary changes.

    Please note that the Ubuntu 4.10 version is also affected; an upgrade
    is in preparation.

    Details follow:

    Secunia.com reported that one of the recent security patches in
    Firefox reintroduced the frame injection patch that was originally
    known as CAN-2004-0718. This allowed a malicious web site to spoof the
    contents of other web sites. (CAN-2005-1937)

    In several places the browser user interface did not correctly
    distinguish between true user events, such as mouse clicks or
    keystrokes, and synthetic events genenerated by web content. This
    could be exploited by malicious web sites to generate e. g. mouse
    clicks that install malicious plugins. Synthetic events are now
    prevented from reaching the browser UI entirely. (CAN-2005-2260)

    Scripts in XBL controls from web content continued to be run even when
    Javascript was disabled. This could be combined with most script-based
    exploits to attack people running vulnerable versions who thought
    disabling Javascript would protect them. (CAN-2005-2261)

    Matthew Mastracci discovered a flaw in the addons installation
    launcher. By forcing a page navigation immediately after calling the
    install method a callback function could end up running in the context
    of the new page selected by the attacker. This callback script could
    steal data from the new page such as cookies or passwords, or perform
    actions on the user's behalf such as make a purchase if the user is
    already logged into the target site. However, the default settings
    allow only http://addons.mozilla.org to bring up this install dialog.
    This could only be exploited if users have added untrustworthy sites
    to the installation whitelist, and if a malicious site can convince
    you to install from their site. (CAN-2005-2263)

    Kohei Yoshino discovered a Javascript injection vulnerability in the
    sidebar. Sites can use the _search target to open links in the Firefox
    sidebar. A missing security check allowed the sidebar to inject
    "data:" URLs containing scripts into any page open in the browser.
    This could be used to steal cookies, passwords or other sensitive
    data. (CAN-2005-2264)

    The function for version comparison in the addons installer did not
    properly verify the type of its argument. By passing specially crafted
    Javascript objects to it, a malicious web site could crash the browser
    and possibly even execute arbitrary code with the privilege of the
    user account Firefox runs in. (CAN-2005-2265)

    A child frame can call top.focus() even if the framing page comes from
    a different origin and has overridden the focus() routine. Andreas
    Sandblad discovered that the call is made in the context of the child
    frame. This could be exploited to steal cookies and passwords from the
    framed page, or take actions on behalf of a signed-in user. However,
    web sites with above properties are not very common. (CAN-2005-2266)

    Several media players, for example Flash and QuickTime, support
    scripted content with the ability to open URLs in the default browser.
    The default behavior for Firefox was to replace the currently open
    browser window's content with the externally opened content. Michael
    Krax discovered that if the external URL was a javascript: URL it
    would run as if it came from the site that served the previous
    content, which could be used to steal sensitive information such as
    login cookies or passwords. If the media player content first caused a
    privileged chrome: url to load then the subsequent javascript: url
    could execute arbitrary code. (CAN-2005-2267)

    Alerts and prompts created by scripts in web pages were presented with
    the generic title [JavaScript Application] which sometimes made it
    difficult to know which site created them. A malicious page could
    exploit this by causing a prompt to appear in front of a trusted site
    in an attempt to extract information such as passwords from the user.
    In the fixed version these prompts contain the hostname of the page
    which created it. (CAN-2005-2268)

    The XHTML DOM node handler did not take namespaces into account when
    verifying node types based on their names. For example, an XHTML
    document could contain an <IMG> tag with malicious contents, which
    would then be processed as the standard trusted HTML <img> tag. By
    tricking an user to view malicious web sites, this could be exploited
    to execute attacker-specified code with the full privileges of the
    user. (CAN-2005-2269)

    It was discovered that some objects were not created appropriately.
    This allowed malicious web content scripts to trace back the creation
    chain until they found a privileged object and execute code with
    higher privileges than allowed by the current site. (CAN-2005-2270)

