September 1, 2014

Firefox 17 fixes 19 Critical security vulnerabilities and drops support for OS X Leopard

(LiveHacking.Com) – Mozilla has released Firefox 17 and in the processes it has closed 19 Critical security vulnerabilities, fixed 2365 bugs and addressed 10 other sets of High or Moderate security risks. Quite impressive! Firefox 17 also includes the first revision of the Mozilla’s Social API, drops support for Mac OS X 10.5 and implements the sandbox attribute for iframes. The sandbox attribute brings better security as it enables extra restrictions on the content that can appear in the inline frame.

The Critical security vulnerabilities are divided into six bundles. First miaubiz, famous for his work on Google Chrome,  used the Address Sanitizer tool to discover a series of critically rated of use-after-free, buffer overflow, and memory corruption issues. The individual issues are use-after-free when loading html file on osx (CVE-2012-5830), Mesa crashes on certain texImage2D calls involving level>0 (CVE-2012-5833), integer overflow, invalid write w/webgl bufferdata (CVE-2012-5835) and crash in copyTexImage2D with image dimensions too large for given level (CVE-2012-5838).

Second, Abhishek Arya (Inferno) of the Google Chrome Security Team also used the Address Sanitizer tool to find a series of critically rated of use-after-free and buffer overflow issues. The full list of issues are: Heap-use-after-free in nsTextEditorState::PrepareEditor (CVE-2012-4214)Heap-use-after-free in nsPlaintextEditor::FireClipboardEvent (CVE-2012-4215), Heap-use-after-free in gfxFont::GetFontEntry (CVE-2012-4216), Heap-buffer-overflow in nsWindow::OnExposeEvent (CVE-2012-5829), heap-buffer-overflow in gfxShapedWord::CompressedGlyph::IsClusterStart CVE-2012-5839Heap-use-after-free in nsTextEditorState::PrepareEditor (CVE-2012-5840), Heap-use-after-free in XPCWrappedNative::Mark (CVE-2012-4212), Heap-use-after-free in nsEditor::FindNextLeafNode (CVE-2012-4213), Heap-use-after-free in nsViewManager::ProcessPendingUpdates (CVE-2012-4217) and Heap-use-after-free BuildTextRunsScanner::BreakSink::SetBreaks (CVE-2012-4218).

Next, security researcher Mariusz Mlynski reported that when a maliciously crafted stylesheet is inspected in the Style Inspector, HTML and CSS can run in a chrome privileged context without being properly sanitized first. The references for his discoveries are Arbitrary code execution from Style Inspector and CVE-2012-4210.

Following on from this, Jonathan Stephens discovered that combining SVG text on a path with the setting of CSS properties could lead to a potentially exploitable crash. See SVG text on path + setting a style crashes Firefox and CVE-2012-5836.

Penultimately, Atte Kettunen from OUSPG used the Address Sanitizer tool to discover a buffer overflow while rendering GIF format images. This flaw is documented at ASAN: Heap-buffer-overflow at image::RasterImage::DrawFrameTo and CVE-2012-4202.

Finally, Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Gary Kwong, Jesse Ruderman, Christian Holler, Bob Clary, Kyle Huey, Ed Morley, Chris Lord, Boris Zbarsky, Julian Seward, and Bill McCloskey reported memory safety problems and crashes that affect Firefox 16: Memory safety bugs fixed in Firefox 17 and CVE-2012-5843. While Jesse Ruderman, Andrew McCreight, Bob Clary, and Kyle Huey reported memory safety problems and crashes that affect Firefox ESR 10 and Firefox 16: Memory safety bugs fixed in Firefox ESR 10.0.11 and Firefox 17 and CVE-2012-5842.

 

Share and Enjoy:
  • Print
  • Digg
  • StumbleUpon
  • del.icio.us
  • Facebook
  • Yahoo! Buzz
  • Twitter
  • Google Bookmarks