__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability
__________________________________________________________

                     INFORMATION BULLETIN

          Multiple Security Vulnerabilities in Mozilla
                   [Sun Alert ID: 101952]

October 17, 2005 18:00 GMT                                Number Q-020
                                                [REVISED 01 June 2006]
                                                [REVISED 09 June 2006]
______________________________________________________________________________

PROBLEM:       There is a buffer overflow in certain versions of Mozilla.

PLATFORM:      Mozilla 1.4 downloaded from the Sun Download Center (SDC)
               (for Solaris 8 and Solaris 9)
               Solaris 10 without patch 119115-10
               Solaris 10 without patch 119116-10
               Sun Java Desktop System (JDS) Release 2 without patch 118492-04
               Mozilla 1.7 bundled with Solaris 10

DAMAGE:        May allow a remote unprivileged user the ability to execute
               arbitrary code with the privileges of a local user when that
               local user has loaded an X Bitmap (XBM) format image file
               supplied by an untrusted user or website.

SOLUTION:      Upgrade to the appropriate version.
______________________________________________________________________________

VULNERABILITY  The risk is MEDIUM. May allow a remote unprivileged user the
ASSESSMENT:    ability to execute arbitrary code with the privileges of a
               local user when that local user has loaded an X Bitmap (XBM)
               format image file supplied by an untrusted user or website.
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/q-020.shtml
 ORIGINAL BULLETIN:  Sun Alert ID: 101952
                     http://www.sunsolve.sun.com/search/document.do?assetkey=1-26-101952-1&searchclause=%22category:security%22%20%22availability,%20security%22%20category:security
______________________________________________________________________________

REVISION HISTORY:
 06/01/2006 - revised to reflect the changes Sun has made to Sun Alert ID:
              101952, where they changed the State to Resolved and updated
              the Contributing Factors and Resolution sections.
 06/09/2006 - revised to reflect the changes Sun has made to Sun Alert ID:
              101952, where they updated the Product field.

[***** Start Sun Alert ID: 101952 *****]

Sun(sm) Alert Notification

 Sun Alert ID:    101952
 Synopsis:        Multiple Security Vulnerabilities in Mozilla
 Category:        Security
 Product:         Solaris 9 Operating System, Solaris 10 Operating System,
                  Solaris 8 Operating System
 BugIDs:          6281360, 6282170, 6282190, 6284465
 Avoidance:       Patch, Workaround
 State:           Resolved
 Date Released:   14-Oct-2005, 31-May-2006
 Date Closed:     31-May-2006
 Date Modified:   17-Oct-2005, 31-May-2006

1. Impact

Multiple security vulnerabilities in certain versions of Mozilla (listed
below) may result in one or more of the following issues:

 1. A buffer overflow exists that may allow a remote unprivileged user the
    ability to execute arbitrary code with the privileges of a local user
    when that local user has loaded an X Bitmap (XBM) format image file
    supplied by an untrusted user or website. [Sun CR 6281360]

    This issue is described in the following documents:

      http://www.niscc.gov.uk/niscc/docs/al-20050614-00488.html?lang=en
      https://bugzilla.mozilla.org/show_bug.cgi?id=295457
      https://bugzilla.mozilla.org/show_bug.cgi?id=2245631

 2. A security vulnerability may allow a malicious website to crash the
    Mozilla browser when the user drags an image across multiple windows.
    [Sun CR 6282190]

    This issue is described in the following document:

      https://bugzilla.mozilla.org/show_bug.cgi?id=288006

 3. A security vulnerability may allow a malicious website to inject content
    into a frame. This is known as the "frame injection vulnerability".
    [Sun CR 6282170]

    This issue is described in the following documents:

      https://bugzilla.mozilla.org/show_bug.cgi?id=296850
      http://www.mozilla.org/security/announce/mfsa2005-51.html

 4. A security vulnerability may allow a malicious website to hang the
    Mozilla web browser, creating a Denial of Service (DoS), by providing a
    table with large rowspans or colspans. [Sun CR 6284465]

    This issue is described in the following document:

      https://bugzilla.mozilla.org/show_bug.cgi?id=141818

2. Contributing Factors

These issues can occur in the following releases:

SPARC Platform
 * Mozilla 1.4 downloaded from the Sun Download Center (SDC)
   (for Solaris 8 and Solaris 9)
 * Solaris 10 without patch 119115-10

x86 Platform
 * Mozilla 1.4 downloaded from the Sun Download Center (SDC)
   (for Solaris 8 and Solaris 9)
 * Solaris 10 without patch 119116-10

Linux
 * Sun Java Desktop System (JDS) Release 2

Note: Solaris 7 is not affected by these issues.

The described issues only occur with the following Mozilla versions:

 * Mozilla 1.4 downloaded from the Sun Download Center (SDC)
 * Mozilla 1.7

Note: Mozilla 1.4 downloaded from the Sun Download Center (SDC) is affected
by issues numbered 1, 2, and 4 (Sun CRs 6281360, 6282190, and 6284465) above.
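As an added example (not part of the CIAC bulletin or of Sun Alert 101952), the following POSIX shell check applies the Solaris 10 contributing factors above to captured `showrev -p` output: a host is treated as affected unless patch 119115-10 (SPARC) or 119116-10 (x86), or a later revision of it, is installed. The showrev lines embedded below are constructed sample input, and reading the platform from `uname -p` is an assumption about how the check would be wired up on a live host.

```shell
#!/bin/sh
# Added example, not part of the CIAC bulletin or Sun Alert 101952.
# A Solaris 10 host is affected unless patch 119115-10 (SPARC) or
# 119116-10 (x86), or a later revision, is installed. Patch inventory
# is passed in as `showrev -p` text so captured output can be checked offline.

# Required patch for a Solaris 10 platform as reported by `uname -p`.
required_patch_for() {
    case "$1" in
        sparc) echo "119115-10" ;;
        i386)  echo "119116-10" ;;
        *)     return 1 ;;          # not a Solaris 10 platform this alert covers
    esac
}

# Highest installed revision of patch base id $1 (e.g. 119115) found in
# the showrev -p text $2; prints nothing if the patch is absent.
installed_revision() {
    printf '%s\n' "$2" | awk -v base="$1" '
        $1 == "Patch:" { split($2, p, "-")
                         if (p[1] == base && (p[2] + 0) > max) max = p[2] + 0 }
        END { if (max > 0) print max }'
}

# Exit status 0 = affected (required revision missing), 1 = patched.
# $1 = platform (sparc|i386), $2 = showrev -p output.
solaris10_affected() {
    req=$(required_patch_for "$1") || return 0
    base=${req%-*}
    needrev=${req#*-}
    have=$(installed_revision "$base" "$2")
    [ -n "$have" ] && [ "$have" -ge "$needrev" ] && return 1
    return 0
}

# Constructed sample showrev -p output (not real system output): the first
# host has only revision 09 of 119115, the second also has revision 12.
SAMPLE_SHOWREV_OLD='Patch: 119115-09 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWmozilla
Patch: 100001-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWexample'
SAMPLE_SHOWREV_NEW='Patch: 119115-09 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWmozilla
Patch: 119115-12 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWmozilla'

# On a live host use: solaris10_affected "$(uname -p)" "$(showrev -p)"
if solaris10_affected sparc "$SAMPLE_SHOWREV_OLD"; then
    echo "affected: 119115-10 or later is not installed"
else
    echo "patched"
fi
```

The JDS Release 2 (Linux) case is not covered here because its patch level is not reported by `showrev`; use the `rpm -qf` check given below for that platform.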
To determine the version of Mozilla installed on a system, the following
command can be used:

    % /usr/sfw/bin/mozilla -version
    Mozilla 1.7, (Sun Java Desktop System), build 2005082415

To determine the release of JDS for Linux installed on a system, the
following command can be used:

    % cat /etc/sun-release
    Sun Java Desktop System, Release 2 -build 10b (GA)
    Assembled 30 March 2004

To determine the version of Mozilla for Linux, run the following command on
JDS:

    % rpm -qf /usr/bin/mozilla
    mozilla-1.4.1-226

3. Symptoms

There are no predictable symptoms that would indicate the described
arbitrary code execution issue (item #1 above) or the frame injection
vulnerability (item #3 above) have been exploited.

Solution Summary

4. Relief/Workaround

To reduce the chances of some of the above issues occurring, turn off
"image display" by doing the following:

 1. Select "Preferences" under the browser's "Edit" menu
 2. In the "Preferences" window, select the "Privacy and Security" category
 3. Click on "Images"
 4. From the Images window, select "Do not load any images"
 5. Click "ok"

5. Resolution

This issue is addressed in the following releases:

SPARC Platform
 * Mozilla 1.7 SDC (for Solaris 8 and Solaris 9)
 * Solaris 10 with patch 119115-10 or later

x86 Platform
 * Mozilla 1.7 SDC (for Solaris 8 and Solaris 9)
 * Solaris 10 with patch 119116-10 or later

Mozilla 1.7 for Solaris 8 and Solaris 9 is available for download at:

    http://www.sun.com/software/solaris/browser/getmozilla17.xml

Change History

 17-Oct-2005:
  * Updated Impact Section

 31-May-2006:
  * State: Resolved
  * Updated Contributing Factors and Resolution sections

This Sun Alert notification is being provided to you on an "AS IS" basis.
This Sun Alert notification may contain information provided by third
parties. The issues described in this Sun Alert notification may or may not
impact your system(s). Sun makes no representations, warranties, or
guarantees as to the information contained herein.
ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU
ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR
FAILURE TO USE THE INFORMATION CONTAINED HEREIN.

This Sun Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of your
agreement to purchase services from Sun, or, if you do not have such an
agreement, the Sun.com Terms of Use. This Sun Alert notification may only be
used for the purposes contemplated by these agreements.

Copyright 2000-2005 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
CA 95054 U.S.A. All rights reserved.

[***** End Sun Alert ID: 101952 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Sun Microsystems for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH.
CIAC can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California, and
shall not be used for advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

Q-010: Vulnerability in the Microsoft Collaboration Data Objects
Q-011: Vulnerability in DirectShow Could Allow Remote Code Execution
Q-012: Cumulative Security Update for Internet Explorer
Q-013: Vulnerabilities in Windows Shell Could Allow Remote Code Execution
Q-014: Client Service for NetWare Could Allow Remote Code Execution
Q-015: Vulnerability in Plug and Play
Q-016: Ruby
Q-017: Sun Java System Application Server May Disclose Source Code of Java
       Server Pages
Q-018: VERITAS NetBackup Java User Interface Format String Vulnerability
Q-019: Lynx Security Update