__________________________________________________________

                The U.S. Department of Energy
            Computer Incident Advisory Capability
__________________________________________________________

                      INFORMATION BULLETIN

              Sun - Multiple Mozilla Vulnerabilities
                     [Sun Alert ID: 57701]

December 17, 2004 00:00 GMT                               Number P-069
[REVISED 14 Jan 2005]
[REVISED 27 Jan 2005]
[REVISED 15 Aug 2005]
[REVISED 17 Aug 2005]
[REVISED 13 Sep 2005]
______________________________________________________________________________

PROBLEM:       Sun has released a T-patch for 17 security issues in
               Mozilla, such as:
               - buffer overflows
               - integer overflows
               - heap overflows
               - frame injections
               - redirect sequences
               - caching flaws
               - spoofing
               - access to sensitive information
               - execution of arbitrary code

PLATFORM:      SPARC Platform
               - Solaris 8
               - Solaris 9
               x86 Platform
               - Solaris 8
               - Solaris 9
               Linux
               - Sun Java Desktop System (JDS) 2003
               - Sun Java Desktop System (JDS) Release 2 without the
                 updated RPMs (patch-118492-02)
               Note: Solaris 7 is not affected by these issues.
               The described issues only occur with the following
               Mozilla versions:
               - mozilla-1.4.1-221 or earlier
               - mozilla-mail-1.4.1-223 or earlier
               Red Hat Enterprise Linux AS, ES, WS (v. 2.1)
               Red Hat Linux Advanced Workstation 2.1 for the Itanium
               Processor
               Debian GNU/Linux 3.1 (sarge)

DAMAGE:        Buffer overflows, arbitrary code execution, spoofing of
               trusted web site certificates, and various other issues.

SOLUTION:      Apply the T-patch for Solaris 9, or the patch for the Sun
               Java Desktop System (JDS) Release 2. Sun's final
               resolution is pending completion.
______________________________________________________________________________

VULNERABILITY  The risk is MEDIUM. This rating is based on the security
ASSESSMENT:    issue of most concern: buffer overflows that could allow
               execution of arbitrary code as the user running the
               browser. There are several more issues that are fixed in
               the patch releases.
               Details can be found in Sun Alert #57701.
______________________________________________________________________________

LINKS:         CIAC BULLETIN:
               http://www.ciac.org/ciac/bulletins/p-069.shtml
               ORIGINAL BULLETIN:
               http://sunsolve.sun.com/search/document.do?assetkey=1-26-57701-1&searchclause=security
               ADDITIONAL LINKS:
               Also see CIAC BULLETINS O-195, O-222, and P-001.
               Red Hat RHSA-2005:004-12
               https://rhn.redhat.com/errata/RHSA-2005-004.html
               Debian Security Advisory
               http://www.debian.org/security/2005/dsa-775
               Debian Security Advisory DSA-810
               http://www.debian.org/security/2005/dsa-810

CVE/CAN:       http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
               CAN-2004-0687 CAN-2004-0718 CAN-2004-0722 CAN-2004-0757
               CAN-2004-0758 CAN-2004-0760 CAN-2004-0761 CAN-2004-0762
               CAN-2004-0763 CAN-2004-0764 CAN-2004-0765
______________________________________________________________________________

REVISION HISTORY:
  01/14/2005 - added a link to Red Hat RHSA-2005:004-12 for Red Hat
               Enterprise Linux AS, ES, WS (v. 2.1) and Red Hat Linux
               Advanced Workstation 2.1 for the Itanium Processor.
  01/27/2005 - revised to reflect changes Sun has made to Sun Alert ID:
               57701 in the State section and the Contributing Factors
               and Resolution sections of their bulletin.
  08/15/2005 - added link to Debian Security Advisory DSA-775 that
               provides updated packages for Debian GNU/Linux 3.1 (sarge).
  08/17/2005 - added link to Debian Security Advisory DSA-777 that
               provides updated packages for Debian GNU/Linux 3.1 (sarge).
  09/13/2005 - added link to Debian Security Advisory DSA-810 that
               provides updated packages for Debian GNU/Linux 3.1 (sarge).
[***** Start Sun Alert ID: 57701 *****]

Document Audience: PUBLIC
Document ID:       57701
Title:             Document ID 57701
Synopsis:          Multiple Security Vulnerabilities in Mozilla
Update Date:       2005-01-26
-----------------------------------------------------------------------------

Description

Sun(sm) Alert Notification
  Sun Alert ID:  57701
  Synopsis:      Multiple Security Vulnerabilities in Mozilla
  Category:      Security
  Product:       Solaris, Java Desktop System (JDS)
  BugIDs:        5090528, 5090529, 5090530, 5090583, 5091014, 5091109,
                 5091115, 5091116, 5091120, 5091123, 5091146, 5108583,
                 5108586, 5108587, 5108590, 5108591, 5108588
  Avoidance:     Patch
  State:         Resolved.
  Date Released: 14-Dec-2004, 23-Dec-2004
  Date Closed:   14-Jan-2005
  Date Modified: 23-Dec-2004, 14-Jan-2005

1. Impact

Multiple security vulnerabilities in Mozilla may result in one or more of
the following issues:

  1. A buffer overflow exists that may allow a remote unprivileged user
     the ability to execute arbitrary code with the privileges of a local
     user when that local user has loaded a Portable Network Graphics
     (PNG) format image file supplied by an untrusted remote user.
     This issue is described in the following document:
     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0687

  2. An integer overflow and a heap corruption exist in JavaScript that
     may allow an unprivileged user the ability to execute arbitrary code
     with the privileges of a local user running Mozilla.
     This issue is described in the following document:
     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0722

  3. A heap overflow exists that could allow a malicious POP3 server to
     send a carefully crafted response that may allow a remote
     unprivileged user the ability to execute arbitrary code with the
     privileges of a local user running Mozilla.
     This issue is described in the following document:
     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0757

  4. Additional heap overflows and double frees exist that could allow a
     malicious POP3 server to send a carefully crafted response that may
     cause a Denial of Service (DOS) for the client or may allow a remote
     unprivileged user the ability to execute arbitrary code with the
     privileges of the local user running Mozilla.
     This issue is described in the following document:
     https://bugzilla.mozilla.org/show_bug.cgi?id=245066

  5. It may be possible to import an invalid CA certificate with a Domain
     Name the same as that of the built-in CA root certificates. This
     could cause a denial of service (DOS) to SSL pages.
     This issue is described in the following document:
     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0758

  6. By using a NULL character (%00) in an FTP URL, Mozilla can be
     confused into opening a resource as a different MIME type. This may
     allow an unprivileged user to gain the privileges of a local user
     running Mozilla.
     This issue is described in the following document:
     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0760

  7. Mozilla may allow a malicious website to inject content into a
     frame. This flaw is also known as the "frame injection"
     vulnerability.
     This issue is described in the following document:
     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0718

  8. Mozilla may allow a malicious webpage to use a redirect sequence to
     spoof the security lock icon, thus causing the webpage to appear to
     be encrypted.
     This issue is described in the following document:
     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0761

  9. Mozilla may allow malicious websites to install arbitrary extensions
     by using interactive events to manipulate the "XP Install Security"
     dialog box.
     This issue is described in the following document:
     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0762

 10. Mozilla contains a caching flaw which may allow malicious websites
     to spoof certificates of trusted websites via redirects and
     JavaScript that uses the "onunload" method.
     This issue is described in the following document:
     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0763

 11. Mozilla contains a flaw that allows malicious websites to hijack the
     user interface via the "chrome" flag and XML User Interface Language
     (XUL) files.
     This issue is described in the following document:
     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0764

 12. Mozilla may allow a malicious website to spoof Mozilla into thinking
     it was accessing a trusted host. This is due to a flaw in
     certificate verification whereby the hostname checked is not the
     fully qualified domain name (FQDN).
     This issue is described in the following document:
     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0765

 13. Mozilla contains a flaw that could allow malicious JavaScript to
     obtain or modify sensitive information from secure sites by dragging
     links onto other frames or pages.
     This issue is described in the following document:
     https://bugzilla.mozilla.org/show_bug.cgi?id=250862

 14. An integer overflow exists that may allow a remote unprivileged user
     to execute arbitrary code with the privileges of a local user when
     that local user has loaded an extremely wide Bitmap (.bmp) format
     image file supplied by an untrusted user.
     This issue is described in the following document:
     https://bugzilla.mozilla.org/show_bug.cgi?id=255067

 15. Mozilla contains a flaw that could allow malicious JavaScript code to
     read and write sensitive data that the user might have copied into
     the clipboard.
     This issue is described in the following document:
     https://bugzilla.mozilla.org/show_bug.cgi?id=257523

 16. A heap overflow exists in the "send page" function that may allow a
     remote unprivileged user the ability to execute arbitrary code with
     the privileges of a local user when that user attempts to forward
     content to others.
     This issue is described in the following document:
     https://bugzilla.mozilla.org/show_bug.cgi?id=258005

 17. A buffer overflow exists when displaying VCards that may allow a
     remote unprivileged user the ability to execute arbitrary code with
     the privileges of a local user.
     This issue is described in the following document:
     https://bugzilla.mozilla.org/show_bug.cgi?id=257314

2. Contributing Factors

These issues can occur on the following platforms:

SPARC Platform
  Solaris 8 without patch 117765-02
  Solaris 9 without patch 117767-02

x86 Platform
  Solaris 8 without patch 117766-02
  Solaris 9 without patch 117768-02

Linux
  Sun Java Desktop System (JDS) 2003 without patch 118937-01
  Sun Java Desktop System (JDS) Release 2 without the updated RPMs
  (patch-118492-02)

Note: Solaris 7 is not affected by these issues.

The described issues only occur with the following Mozilla versions:
  mozilla-1.4.1-221 or earlier
  mozilla-mail-1.4.1-223 or earlier

To determine the version of Mozilla installed on a system, the following
command can be used:

  % /usr/sfw/bin/mozilla -version
  Mozilla 1.4, (Sun Java Desktop System; Solaris), build 2004041404

To determine the release of JDS for Linux installed on a system, the
following command can be used:

  % cat /etc/sun-release
  Sun Java Desktop System, Release 2 -build 10b (GA)
  Assembled 30 March 2004

To determine the version of Mozilla for Linux, run the following command
on JDS:

  % rpm -qf /usr/bin/mozilla /usr/lib/mozilla-1.4/components/libmsgnews.so
  mozilla-1.4.1-221
  mozilla-mail-1.4.1-223

3. Symptoms

There are no predictable symptoms that would indicate the described
issues have been exploited.

Solution Summary

4. Relief/Workaround

There is no workaround. Please see the "Resolution" section below.
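The exposure criteria above, turned into a script for fleet checks (an added example, not Sun's or CIAC's code): it judges the JDS RPM strings printed by rpm -qf against the affected mozilla-1.4.1-221 / mozilla-mail-1.4.1-223 releases, and checks showrev -p output on Solaris for the fix patches at revision 02 or later. The "Patch: NNNNNN-RR ..." line format of showrev -p and all sample command output are assumptions constructed here.

```shell
#!/bin/sh
# Added example, not part of the CIAC/Sun bulletin. Checks a host against
# the bulletin's own exposure criteria: on JDS Linux the Mozilla RPMs are
# mozilla-1.4.1-221 / mozilla-mail-1.4.1-223 or earlier; on Solaris the fix
# is patch 117765/117766/117767/117768 at rev 02 or later as listed by
# `showrev -p` ("Patch: 117767-02 ..." lines; that format is assumed here).

# Print -1, 0 or 1 comparing two version strings field by field on '.'/'-'.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[.-]/); nb = split(b, y, /[.-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0; q = (i <= nb) ? y[i] + 0 : 0
            if (p < q) { print "-1"; exit }
            if (p > q) { print "1"; exit }
        }
        print "0"
    }'
}

# Exit 0 when an RPM "name-version-release" string is an affected release.
mozilla_rpm_affected() {
    case "$1" in
        mozilla-mail-*) ver=${1#mozilla-mail-}; last_bad="1.4.1-223" ;;
        mozilla-*)      ver=${1#mozilla-};      last_bad="1.4.1-221" ;;
        *) return 2 ;;   # not a package this check knows about
    esac
    [ "$(vercmp "$ver" "$last_bad")" -le 0 ]
}

# Exit 0 when `showrev -p` output ($1) lists patch id $2 at rev >= $3.
solaris_patch_present() {
    printf '%s\n' "$1" | awk -v id="$2" -v rev="$3" '
        $1 == "Patch:" && split($2, f, "-") == 2 && f[1] == id &&
            f[2] + 0 >= rev + 0 { found = 1 }
        END { exit !found }'
}

# Constructed sample data standing in for real `rpm -qf` / `showrev -p` output.
SAMPLE_RPM="mozilla-1.4.1-221
mozilla-mail-1.4.1-223"
SAMPLE_SHOWREV="Patch: 117767-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWmozilla
Patch: 113096-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr"
for pkg in $SAMPLE_RPM; do
    if mozilla_rpm_affected "$pkg"; then echo "$pkg: AFFECTED"; else echo "$pkg: ok"; fi
done
if solaris_patch_present "$SAMPLE_SHOWREV" 117767 02; then echo "117767-02: installed"
else echo "117767-02: missing, Solaris 9 SPARC still exposed"; fi
```

On a real host, replace the sample strings with the output of the rpm -qf command shown above or of showrev -p, and choose the patch id for the platform from the Contributing Factors list.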
5. Resolution

These issues are addressed in the following releases:

SPARC Platform
  * Solaris 8 with patch 117765-02 or later
  * Solaris 9 with patch 117767-02 or later

x86 Platform
  * Solaris 8 with patch 117766-02 or later
  * Solaris 9 with patch 117768-02 or later

Linux
  * Sun Java Desktop System (JDS) 2003 with patch 118937-01 or later
  * Sun Java Desktop System (JDS) Release 2 with the updated RPMs
    (patch-118492-02)

To download and install the updated RPMs from the update servers, select
the following from the launch bar:

  Launch >> Applications >> System Tools >> Online Update

For more information on obtaining updates see:
  http://wwws.sun.com/software/javadesktopsystem/faq.html#5q5
  http://wwws.sun.com/software/javadesktopsystem/faq.html#5q7

A final resolution is pending completion for Sun Java Desktop System
(JDS) 2003.

Change History

23-Dec-2004:
  * Updated Contributing Factors and Resolution sections

14-Jan-2005:
  * State: Resolved
  * Updated Contributing Factors and Resolution sections

This Sun Alert notification is being provided to you on an "AS IS" basis.
This Sun Alert notification may contain information provided by third
parties. The issues described in this Sun Alert notification may or may
not impact your system(s). Sun makes no representations, warranties, or
guarantees as to the information contained herein. ANY AND ALL WARRANTIES,
EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT,
ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN
SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE,
OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE
INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun
proprietary and confidential information.
It is being provided to you pursuant to the provisions of your agreement
to purchase services from Sun, or, if you do not have such an agreement,
the Sun.com Terms of Use. This Sun Alert notification may only be used for
the purposes contemplated by these agreements.

Copyright 2000-2004 Sun Microsystems, Inc., 4150 Network Circle, Santa
Clara, CA 95054 U.S.A. All rights reserved.

[***** End Sun Alert ID: 57701 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Sun Microsystems for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health
(NIH). CIAC is located at the Lawrence Livermore National Laboratory in
Livermore, California. CIAC is also a founding member of FIRST, the Forum
of Incident Response and Security Teams, a global organization established
to foster cooperation and coordination among computer security teams
worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:  http://www.ciac.org/
   Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide organization.
A list of FIRST member organizations and their constituencies can be
obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not
infringe privately owned rights. Reference herein to any specific
commercial products, process, or service by trade name, trademark,
manufacturer, or otherwise, does not necessarily constitute or imply its
endorsement, recommendation or favoring by the United States Government or
the University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

P-059: Sendmail(1) Security Vulnerability
P-060: Cisco Unity with Exchange Default Passwords Vulnerability
P-061: Ethereal Multiple Vulnerabilities
P-062: Updated ncompress Package Fix Security Issue and Bug
P-063: Adobe Reader Security Vulnerabilities
P-064: Adobe Reader 5.0.9 for UNIX "mailListIsPdf" function Vulnerability
P-065: Cisco Default Administrative Password in Cisco Guard and Traffic
       Anomaly Detector
P-066: Veritas Backup Exec Buffer Overflow Vulnerability
P-067: PHP Multiple Vulnerabilities
P-068: Sun Webmail Vulnerability