
Multiple vulnerabilities in Mozilla Firefox, Thunderbird, and SeaMonkey (PC1-2008-0113)


References to Advisories, Solutions, and Tools

===========================================================================
A U S C E R T    A L E R T

AL-2008.0014 -- AUSCERT ALERT
[Win][UNIX/Linux]
Multiple vulnerabilities in Mozilla Firefox, Thunderbird, and SeaMonkey
8 February 2008

===========================================================================

AusCERT Alert Summary
---------------------

Product:              Mozilla Firefox 2.0.0.11 and prior
                      Mozilla Thunderbird 2.0.0.10 and prior
                      Mozilla SeaMonkey 1.1.7 and prior
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact:               Execute Arbitrary Code/Commands
                      Access Confidential Data
                      Read-only Data Access
                      Cross-site Scripting
                      Denial of Service
                      Inappropriate Access
                      Provide Misleading Information
Access:               Remote/Unauthenticated
CVE Names:            CVE-2008-0412 CVE-2008-0413 CVE-2008-0414
                      CVE-2008-0415 CVE-2008-0417 CVE-2008-0418
                      CVE-2008-0419 CVE-2008-0591 CVE-2008-0592
                      CVE-2008-0593 CVE-2008-0594
Member content until: Friday, March 07 2008

Original Bulletin:
http://www.mozilla.org/security/announce/2008/mfsa2008-01.html
http://www.mozilla.org/security/announce/2008/mfsa2008-02.html
http://www.mozilla.org/security/announce/2008/mfsa2008-03.html
http://www.mozilla.org/security/announce/2008/mfsa2008-04.html
http://www.mozilla.org/security/announce/2008/mfsa2008-05.html
http://www.mozilla.org/security/announce/2008/mfsa2008-06.html
http://www.mozilla.org/security/announce/2008/mfsa2008-08.html
http://www.mozilla.org/security/announce/2008/mfsa2008-09.html
http://www.mozilla.org/security/announce/2008/mfsa2008-10.html
http://www.mozilla.org/security/announce/2008/mfsa2008-11.html

Comment: MFSA-2008-07 does not appear to exist.


OVERVIEW:

Information has been released regarding multiple vulnerabilities in
various Mozilla products, the most serious of which allows the
remote execution of arbitrary code.


IMPACT:

The following vulnerabilities exist in Mozilla Firefox, Thunderbird
and/or SeaMonkey:

o MFSA-2008-01 (CVE-2008-0412, CVE-2008-0413) A vulnerability
  in the browser JavaScript engine could allow arbitrary code
  execution by a remote attacker.

o MFSA-2008-02 (CVE-2008-0414) A variant of the input focus
  bugs reported previously, this vulnerability could allow an
  attacker to obtain arbitrary user files.

o MFSA-2008-03 (CVE-2008-0415) This vulnerability could allow
  a specially crafted script to break out of the sandbox
  environment and inject a script into another site.

o MFSA-2008-04 (CVE-2008-0417) When a user saves their password
  for a malicious site in the password store, the other passwords
  can become corrupted.

o MFSA-2008-05 (CVE-2008-0418) Plugins that use "flat" packaging
  are vulnerable to a directory traversal attack that could allow
  loading of JavaScript, images and stylesheets.

o MFSA-2008-06 (CVE-2008-0419) Pages that use "designMode" frames
  could change the history, crash the browser, and possibly
  execute arbitrary code.

o MFSA-2008-08 (CVE-2008-0591) Timer-enabled security dialogs
  can be subverted by changing focus. The user could then be
  tricked into clicking the dialog by bringing it back into
  focus.

o MFSA-2008-09 (CVE-2008-0592) When a file with
  "Content-Disposition: attachment" and "Content-Type: plain/text"
  set is saved, text files will prompt the user to save rather
  than displaying the file.

o MFSA-2008-10 (CVE-2008-0593) The "href" property on DOM nodes
  is updated to the final URI when following a 302 redirect.
  This could reveal sensitive information.

o MFSA-2008-11 (CVE-2008-0594) If a page is contained in "div"
  tags with absolute positioning, a user will not see a forgery
  warning until switching off that tab and then back to it.


MITIGATION:

The above-mentioned vulnerabilities have been corrected by new
releases of Mozilla Firefox 2.0.0.12 [1] and SeaMonkey 1.1.8 [2].
Users of these products are encouraged to upgrade to these new
releases, which are available from the Mozilla web site.

Thunderbird 2.0.0.12 is referenced as having corrected the problems;
however, currently only version 2.0.0.9 is available for download [3].

Mitigation strategies have been identified for some, but not all
vulnerabilities.


REFERENCES:

[1] Firefox web browser | Faster, more secure, & customizable
http://www.mozilla.com/en-US/firefox/

[2] The SeaMonkey Project
http://www.seamonkey-project.org/

[3] Thunderbird - Reclaim your inbox
http://www.mozilla.com/en-US/thunderbird/


AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:

http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================

