             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

          Multiple Security Vulnerabilities in Mozilla 1.4 and 1.7
                           [Sun Alert ID: 102550]

August 23, 2006 18:00 GMT                                         Number Q-294
[REVISED 27 Oct 2006]
[REVISED 08 Dec 2006]
[REVISED 04 Jan 2007]
______________________________________________________________________________

PROBLEM:       There are multiple vulnerabilities present in Mozilla version
               1.4 (Solaris 8 and 9), and Mozilla version 1.7 (Solaris 8, 9,
               10) and under Sun Java Desktop System (JDS) for Linux.

               1) CAN-2006-0884 - Mozilla Mail contains a flaw that may allow
                  an attacker to execute arbitrary JavaScript when a mail
                  message is forwarded as embedded text.

               2) CAN-2006-0293 - Mozilla contains a flaw within the
                  JavaScript engine which may cause a temporary variable to
                  be freed during garbage collection.

PLATFORM:      Mozilla v1.7
               Solaris 10 Operating System
               Sun Java Desktop System Release 2
               Mozilla 1.4 for Solaris

DAMAGE:        1) May allow an attacker to execute arbitrary JavaScript when
                  a mail message is forwarded as embedded text.

               2) This flaw may be used by a remote attacker to execute
                  arbitrary code with the permissions of the local user.

SOLUTION:      Upgrade to the appropriate version.
______________________________________________________________________________

VULNERABILITY  The risk is MEDIUM. May be used by a remote attacker to execute
ASSESSMENT:    arbitrary code with the permissions of the local user.
______________________________________________________________________________

 LINKS:
  CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/q-294.shtml

  ORIGINAL BULLETIN:  Sun Alert ID: 102550
                      http://www.sunsolve.sun.com/search/document.do?assetkey=1-26-102550-1&searchclause=%22category:security%22%2420%22availability,%2420security%22%2420category:security

  ADDITIONAL LINKS:   Sun Alert ID: 102763
                      http://www.sunsolve.sun.com/search/document.do?assetkey=1-26-102763-1&searchclause=%22category:security%22%2420%22availability,%2420security%22%2420category:security

  CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                      CVE-2006-0884
                      CVE-2006-0293
______________________________________________________________________________

 REVISION HISTORY:
  10/27/06 - Sun Alert ID: 102550 updated its Resolution section
  12/08/06 - Sun Alert ID: 102550 updated its Contributing Factors and
             Resolution section
  01/04/07 - Sun Alert ID: 102550 updated its Contributing Factors section,
             and added a link to Sun Alert ID: 102763

[***** Start Sun Alert ID: 102550 *****]

Document Audience: PUBLIC
Document ID:       102550
Title:             Multiple Security Vulnerabilities in Mozilla 1.4 and 1.7
                   for Solaris and for Sun JDS for Linux
Copyright Notice:  Copyright © 2006 Sun Microsystems, Inc. All Rights Reserved
Update Date:       Thu Oct 26 00:00:00 MDT 2006
Status:            Issued

Description

Sun(sm) Alert Notification
   * Sun Alert ID: 102550
   * Synopsis: Multiple Security Vulnerabilities in Mozilla 1.4 and 1.7 for
     Solaris and for Sun JDS for Linux
   * Category: Security
   * Product: Mozilla v1.7, Solaris 10 Operating System, Sun Java Desktop
     System Release 2, Mozilla 1.4 for Solaris
   * BugIDs: 6412730, 6415123, 6415128, 6415131, 6415133, 6415135, 6415138,
     6415142, 6415143, 6424493, 6424545, 6424548, 6424551, 6424560, 6424563,
     6424567, 6424568, 6424573, 6424574, 6424577, 6424579
   * Avoidance: Upgrade, Workaround
   * State: Workaround
   * Date Released: 22-Aug-2006
   * Date Closed:
   * Date Modified: 26-Oct-2006

1. Impact

Multiple security vulnerabilities are present in Mozilla version 1.4 (Solaris
8 and 9) and Mozilla version 1.7 (Solaris 8, 9 and 10) and under Sun Java
Desktop System (JDS) for Linux. (Mozilla can be used as a web browser and
editor, an IRC client, an email client, and a news client.)

These issues may allow a remote unprivileged user who controls a website that
is visited by a local user using the Mozilla browser to execute code with
elevated privileges, gain unauthorized access to data stored on the local
machine, or cause a Denial of Service (DoS) to the Mozilla browser.

   Bug 6415123 - For Mozilla 1.4 and 1.7:

   Mozilla contains a flaw within the "crypto.generateCRMFRequest" method
   which may allow a remote user to execute arbitrary code with the privileges
   of the local user, including the installation of unknown software.

   This issue is described in the following documents:

      http://www.mozilla.org/security/announce/mfsa2006-24.html
      http://www.kb.cert.org/vuls/id/932734
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-1728

   Bug 6415128 - For Mozilla 1.4 and 1.7:

   Mozilla contains an integer overflow flaw within the CSS letter spacing
   property. This flaw may result in a remote user executing arbitrary code
   with the privileges of the local user when an affected site is visited.

   This issue is described in the following documents:

      http://www.mozilla.org/security/announce/mfsa2006-22.html
      http://www.kb.cert.org/vuls/id/179014
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-1730

   Bug 6415131 - For Mozilla 1.4 and 1.7:

   Mozilla contains a flaw within the XBL bindings which may allow a remote
   user the ability to execute JavaScript code within the XBL bindings with
   the privileges of the local user when an affected site is visited.
   This issue is described in the following documents:

      http://www.mozilla.org/security/announce/mfsa2006-16.html
      http://www.kb.cert.org/vuls/id/488774
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-1733

   Bug 6415133 - For Mozilla 1.4 and 1.7:

   Mozilla contains a flaw within the "Object.watch" method which may allow a
   remote user the ability to execute arbitrary JavaScript code with the
   privileges of the local user when an affected site is visited.

   This issue is described in the following documents:

      http://www.mozilla.org/security/announce/mfsa2006-15.html
      http://www.kb.cert.org/vuls/id/842094
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-1734

   Bug 6415135 - For Mozilla 1.4 and 1.7:

   Mozilla contains a flaw within the "eval" method of the XBL bindings which
   may allow a remote user the ability to execute arbitrary JavaScript code
   with the privileges of the local user when an affected site is visited.

   This issue is described in the following documents:

      http://www.mozilla.org/security/announce/mfsa2006-14.html
      http://www.kb.cert.org/vuls/id/813230
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-1735

   Bug 6415138 - For Mozilla 1.4 and 1.7:

   Mozilla contains a flaw within the processing of HTML tags that may allow a
   remote user the ability to execute arbitrary code with the privileges of
   the local user when an affected site is visited.

   This issue is described in the following documents:

      http://www.mozilla.org/security/announce/mfsa2006-18.html
      http://www.kb.cert.org/vuls/id/736934
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-0749

   Bug 6412730 - For Mozilla 1.4 and 1.7:

   Mozilla contains a flaw within the "XULDocument.persist" method which may
   allow a remote attacker to inject XML into the localstore (localstore.rdf)
   when an affected site is visited. The injected XML might be acted upon at
   startup, thus executing arbitrary code.
   This issue is described in the following documents:

      http://www.mozilla.org/security/announce/mfsa2006-05.html
      http://www.kb.cert.org/vuls/id/592425
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-0296

   Bug 6424493 - For Mozilla 1.4 and 1.7:

   Mozilla contains a flaw that may allow a remote attacker to execute
   arbitrary code with the privileges of the local user when a site is viewed
   with an invalid order for the table related tags.

   This issue is described in the following documents:

      http://www.mozilla.org/security/announce/mfsa2006-27.html
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-0748

   Bug 6424545 - For Mozilla 1.4 and 1.7:

   Mozilla contains a flaw that may allow a remote attacker to gain "chrome"
   privilege when using the print preview feature of the browser.

   This issue is described in the following documents:

      http://www.mozilla.org/security/announce/mfsa2006-25.html
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-1727

   Bug 6424548 - For Mozilla 1.4 and 1.7:

   Mozilla contains a flaw that may allow a remote attacker the ability to
   read any local file when a site is viewed.

   This issue is described in the following documents:

      http://www.mozilla.org/security/announce/mfsa2006-23.html
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-1729

   Bug 6424551 - For Mozilla 1.4 and 1.7:

   Mozilla Mail contains a flaw that may allow an attacker to execute
   arbitrary JavaScript when a mail message is forwarded as embedded text.

   This issue is described in the following documents:

      http://www.mozilla.org/security/announce/mfsa2006-21.html
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-0884

   Bug 6424560 - For Mozilla 1.4 and 1.7:

   Mozilla contains a flaw within ".valueOf.call()" and ".valueOf.apply()"
   that may allow a remote attacker to inject script into another window.
   This issue is described in the following documents:

      http://www.mozilla.org/security/announce/mfsa2006-19.html
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1731

   Bug 6424563 - For Mozilla 1.4 and 1.7:

   Mozilla contains a flaw within the "window.controllers" array that may
   allow a malicious site to inject script into content from another site.

   This issue is described in the following documents:

      http://www.mozilla.org/security/announce/mfsa2006-17.html
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1732

   Bug 6424567 - For Mozilla 1.4 and 1.7:

   Mozilla contains a flaw with the handling of layered transparent images
   that may allow a malicious site to convince visitors to save the image and
   then fool them by uploading an executable instead. Should the user later
   double-click the saved "image" within a file manager, it would be executing
   with the privileges of the local user.

   This issue is described in the following documents:

      http://www.mozilla.org/security/announce/mfsa2006-13.html
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1736

   Bug 6424568 - For Mozilla 1.4 and 1.7:

   Mozilla contains a flaw in the browser's secure-site indicators that may
   allow a malicious site to spoof a local user into thinking they are still
   at a secure site.

   This issue is described in the following documents:

      http://www.mozilla.org/security/announce/mfsa2006-12.html
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1740

   Bug 6415143 - For Mozilla 1.4 and 1.7:

   Mozilla contains a flaw within DHTML which may allow a remote user the
   ability to execute arbitrary code with the privileges of the local user
   when an affected site is visited.

   This issue is described in the following documents:

      http://www.mozilla.org/security/announce/mfsa2006-20.html
      http://www.kb.cert.org/vuls/id/350262
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-1724

   Bug 6415142 - For Mozilla 1.4 and 1.7:

   Mozilla contains several flaws that may allow a remote attacker to execute
   arbitrary code.
   There exists a buffer overflow within the CSS border-rendering code that
   may allow the remote attacker to execute arbitrary code.

   There exists a 16-bit integer overflow that may allow a remote attacker to
   execute the supplied data as JavaScript bytecode.

   When programmatically changing the "-moz-grid" and "-moz-grid-group"
   display styles, a remote attacker may be able to execute arbitrary code.

   There exists a buffer overflow within the "InstallTrigger.install()" method
   that was introduced by the fix for mfsa2005-58.

   This issue is described in the following documents:

      http://www.mozilla.org/security/announce/mfsa2006-11.html
      http://www.kb.cert.org/vuls/id/329500
      http://www.kb.cert.org/vuls/id/252324
      http://www.kb.cert.org/vuls/id/935556
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-1737
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-1738
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-1739
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-1790

   Bug 6424573 - For Mozilla 1.4 and 1.7:

   Mozilla contains a flaw within the JavaScript engine for routines that use
   temporary variables. This flaw may allow a malicious site to execute
   arbitrary code, including installing software as the local user.

   This issue is described in the following documents:

      http://www.mozilla.org/security/announce/mfsa2006-10.html
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1742

   Bug 6424574 - For Mozilla 1.4 and 1.7:

   Mozilla contains a flaw that may allow a malicious site to inject
   JavaScript code into a new site using a modal alert. This vulnerability may
   allow an attacker to steal confidential information that the new site might
   contain.

   This issue is described in the following documents:

      http://www.mozilla.org/security/announce/mfsa2006-09.html
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1741

   Bug 6424577 - For Mozilla 1.4 and 1.7:

   Mozilla contains a flaw which may allow a Denial of Service (DoS) to occur
   when the browser displays a very long title.
   This issue is described in the following documents:

      http://www.mozilla.org/security/announce/mfsa2006-03.html
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4134

   Bug 6424579 - For Mozilla 1.4 and 1.7:

   Mozilla contains a flaw within the JavaScript engine which may cause a
   temporary variable to be freed during garbage collection. This flaw may be
   used by a remote attacker to execute arbitrary code with the permissions of
   the local user.

   This issue is described in the following documents:

      http://www.mozilla.org/security/announce/mfsa2006-01.html
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0292
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0293

2. Contributing Factors

This issue can occur in the following releases:

SPARC Platform
   * Mozilla 1.4 (for Solaris 8)
   * Mozilla 1.7 (for Solaris 8)
   * Mozilla 1.4 (for Solaris 9)
   * Mozilla 1.7 (for Solaris 9)
   * Mozilla 1.7 (for Solaris 10) without patch 119115-19
   * Solaris 10

x86 Platform
   * Mozilla 1.4 (for Solaris 8)
   * Mozilla 1.7 (for Solaris 8)
   * Mozilla 1.4 (for Solaris 9)
   * Mozilla 1.7 (for Solaris 9)
   * Mozilla 1.7 (for Solaris 10) without patch 119116-19

Linux Platform
   * Sun Java Desktop System (JDS) Release 2 without the updated RPMs

Note: These issues (for Mozilla 1.4) only occur with Mozilla versions
"mozilla-1.4.1-224b" or earlier.

To determine the version of Mozilla on a Solaris system, the following command
can be run:

   % /usr/sfw/bin/mozilla -version
   Mozilla 1.7, (Sun Java Desktop System), build 2005031721

To determine the release of JDS for Linux installed on a system, the following
command can be run:

   % cat /etc/sun-release
   Sun Java Desktop System, Release 2 -build 10b (GA) Assembled 30 March 2004

To determine the version of Mozilla on a Linux system, the following command
(on JDS for Linux) can be run:

   % rpm -qf /usr/bin/mozilla
   mozilla-1.4.1-224b

3. Symptoms

There are no predictable symptoms that would indicate the described issues
have been exploited.

Solution Summary

4. Relief/Workaround

Different issues will require different workarounds, as described in the
following options/examples:

A) Disable JavaScript. To do this in Mozilla:

   1. Open the Preferences dialog from the Edit menu
   2. Select the Advanced tree
   3. Select the Scripts & Plug-ins leaf
   4. Uncheck the Navigator and Mail & Newsgroups check boxes
   5. Click the OK button

   Or:

   1. Enter "about:config" in the location field
   2. Enter "javascript.enabled" in the search field
   3. Double click on the value and change it to false
   4. Click the OK button

B) Visit only trusted web sites.

C) Use the default mail message embedding when forwarding a mail message.
   This can be done by setting the forwarding preference:

   1. Open the Preferences dialog from the Edit menu
   2. Select the Mail & Newsgroups tree
   3. Select the Composition leaf
   4. Set the Forward messages list to "As Attachment"
   5. Click the OK button

D) Only download images from trusted web sites.

E) Turn off the "Entering encrypted site" warning dialog. To do this in
   Mozilla:

   1. Enter "about:config" in the location field
   2. Enter "security.warn" in the search field
   3. Double click on each "security.warn" and change the value to false
   4. Click the OK button

F) Turn off the browser history. To do this in Mozilla:

   1. Open the Preferences dialog from the Edit menu
   2. Select the Navigator tree
   3. On the History leaf, set the "remember duration" to 0 days

   Or:

   1. Enter "about:config" in the location field
   2. Enter "browser.history_expires_day" in the search field
   3. Double click on the value and change it to 0
   4. Click the OK button

G) Remove the "history.dat" file. This can be done by running the following
   commands:

   % cd $HOME/.mozilla//*
   % rm history.dat

All of these issues can be resolved by downloading and installing/upgrading to
the latest Mozilla version from the Mozilla community website at
http://www.mozilla.org/releases/#1.7.13

5.
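The version checks in section 2 and the "Disable JavaScript" workaround (option A) above, as an added example that is not part of the CIAC bulletin or the Sun Alert. It applies the bulletin's own affected-range statements (JDS for Linux packages "mozilla-1.4.1-224b" or earlier; Solaris 10 without patch 119115-19 on SPARC or 119116-19 on x86) to command output. The `rpm -qf` output shape is the one quoted in the bulletin; the assumption that `showrev -p` prints lines of the form `Patch: 119115-19 ...`, and that Mozilla applies a `user.js` file in the profile directory at startup, are the example's own, and every sample input is constructed.

```shell
#!/bin/sh
# Added example, not part of the CIAC/Sun bulletin: triage helpers for the
# affected-version checks (section 2) and the JavaScript-disable workaround
# (section 4, option A). All sample inputs below are constructed.

# version_le A B: succeeds when version string A sorts at or before B.
# Fields are split on "." and "-"; purely numeric fields compare numerically,
# anything else (e.g. "224b") compares as a string.
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, fa, /[.-]/); nb = split(b, fb, /[.-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = fa[i]; y = fb[i]
            if (x == y) continue
            if (x ~ /^[0-9]+$/ && y ~ /^[0-9]+$/) { r = (x + 0 <= y + 0) ? 0 : 1; exit r }
            r = ((x "") < (y "")) ? 0 : 1; exit r
        }
        exit 0
    }'
}

# Last affected JDS for Linux package, from the bulletin's note
# ("mozilla-1.4.1-224b" or earlier).
JDS_LAST_VULNERABLE="mozilla-1.4.1-224b"

# jds_mozilla_vulnerable PKG: PKG is the output of `rpm -qf /usr/bin/mozilla`.
jds_mozilla_vulnerable() {
    case $1 in
        mozilla-*) version_le "${1#mozilla-}" "${JDS_LAST_VULNERABLE#mozilla-}" ;;
        *) return 1 ;;   # not the Mozilla package; no verdict from this rule
    esac
}

# solaris_patch_present SHOWREV BASE MINREV: SHOWREV is the text of
# `showrev -p`, assumed (not stated in the bulletin) to print lines like
# "Patch: 119115-19 Obsoletes: ... Packages: ...". Succeeds when patch BASE
# is installed at revision MINREV or later.
solaris_patch_present() {
    printf '%s\n' "$1" | awk -v base="$2" -v minrev="$3" '
        $1 == "Patch:" {
            split($2, p, "-")
            if (p[1] == base && p[2] + 0 >= minrev + 0) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# solaris10_mozilla_vulnerable ARCH SHOWREV: applies the bulletin's Resolution
# table (SPARC needs 119115-19 or later, x86 needs 119116-19 or later).
solaris10_mozilla_vulnerable() {
    case $1 in
        sparc) base=119115 ;;
        x86|i386) base=119116 ;;
        *) return 2 ;;   # unknown architecture; no verdict
    esac
    if solaris_patch_present "$2" "$base" 19; then return 1; else return 0; fi
}

# write_js_workaround PROFILE_DIR: appends option A (disable JavaScript) to
# user.js, which Mozilla is assumed to read at startup and apply over prefs.js.
# The pref name javascript.enabled is the one the bulletin names.
write_js_workaround() {
    [ -d "$1" ] || return 1
    printf 'user_pref("javascript.enabled", false);\n' >> "$1/user.js"
}

# Constructed sample inputs, shaped like the command output quoted above.
SAMPLE_RPM="mozilla-1.4.1-224b"
SAMPLE_SHOWREV="Patch: 118822-30 Obsoletes: Requires: Incompatibles: Packages: SUNWcsu
Patch: 119115-17 Obsoletes: Requires: Incompatibles: Packages: SUNWmozilla"

if jds_mozilla_vulnerable "$SAMPLE_RPM"; then
    echo "$SAMPLE_RPM: affected (<= $JDS_LAST_VULNERABLE), install the updated JDS RPMs"
fi
if solaris10_mozilla_vulnerable sparc "$SAMPLE_SHOWREV"; then
    echo "Solaris 10 SPARC: patch 119115-19 or later not found, Mozilla 1.7 affected"
fi
```

The version comparison deliberately treats the "b" in "224b" as a string suffix that sorts after the bare number, so "mozilla-1.4.1-224" is reported as affected and "mozilla-1.4.1-224c" is not; the patch check keys on the Sun patch base number and compares only the revision, which is how a later revision such as 119115-21 satisfies "119115-19 or later".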
Resolution

This issue is addressed in the following releases:

SPARC Platform
   * Mozilla 1.7 (for Solaris 10) with patch 119115-19 or later

x86 Platform
   * Mozilla 1.7 (for Solaris 10) with patch 119116-19 or later

Note: For additional issues regarding patch 119116-19, please see Sun Alert
102612 at http://sunsolve.sun.com/search/document.do?assetkey=1-26-102612-1

A final resolution is pending completion.

Change History

26-Oct-2006:
   * Updated Resolution section

[***** End Sun Alert ID: 102550 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Sun Microsystems for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:  http://www.ciac.org/
   Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC.
The Forum of Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their constituencies
can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California, and
shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

Q-284: Security Vulnerability in the Sun Ray Utility utxconfig(1)
Q-285: ncompress
Q-286: RPC Interface Heap Overflow
Q-287: Shadow Programming Error
Q-288: ClamAV Buffer Overflow
Q-289: Vulnerability May Allow Users With the "File System Management" RBAC
       Profile to Gain Elevated Privileges
Q-290: Xsan Filesystem 1.4
Q-291: Buffer Overflow in the format(1M) Command
Q-292: XFree86 Security Update
Q-293: Kernel Security Update