DOE-CIRC TECHNICAL BULLETIN

T-229: Mozilla Firefox MFSA 2009-47, -48, -49, -50, -51 Multiple Vulnerabilities

[CVE-2009-3069 Thru CVE-2009-3079]

September 11, 2009 16:00 GMT

PROBLEM: The Mozilla Foundation has released multiple advisories to address vulnerabilities in Firefox.
PLATFORM: Mozilla Firefox prior to 3.0.14; Mozilla Firefox prior to 3.5.3
ABSTRACT: Multiple vulnerabilities have been addressed in Firefox prior to 3.0.14 and 3.5.3. These vulnerabilities could result in either a denial of service or the execution of arbitrary code.

LINKS:
  DOE-CIRC BULLETIN: http://www.doecirc.energy.gov/bulletins/t-229.shtml
  OTHER LINKS:
    Mozilla Security Advisories: http://www.mozilla.org/security/announce/
    Security Focus: http://www.securityfocus.com/bid/36343/info

  CVE: CVE-2009-3069
       CVE-2009-3070
       CVE-2009-3071
       CVE-2009-3072
       CVE-2009-3073
       CVE-2009-3074
       CVE-2009-3075
       CVE-2009-3076
       CVE-2009-3077
       CVE-2009-3078
       CVE-2009-3079

IMPACT ASSESSMENT: This risk is high. An attacker can exploit these issues to obtain potentially sensitive information, execute arbitrary code, elevate privileges, and cause denial-of-service conditions.

[***** Start CVE-2009-3069 Thru CVE-2009-3079 *****]
Discussion:
The Mozilla Foundation has released multiple advisories to address vulnerabilities in Firefox.  Each vulnerability is described below:

-Mozilla Foundation Security Advisory 2009-47-
Mozilla developers and community members identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.

-Workaround-
Disable JavaScript until a version containing these fixes can be installed.

-Mozilla Foundation Security Advisory 2009-48-
A Mozilla security researcher reported that when security modules were added or removed via pkcs11.addmodule or pkcs11.deletemodule, the resulting dialog was not sufficiently informative. Without sufficient warning, an attacker could entice a victim to install a malicious PKCS11 module and affect the cryptographic integrity of the victim's browser.

-Mozilla Foundation Security Advisory 2009-49-
An anonymous security researcher, via TippingPoint's Zero Day Initiative, reported that the columns of a XUL tree element could be manipulated in a particular way which would leave a pointer owned by the column pointing to freed memory. An attacker could potentially use this vulnerability to crash a victim's browser and run arbitrary code on the victim's computer.

-Mozilla Foundation Security Advisory 2009-50-
A security researcher reported that the default Windows font used to render the locationbar and other text fields was improperly displaying certain Unicode characters with tall line-height. In such cases the tall line-height would cause the rest of the text in the input field to be scrolled vertically out of view. An attacker could use this vulnerability to prevent a user from seeing the URL of a malicious site.

-Mozilla Foundation Security Advisory 2009-51-
A Mozilla security researcher reported that the BrowserFeedWriter could be leveraged to run JavaScript code from web content with elevated privileges. Using this vulnerability, an attacker could construct an object containing malicious JavaScript and cause the FeedWriter to process the object, running the malicious code with chrome privileges.

Solution:
Updates are available. Firefox should be updated to version 3.0.14 or 3.5.3.
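
One way to triage an inventory of reported Firefox versions against the two fixed releases above. This is an added example, not part of the original bulletin or of Mozilla's tooling; the host names, version strings, and the handling of pre-release tags are assumptions.

```python
import re

# Fixed releases named in the bulletin, keyed by (major, minor) branch.
FIXED = {(3, 0): (3, 0, 14), (3, 5): (3, 5, 3)}
NEWEST_FIXED = max(FIXED.values())

# major.minor[.patch] plus an optional pre-release tag such as "b4" or "pre".
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?([a-z]+\d*)?", re.IGNORECASE)


def parse_version(text):
    """Return ((major, minor, patch), is_prerelease) for the first version in text."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no version number in {text!r}")
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    return version, bool(m.group(4))


def needs_update(text):
    """True if the reported version predates the fixed release for its branch."""
    version, prerelease = parse_version(text)
    # Branches without their own fixed release (2.x, 3.1 betas) are compared
    # against 3.5.3, since the bulletin lists everything prior to it.
    fixed = FIXED.get(version[:2], NEWEST_FIXED)
    if version == fixed and prerelease:
        return True  # assumption: "3.5.3pre" was built before the 3.5.3 release
    return version < fixed


def hosts_to_update(inventory):
    """Return the sorted host names whose Firefox still needs the update."""
    return sorted(h for h, v in inventory.items() if needs_update(v))


# Constructed sample inventory (host names and version strings are made up).
SAMPLE_INVENTORY = {
    "ws-01": "Mozilla Firefox 3.0.13",
    "ws-02": "Mozilla Firefox 3.0.14",
    "ws-03": "3.5.2",
    "ws-04": "3.5.3",
    "ws-05": "3.5b4",
    "ws-06": "2.0.0.20",
}

if __name__ == "__main__":
    for host in hosts_to_update(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> update required")
```

Versions newer than 3.5.3 on other branches are reported as not needing this update; the bulletin makes no statement about them.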

[***** End CVE-2009-3069 Thru CVE-2009-3079 *****]

DOE-CIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at:
    Voice:          866-941-2472
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov


UCRL-MI-119788