November 25, 2014

Mozilla fixes 5 critical security vulnerabilities in Firefox

(LiveHacking.Com) – Mozilla has released Firefox 14 and in doing so it has patched five critical security vulnerabilities and added support for HTTPS when searching Google.

The first critical bug fixed was a problem with javascript: URLs. Firefox’s JavaScript engine allows add-ons to execute scripts in a sandbox. In some cases, javascript: URLs are executed without sufficient context, which can allow those scripts to escape from the sandbox and execute arbitrary code.

The second critical vulnerability was with the JSDependentString::undepend function. The string conversion results in memory corruption where data is freed, leaving other dependent strings with dangling pointers. This can lead to a potentially exploitable crash.

Mozilla developer Bobby Holley found the third vulnerability. He discovered that the same-compartment security wrappers (SCSW) can be bypassed by passing them to another compartment. An exploit of the vulnerability would mean that untrusted content would have access to the XBL that implements browser functionality.

The fourth critical vulnerability comprises four memory corruption issues: two use-after-free problems, one out-of-bounds read bug, and a bad cast. All four of these issues are potentially exploitable. There are no known exploits at the moment, but it is presumed that with enough effort at least one of these could be exploited to run arbitrary code.

The fifth and final critical patch is again for memory corruption issues. Mozilla developers identified and fixed several memory safety bugs that showed evidence of memory corruption under certain circumstances. It is presumed that, with effort, these could allow remote attackers to cause a denial of service or possibly execute arbitrary code.

Alongside these Critical fixes, Mozilla also fixed several other security vulnerabilities:

On the new features front, Firefox 14 now automatically encrypts (via HTTPS) all searches passed to Google’s search engine. The connection between the browser and Google’s search site is now secure by default, so the data sent to the search engine cannot be monitored in transit, which matters especially when using public or shared WiFi networks.

Mozilla also released new versions of Thunderbird and SeaMonkey. Users should review the advisories for Firefox ESR 10.0.6, Thunderbird 14, Thunderbird ESR 10.0.6, and SeaMonkey 2.11 and apply any updates.

Mozilla 13 Fixes Critical Security Vulnerabilities and Improves New Tab Page

(LiveHacking.Com) – The Mozilla Foundation has released Mozilla 13 with some new features including redesigned Home and New Tab pages, SPDY enabled by default and a series of performance improvements. The new release also fixes some Critical security vulnerabilities, including two issues with the Mozilla updater and the Mozilla updater service which were introduced in Firefox 12 for the Windows versions of the browser.

According to Mozilla Foundation Security Advisory 2012-35, security researcher James Forshaw of Context Information Security discovered that Mozilla’s updater is able to load a local DLL file in a privileged context. He also discovered that the updater service is able to load an arbitrary local DLL file, which can then be run with the same system privileges used by the service. To exploit these vulnerabilities an attacker would need local file system access.

The other critical fixes were all memory related:

  • MFSA 2012-40 – Security researcher Abhishek Arya of Google used the Address Sanitizer tool to uncover two heap buffer overflow bugs and a use-after-free problem. Affected components include Mozilla’s Unicode conversion functions, the nsFrameList and the nsHTMLReflowState. All three of these issues are potentially exploitable.
  • MFSA 2012-38 – Security researcher Arthur Gerkis used the Address Sanitizer tool to find a use-after-free while replacing/inserting a node in a document. This use-after-free could possibly allow for remote code execution.
  • MFSA 2012-34 – Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and Mozilla presumes that with enough effort at least some of these could be turned into a full exploit that allows arbitrary code execution.

SPDY

Along with the various UI changes, Firefox now supports SPDY by default to make browsing more secure. SPDY, which is designed as a successor to HTTP, reduces the amount of time it takes for web pages to load. The result is that when using services like Google and Twitter, users should notice faster page load times.

Mozilla Fixes Critical Security Vulnerabilities and Adds Silent Updating to Firefox

(LiveHacking.Com) – The Mozilla Foundation has released a new version of its popular web browser. Firefox 12 brings some new features including silent updates and fixes several critical security vulnerabilities. The biggest change for Windows Vista and Windows 7 users is the addition of silent updates, which means that the UAC (User Account Control) pop-up won’t appear when Firefox upgrades from one release to another. To bypass the UAC, which first appeared in Windows Vista, Mozilla has added a standalone update service to apply the updates in the background. During the installation of Firefox 12 the user will be asked to give their explicit permission to install the update service, but they will not be prompted again for any subsequent releases.

Google’s Chrome also offers silent updates, but rather than use a special Windows service, Chrome is installed in the user’s folder within Windows, which doesn’t require UAC permission. The downside to Google’s approach is that Chrome needs to be installed independently for every user on a PC, which can be an administrative headache for those who have multiple user accounts, for example on a shared family PC.

The functionality to relaunch and complete the update entirely in the background is scheduled for Firefox 13 or Firefox 14 this summer.

Mozilla 12 also fixes 7 Critical level security vulnerabilities, one of which only applies to Firefox Mobile.

  • MFSA 2012-31 Off-by-one error in OpenType Sanitizer
  • MFSA 2012-30 Crash with WebGL content using textImage2D
  • MFSA 2012-25 Potential memory corruption during font rendering using cairo-dwrite
  • MFSA 2012-23 Invalid frees causes heap corruption in gfxImageSurface
  • MFSA 2012-22 use-after-free in IDBKeyRange
  • MFSA 2012-21 Multiple security flaws fixed in FreeType v2.4.9 (Firefox Mobile only)
  • MFSA 2012-20 Miscellaneous memory safety hazards (rv:12.0/ rv:10.0.4)

Along with these seven Critical bugs, Mozilla also fixed four High level security vulnerabilities and three Moderate ones. In total three cross-site scripting (XSS) vulnerabilities were fixed, one of which only applied to Windows Vista and Windows 7 with hardware acceleration disabled.

The FreeType vulnerabilities in Firefox Mobile were discovered by the Google Security Team using the Address Sanitizer tool. Some of the bugs cause memory corruption and exploitable crashes with certain fonts and font parsing. Firefox Mobile has been upgraded to FreeType version 2.4.9, which addresses these issues. Desktop Firefox does not use FreeType for fonts and was not affected.

More details about the changes can be found in the release notes. Firefox 12 is available for Windows, Mac OS X and Linux from the Firefox home page.

Mozilla Releases Another New Version of Firefox to Fix Yet Another Critical Vulnerability

(LiveHacking.Com) – Less than 7 days after the release of Firefox 10.0.1, Mozilla has now released a new version of Firefox (10.0.2) and Thunderbird (also 10.0.2) to fix a Critical libpng integer overflow vulnerability. The bug, which affects Firefox, Thunderbird and SeaMonkey, is an integer overflow in the libpng library that can lead to a heap-buffer overflow when decompressing certain PNG images. This leads to a crash, which may be potentially exploitable.

The presence of the bug first came to light when Google released Chrome 17.0.963.56 to fix the integer overflow in libpng where it was noted that the bug allows remote attackers to cause a denial of service. According to the Chromium source code the fix includes a check for both truncation (64-bit platforms) and integer overflow.
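The class of bug described above, an image size computed in fixed-width integers that wraps (or is truncated when stored in a narrower field) so that a too-small heap buffer is allocated and then overrun, is worth seeing next to the kind of check the fix adds. The following is an added illustration written for this page; it is not libpng's or Chromium's code and does not reproduce their structures. It assumes a decoder that derives the pixel buffer size from width, height and bytes per pixel and stores the result in a 32-bit length field, and shows the unchecked computation beside a version that rejects both integer overflow and truncation.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

/* Unchecked pattern (for contrast only): unsigned 32-bit arithmetic wraps
 * modulo 2^32, so a large image can yield a tiny or zero byte count. A caller
 * that allocates this many bytes and then writes the real image overruns
 * the heap buffer. */
uint32_t naive_image_size(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;
}

/* Checked version: returns 1 and stores the size in *out only when
 * width*bpp*height fits in size_t (no overflow at either multiplication)
 * AND fits in a 32-bit field (no truncation on 64-bit platforms, where
 * size_t is wider than the hypothetical 32-bit length member it is copied
 * into). Returns 0 otherwise, so the caller can refuse the image. */
int safe_image_size(uint32_t width, uint32_t height, uint32_t bpp, size_t *out)
{
    if (out == NULL || width == 0 || height == 0 || bpp == 0)
        return 0;
    /* Division-based guard: a*b overflows iff b > MAX / a. */
    if ((size_t)bpp > SIZE_MAX / width)
        return 0;
    size_t row_bytes = (size_t)width * bpp;
    if ((size_t)height > SIZE_MAX / row_bytes)
        return 0;
    size_t total = row_bytes * height;
    /* Truncation guard for the assumed 32-bit length field. */
    if (total > (size_t)UINT32_MAX)
        return 0;
    *out = total;
    return 1;
}

/* Convenience wrapper so a result can be inspected with one call:
 * returns the checked size, or 0 when the dimensions are rejected. */
size_t image_size_or_zero(uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t n;
    return safe_image_size(width, height, bpp, &n) ? n : 0;
}

/* Allocate the pixel buffer only after the size has been validated. */
unsigned char *alloc_pixels(uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t n;
    if (!safe_image_size(width, height, bpp, &n))
        return NULL;
    return malloc(n);
}

int main(void)
{
    /* Constructed sample dimensions: a normal image and a hostile one. */
    uint32_t ok_w = 640, ok_h = 480, hostile_w = 0x10000, hostile_h = 0x10000;
    printf("naive 640x480x4   = %u\n", naive_image_size(ok_w, ok_h, 4));
    printf("naive 65536x65536 = %u (wrapped)\n", naive_image_size(hostile_w, hostile_h, 1));
    printf("safe  640x480x4   = %zu\n", image_size_or_zero(ok_w, ok_h, 4));
    printf("safe  65536x65536 = %zu (rejected)\n", image_size_or_zero(hostile_w, hostile_h, 1));
    unsigned char *p = alloc_pixels(hostile_w, hostile_h, 1);
    printf("alloc for hostile image: %s\n", p ? "allocated" : "refused");
    free(p);
    return 0;
}
```

The 65536 x 65536 x 1 case is the instructive one: the product is exactly 2^32, which the unchecked computation reports as 0 bytes, while the checked version rejects it because the value does not fit the 32-bit field. On a platform with a 32-bit size_t the same input is caught one step earlier by the overflow guard, so the check holds on both word sizes.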

Also fixed in 10.0.2 is a bug where Java applets sometimes caused text input to become unresponsive (bug 718939).

Mozilla Fixes Critical Vulnerability in Firefox and Thunderbird

(LiveHacking.Com) – Mozilla has released new versions of Firefox and Thunderbird to fix a “use after free” crash which is potentially exploitable. According to the security advisory, Mozilla developers Andrew McCreight and Olli Pettay found that the ReadPrototypeBindings code leaves an XBL binding in a hash table even when the function fails. If this occurs, a crash will follow when the cycle collector reads this hash table and attempts to call a virtual method on this binding. This crash may be potentially exploitable.

The Mozilla Foundation said Firefox 9 and earlier browser versions are not affected by this vulnerability.

Mozilla Releases Firefox 10 and Firefox 3.6.26 to Address Multiple Vulnerabilities

(LiveHacking.Com) – The Mozilla Foundation has released Firefox 10 and Firefox 3.6.26 to address multiple security vulnerabilities. These vulnerabilities, if exploited, could allow an attacker to execute arbitrary code, cause a denial-of-service condition, obtain sensitive information, or perform a cross-site scripting attack.

Firefox 10 fixes 8 security issues of which 5 are rated as “Critical”. A “Critical” vulnerability can be exploited to run attacker code and install software, requiring no user interaction beyond normal browsing. These include fixes for a possible memory corruption during the decoding of Ogg Vorbis files that could cause a crash during decoding and has the potential for remote code execution. There are also several memory safety bugs in the browser engine. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code.

The full list of fixes is:

  • MFSA 2012-09 Firefox Recovery Key.html is saved with unsafe permission
  • MFSA 2012-08 Crash with malformed embedded XSLT stylesheets
  • MFSA 2012-07 Potential Memory Corruption When Decoding Ogg Vorbis files
  • MFSA 2012-06 Uninitialized memory appended when encoding icon images may cause information disclosure
  • MFSA 2012-05 Frame scripts calling into untrusted objects bypass security checks
  • MFSA 2012-04 Child nodes from nsDOMAttribute still accessible after removal of nodes
  • MFSA 2012-03 <iframe> element exposed across domains via name attribute
  • MFSA 2012-01 Miscellaneous memory safety hazards (rv:10.0/ rv:1.9.2.26)

New features in Firefox 10 include:

  • The forward button is now hidden until you navigate back
  • Most add-ons are now compatible with new versions of Firefox by default
  • Anti-Aliasing for WebGL is now implemented (see bug 615976)
  • CSS3 3D-Transforms are now supported (see bug 505115)
  • New <bdi> element for bi-directional text isolation, along with supporting CSS properties (see bugs 613149 and 662288)
  • Full Screen APIs allow you to build a web application that runs full screen (see the feature page)

The fixes for 3.6.26 are backports of fixes applied to Firefox 10 including:

  • MFSA 2012-08 Crash with malformed embedded XSLT stylesheets
  • MFSA 2012-07 Potential Memory Corruption When Decoding Ogg Vorbis files
  • MFSA 2012-04 Child nodes from nsDOMAttribute still accessible after removal of nodes
  • MFSA 2012-01 Miscellaneous memory safety hazards (rv:10.0/ rv:1.9.2.26)

The only unique fix to the 3.6 series is MFSA 2012-02 Overly permissive IPv6 literal syntax. This was fixed previously for Firefox 7.0 but only fixed in Firefox 3.6.26 now.

Mozilla Releases Firefox 6, Patches Critical Vulnerabilities

(LiveHacking.Com) – Mozilla has shipped a new version of its Firefox web browser with increased support for HTML5, faster startup times and improved per-site permission management. But most importantly it fixes a number of critical vulnerabilities, some serious enough to expose web surfers to drive-by download attacks.

The Critical and High impact bugs include:

  • Mozilla identified and fixed several memory safety bugs in the browser engine used in Firefox 4, Firefox 5 and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code.
  • Rafael Gieschke reported that unsigned JavaScript could call into script inside a signed JAR thereby inheriting the identity of the site that signed the JAR as well as any permissions that a user had granted the signed JAR.
  • Michael Jordon of Context IS reported that an overly long shader program could cause a buffer overrun and crash in a string class used to store the shader source code.
  • Michael Jordon of Context IS reported a potentially exploitable heap overflow in the ANGLE library used by Mozilla’s WebGL implementation.
  • Security researcher regenrecht reported via TippingPoint’s Zero Day Initiative that a SVG text manipulation routine contained a dangling pointer vulnerability.
  • Mike Cardwell reported that Content Security Policy violation reports failed to strip out proxy authorization credentials from the list of request headers. Daniel Veditz reported that redirecting to a website with Content Security Policy resulted in the incorrect resolution of hosts in the constructed policy.
  • nasalislarvatus3000 reported that when using Windows D2D hardware acceleration, image data from one domain could be inserted into a canvas and read by a different domain.

Mozilla Updates Firefox 3.5, 3.6 and 4.0

Mozilla has released a series of security updates for all currently supported versions of Firefox. Firefox 4.0.1, 3.6.17 and 3.5.19 are now available for Windows, Mac, and Linux. Mozilla recommends that users update to the latest versions but also encourages all users to upgrade to Firefox 4, as this is the last planned security and stability release for Firefox 3.5.

The first fixes are for several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and Mozilla presumes that with enough effort at least some of these could be exploited to run arbitrary code.

A minor security vulnerability was fixed in the XSLT generate-id() function, as it was revealing the valid address of a specific object on the memory heap. In theory this information could have been used in combination with other heap corruption exploits.

There is also a fix for a vulnerability in the Java Embedding Plugin (JEP) shipped with the Mac OS X versions of Firefox 3.5 and 3.6 that if exploited could allow an attacker to obtain elevated access to resources on a user’s system.

Specific to Firefox 4 is an additional fix to its WebGL feature. Two crashes that could potentially be exploited to run malicious code were found in the WebGL feature. Also there is a fix for a vulnerability that could potentially be used to bypass a security feature of recent Windows versions.

Mozilla has also released Thunderbird 3.1.10. The release notes are available here.

Multiple Unspecified Vulnerabilities in Mozilla Firefox, Thunderbird and SeaMonkey

Mozilla Firefox, Thunderbird and SeaMonkey are vulnerable to multiple unspecified security issues. The vulnerabilities occur in the operating system (OS) font code. No further information is available about these issues.

New versions of Firefox, Thunderbird and SeaMonkey are available to address these issues.

These issues are fixed in the following versions:

  • Firefox 3.6.13
  • Firefox 3.5.16
  • Thunderbird 3.0.11
  • Thunderbird 3.1.7
  • SeaMonkey 2.0.11

WebSockets disabled in Firefox 4

Due to a vulnerability in the design of the WebSocket protocol, the Mozilla Foundation has decided to disable support for this protocol in the forthcoming Firefox 4 Beta 8 release. The vulnerability in the code for transparent proxies can potentially be exploited to poison the proxy cache and inject manipulated pages.

Read the full story here.

Source:[TheHSecurity]