      Source archives:

        http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox/mozilla-firefox_1.0.2-0ubuntu5.4.diff.gz
          Size/MD5: 901156 7d129844042561aec3373c338ae50da6
        http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox/mozilla-firefox_1.0.2-0ubuntu5.4.dsc
          Size/MD5: 1058 91c2a87189e22af2dcc03e5e2cfc69db
        http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox/mozilla-firefox_1.0.2.orig.tar.gz
          Size/MD5: 41023585 7e98ce4aefc5ea9b5f1f35b7a0c58f60

      amd64 architecture (Athlon64, Opteron, EM64T Xeon)

        http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox/mozilla-firefox-dev_1.0.2-0ubuntu5.4_amd64.deb
          Size/MD5: 2631798 331c9f3d9ae8a842130f889423cbae07
        http://security.ubuntu.com/ubuntu/pool/universe/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.2-0ubuntu5.4_amd64.deb
          Size/MD5: 157476 1984a251769899721cb3524b4e7d34cf
        http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.2-0ubuntu5.4_amd64.deb
          Size/MD5: 56730 4f6ebca89f5b503c3678354938b28d63
        http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox/mozilla-firefox_1.0.2-0ubuntu5.4_amd64.deb
          Size/MD5: 9764306 ce853daaf0039025b5a911345c519e87

      i386 architecture (x86 compatible Intel/AMD)

        http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox/mozilla-firefox-dev_1.0.2-0ubuntu5.4_i386.deb
          Size/MD5: 2631766 1fd464e44cc272526ac48634e7fd2b08
        http://security.ubuntu.com/ubuntu/pool/universe/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.2-0ubuntu5.4_i386.deb
          Size/MD5: 152370 585a235429807cd05b0b0621fc3e9db3
        http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.2-0ubuntu5.4_i386.deb
          Size/MD5: 53344 21da121beb266f5f99973e7f7f9e327e
        http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox/mozilla-firefox_1.0.2-0ubuntu5.4_i386.deb
          Size/MD5: 8793476 83ed14939ec232417f80a14165ec2261

      powerpc architecture (Apple Macintosh G3/G4/G5)

        http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox/mozilla-firefox-dev_1.0.2-0ubuntu5.4_powerpc.deb
          Size/MD5: 2631838 d4197428d1b5a923cb0855896740d2c2
        http://security.ubuntu.com/ubuntu/pool/universe/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.2-0ubuntu5.4_powerpc.deb
          Size/MD5: 151184 06ce5e6001caf2f419edd4c99d4c434c
        http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.2-0ubuntu5.4_powerpc.deb
          Size/MD5: 55982 ae0309f3ef3d5440716e58f9b722b2b7
        http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox/mozilla-firefox_1.0.2-0ubuntu5.4_powerpc.deb
          Size/MD5: 8455944 02e721acebbcb9106b4a806baf4e53be

    
    

    
    

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/



  • Next message: Darren Reed: "[Full-disclosure] Re: (ICMP attacks against TCP) (was Re: HPSBUX01137 SSRT5954"

    Relevant Pages

    • [USN-149-1] Firefox vulnerabilities
      ... could be exploited by malicious web sites to generate e. ... disabling Javascript would protect them. ... "data:" URLs containing scripts into any page open in the browser. ... a malicious web site could crash the browser ...
      (Bugtraq)
    • Re: Success With Windows98 BUT
      ... Most scripts appear to be nothing more than advert and tracking related rubbish which is of no use to the visitor. ... There are some fantastic free calculators out there for e.g. obscure engineering problems that are totally written in JavaScript. ... This would involve web sites ensuring that all browsers, including special disability related software, can access the site. ... The one glaring hole in security is the file download function. ...
      (uk.telecom.broadband)
    • Re: Jailing Firefox
      ... web sites out there won't work properly. ... There are options to switch off the malicious facilities in Javascript, ... Edit, preferences, advanced, scripts & plugins, allow scripts to ...
      (comp.os.linux.misc)
    • Re: End of .html parsing ?
      ... JavaScript and about browser and user behavior? ... You may be messily underestimating the true number of then entities that could be called "web sites". ... It is even possible that not having javascript support on the browser is the reason it is not available, and so enabling it is not even an option for them. ... Which should remind you that if someone proposes statistics that purport to relate to web sites requiring javascript you need to see considerably more than just the numbers in order to decide whether they mean anything at all. ...
      (comp.lang.javascript)
    • Javascript problem continues!!
      ... they all state that I have got Javascript turned off. ... active scripting,. ... work and the web sites still say that I have got Javascript turned off! ... I am using Internet Explorer 7, does anyone have any idea why this might be ...
      (microsoft.public.windowsxp.general)