TECHNICAL BULLETIN
| PROBLEM: | Mozilla Firefox/Thunderbird/SeaMonkey MFSA 2009-24 through -32 Multiple Remote Vulnerabilities. |
| PLATFORM: | Ubuntu Linux 9.04 (sparc, powerpc, lpia, i386, amd64); Ubuntu Linux 8.10 (sparc, powerpc, lpia, i386, amd64); Ubuntu Linux 8.04 LTS (sparc, powerpc, lpia, i386, amd64); RedHat Enterprise Linux WS 4; RedHat Enterprise Linux WS 3; RedHat Enterprise Linux EUS 5.3.z server; RedHat Enterprise Linux ES 4.8.z; RedHat Enterprise Linux ES 4; RedHat Enterprise Linux ES 3; RedHat Enterprise Linux Desktop Workstation 5 client; RedHat Enterprise Linux AS 4.8.z; RedHat Enterprise Linux AS 4; RedHat Enterprise Linux AS 3; RedHat Desktop 4.0; RedHat Desktop 3.0; Mozilla Thunderbird 0.6 through 1.0.8; Mozilla Thunderbird 1.5; Mozilla Thunderbird 1.5.0.8; Mozilla Thunderbird 1.5.0.7; Mozilla Thunderbird 1.5.0.5; Mozilla Thunderbird 1.5.0.4; Mozilla Thunderbird 1.5.0.2; Mozilla Thunderbird 1.5.0.10; Mozilla Thunderbird 1.5.0.1; Mozilla Thunderbird 1.5 beta 2; Mozilla Thunderbird 1.5.14; Mozilla Thunderbird 1.5.12; Mozilla Thunderbird 1.5.9; Mozilla Thunderbird 1.5.13; Mozilla Thunderbird 2.0 through 2.0.17; Mozilla Thunderbird 2.0.0.21; Mozilla Thunderbird 2.0.0.18; Mozilla SeaMonkey 1.0; Mozilla SeaMonkey 1.0 dev; Mozilla SeaMonkey 1.0.1 through 1.1.16; Mozilla Firefox 0.8 through 3.0.10; Mozilla Firefox 1.0.2 (as shipped in MandrakeSoft Linux Mandrake 10.2 x86_64, MandrakeSoft Linux Mandrake 10.2, RedHat Desktop 4.0, RedHat Enterprise Linux AS 4, RedHat Enterprise Linux ES 4, RedHat Enterprise Linux WS 4) |
| ABSTRACT: | The Mozilla Foundation has released multiple security advisories specifying various vulnerabilities in Firefox, Thunderbird, and SeaMonkey. Attackers can exploit these issues to bypass same-origin restrictions, obtain potentially sensitive information, and execute arbitrary script code with elevated privileges; other attacks are also possible. |
| LINKS: | |
| DOE-CIRC BULLETIN: | http://www.doecirc.energy.gov/bulletins/t-161.shtml |
| OTHER LINKS: | Security Focus: http://www.securityfocus.com/bid/35326/info ; CVE-2009-1841: http://web.nvd.nist.gov/view/vuln/detail?execution=e1s1 ; CVE-2009-1840: http://web.nvd.nist.gov/view/vuln/detail?execution=e3s1 ; CVE-2009-1839: http://web.nvd.nist.gov/view/vuln/detail?execution=e7s1 ; CVE-2009-1838: http://web.nvd.nist.gov/view/vuln/detail?execution=e5s1 ; CVE-2009-1837: http://web.nvd.nist.gov/view/vuln/detail?execution=e9s1 ; CVE-2009-1836: http://web.nvd.nist.gov/view/vuln/detail?execution=e11s1 ; CVE-2009-1835: http://web.nvd.nist.gov/view/vuln/detail?execution=e13s1 ; CVE-2009-1834: http://web.nvd.nist.gov/view/vuln/detail?execution=e15s1 ; CVE-2009-1833: http://web.nvd.nist.gov/view/vuln/detail?execution=e17s1 ; CVE-2009-1832: http://web.nvd.nist.gov/view/vuln/detail?execution=e19s1 ; CVE-2009-1392: http://web.nvd.nist.gov/view/vuln/detail?execution=e21s1 |
| IMPACT ASSESSMENT: | This risk is rated high. Exploitation allows a remote attacker to execute arbitrary code with system-level privileges. |
[***** Start CVE-2009-1832 through CVE-2009-1841, CVE-2009-1392 *****]

Solution: Updates are available. See References section.

References:
Mozilla Homepage (Mozilla Foundation)
http://www.mozilla.org/
Mozilla Firefox Java Applet Loading Vulnerability (Secunia Research)
http://www.securityfocus.com/archive/1/504260
MFSA 2009-24: Crashes with evidence of memory corruption (rv:1.9.0.11) (Mozilla)
http://www.mozilla.org/security/announce/2009/mfsa2009-24.html
MFSA 2009-25: URL spoofing with invalid unicode characters (Mozilla)
http://www.mozilla.org/security/announce/2009/mfsa2009-25.html
MFSA 2009-26: Arbitrary domain cookie access by local file: resources (Mozilla)
http://www.mozilla.org/security/announce/2009/mfsa2009-26.html
MFSA 2009-27: SSL tampering via non-200 responses to proxy CONNECT requests (Mozilla)
http://www.mozilla.org/security/announce/2009/mfsa2009-27.html
MFSA 2009-28: Race condition while accessing the private data of a NPObject JS w (Mozilla)
http://www.mozilla.org/security/announce/2009/mfsa2009-28.html
MFSA 2009-29: Arbitrary code execution using event listeners attached to an elem (Mozilla)
http://www.mozilla.org/security/announce/2009/mfsa2009-29.html
MFSA 2009-30: Incorrect principal set for file: resources loaded via location ba (Mozilla)
http://www.mozilla.org/security/announce/2009/mfsa2009-30.html
MFSA 2009-31: XUL scripts bypass content-policy checks (Mozilla)
http://www.mozilla.org/security/announce/2009/mfsa2009-31.html
MFSA 2009-32: JavaScript chrome privilege escalation (Mozilla)
http://www.mozilla.org/security/announce/2009/mfsa2009-32.html

[***** End CVE-2009-1832 through CVE-2009-1841, CVE-2009-1392 *****]
Voice: 866-941-2472
E-mail: doecirc@doecirc.energy.gov
World Wide Web: http://www.doecirc.energy.gov