
DOE-CIRC TECHNICAL BULLETIN

T-185: Two Remote Code Execution Vulnerabilities in Firefox

July 16, 2009 17:00 GMT

PROBLEM: Firefox has vulnerabilities in the Unicode Data and TraceMonkey components. Successful exploitation of either could result in the attacker running code in the context of the logged-in user.
PLATFORM: Firefox 3.5 running on Windows XP or Mac OS X.
ABSTRACT: The Firefox JavaScript engine has vulnerabilities in the TraceMonkey and Unicode Data components. Exploitation of either could allow an attacker to run arbitrary code.

LINKS:
  DOE-CIRC BULLETIN: http://www.doecirc.energy.gov/bulletins/t-185.shtml
  OTHER LINKS:
    Security Focus
      http://www.securityfocus.com/bid/35707/discuss
      http://www.securityfocus.com/bid/35660/discuss
    Internet Storm Center
      http://isc.sans.org/diary.html?storyid=6796
    US-CERT
      http://www.kb.cert.org/vuls/id/443060
    Mozilla
      https://bugzilla.mozilla.org/show_bug.cgi?id=503286#c14


IMPACT ASSESSMENT: This risk is high. Proof of concept code is available for these vulnerabilities. No patches are available, but a workaround is described in the discussion below.

Discussion:
Work on both vulnerabilities is in the early stages. It is possible that other operating systems (e.g., Windows Vista or Windows 7) are also vulnerable.

These are excerpts from bugzilla.mozilla.org:

    This is a JS engine bug dealing with deep bailing not properly restoring the return value from the result of the (fast native) escape function. We then try to do something with the uninitialized memory and crash in the interpreter. Since this bug is memory corruption and the 'escape' function is not exotic, other crashes could in fact be this bug (this bug is pretty serious). I suspect bug 503144 is a duplicate of this. And I have seen another crash report, which could be a duplicate of this (I have to look that up).

Mozilla is working on a patch.

Solutions: 
No patch is known to be available at this time.

Workaround:
Option One - Disable the just-in-time JavaScript compiler:
Use the about:config interface to set javascript.options.jit.content and javascript.options.jit.chrome to false. JavaScript will still run, but the TraceMonkey performance enhancements will be disabled.

Option Two - Run Firefox in Safe Mode:
On Windows machines, use the Start menu to navigate to the Mozilla Firefox folder and select Mozilla Firefox (Safe Mode).
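Option One is a preference change that an administrator may want to verify or enforce across many profiles rather than click through about:config on each machine. The following script is an added example, not part of the DOE-CIRC bulletin or of Mozilla's own tooling. It parses the user_pref("name", value); lines that Firefox writes to a profile's prefs.js, reports whether both JIT preferences from the bulletin are set to false, and produces a corrected copy with both forced off. The sample prefs.js content is constructed for the example; the file format (user_pref lines) is the real Firefox preference syntax, but the profile paths and the exact default values on a given machine are not assumed here, so a preference that is absent from the file is reported as "unset" rather than guessed.

```python
import re
from typing import Dict

# Constructed sample of a Firefox profile's prefs.js (not taken from a real profile).
# Only one of the two JIT preferences from the bulletin is already disabled.
SAMPLE_PREFS_JS = """# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("javascript.options.jit.content", true);
user_pref("javascript.options.jit.chrome", false);
"""

# The two preferences the bulletin's Option One sets to false.
JIT_PREFS = ("javascript.options.jit.content", "javascript.options.jit.chrome")

# One preference per line: user_pref("name", value);  Value is true/false, a number, or a quoted string.
_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text: str) -> Dict[str, object]:
    """Parse prefs.js / user.js text into a name -> value dictionary."""
    prefs: Dict[str, object] = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a user_pref call
        name, raw = m.group(1), m.group(2).strip()
        if raw == "true":
            value: object = True
        elif raw == "false":
            value = False
        elif raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1]
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw  # leave unrecognised literals as-is
        prefs[name] = value
    return prefs


def jit_status(prefs: Dict[str, object]) -> Dict[str, str]:
    """Classify each JIT pref as 'disabled', 'enabled' or 'unset' (absent, so the
    build default applies; the default is not assumed by this script)."""
    status = {}
    for p in JIT_PREFS:
        if p not in prefs:
            status[p] = "unset"
        else:
            status[p] = "disabled" if prefs[p] is False else "enabled"
    return status


def workaround_applied(prefs: Dict[str, object]) -> bool:
    """True only when both JIT prefs are explicitly false, as the bulletin requires."""
    return all(prefs.get(p) is False for p in JIT_PREFS)


def apply_workaround(text: str) -> str:
    """Return the prefs text with both JIT prefs forced to false.
    Existing lines for those prefs are rewritten in place; missing ones are appended."""
    out = []
    seen = set()
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if m and m.group(1) in JIT_PREFS:
            out.append(f'user_pref("{m.group(1)}", false);')
            seen.add(m.group(1))
        else:
            out.append(line)
    for p in JIT_PREFS:
        if p not in seen:
            out.append(f'user_pref("{p}", false);')
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    before = parse_prefs(SAMPLE_PREFS_JS)
    print("before:", jit_status(before), "workaround applied:", workaround_applied(before))
    fixed = apply_workaround(SAMPLE_PREFS_JS)
    after = parse_prefs(fixed)
    print("after: ", jit_status(after), "workaround applied:", workaround_applied(after))
```

When enforcing this for real, write the two user_pref lines into the profile's user.js rather than editing prefs.js directly: Firefox rewrites prefs.js when it exits, while user.js is read at startup and overrides it, so the setting survives restarts and cannot be silently reverted by the browser. Run the audit with the browser closed so the prefs.js on disk reflects the current state.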

Normally, an easy option would be to use an alternate browser. However, the most common alternative, Internet Explorer, also has an unpatched and currently exploited vulnerability in its Spreadsheet ActiveX control. Needless to say, administrators and security analysts should exercise extra vigilance at this time.

DOE-CIRC wishes to acknowledge the contributions of Andrew Haynes and Simon Berry-Byrne for the information contained in this bulletin.
DOE-CIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at:
    Voice:          866-941-2472
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov


UCRL-MI-119788