__________________________________________________________

                   The U.S. Department of Energy
               Computer Incident Advisory Capability
__________________________________________________________

                        INFORMATION BULLETIN

                       Firefox Security Update
                         [RHSA-2006:0675-5]

September 15, 2006 18:00 GMT                                   Number Q-317
                                                       [REVISED 20 Sep 2006]
                                                       [REVISED 06 Oct 2006]
                                                       [REVISED 14 Nov 2006]
                                                       [REVISED 23 Jan 2007]
                                                       [REVISED 5 Mar 2007]
______________________________________________________________________________

PROBLEM:       Updated firefox packages that fix several security bugs are
               now available for Red Hat Enterprise Linux 4.

PLATFORM:      Red Hat Desktop (v. 4)
               Red Hat Enterprise Linux AS (v. 4)
               Red Hat Enterprise Linux ES (v. 4)
               Red Hat Enterprise Linux WS (v. 4)
               Firefox 1.5.0.7
               Thunderbird 1.5.0.7
               SeaMonkey 1.0.5
               Debian GNU/Linux 3.1 alias sarge
               Mozilla 1.7
               Solaris 8, 9, 10 Operating System
               Firefox prior to version 1.5.0.9 running on HP-UX B.11.11
               and B.11.23

DAMAGE:        A malicious web page could crash the browser or possibly
               execute arbitrary code as the user running Firefox.

SOLUTION:      Apply current patches.
______________________________________________________________________________

VULNERABILITY  The risk is MEDIUM. An attacker could execute arbitrary code
ASSESSMENT:    as the user running Firefox.
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/q-317.shtml
 ORIGINAL BULLETIN:  https://rhn.redhat.com/errata/RHSA-2006-0675.html
 ADDITIONAL LINKS:   SeaMonkey Security Update
                     https://rhn.redhat.com/errata/RHSA-2006-0676.html
                     Thunderbird Security Update
                     https://rhn.redhat.com/errata/RHSA-2006-0677.html
                     Mozilla Foundation Security Advisory 2006-57
                     http://www.mozilla.org/security/announce/2006/mfsa2006-57.html
                     Debian Security Advisory 1191-1
                     http://www.debian.org/security/2006/dsa-1191
                     Debian Security Advisory 1192-1
                     http://www.debian.org/security/2006/dsa-1192
                     Debian Security Advisory 1210-1
                     http://www.debian.org/security/2006/dsa-1210
                     Sun Alert ID: 102781
                     http://www.sunsolve.sun.com/search/document.do?assetkey=1-26-102781-1
                     Visit Hewlett-Packard's Subscription Service for:
                     HPSBUX02153 SSRT061181 rev. 3
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                     CVE-2006-4253, CVE-2006-4340, CVE-2006-4565,
                     CVE-2006-4566, CVE-2006-4567, CVE-2006-4568,
                     CVE-2006-4569, CVE-2006-4571
______________________________________________________________________________

REVISION HISTORY:
 09/20/2006 - revised to add a link to Mozilla Foundation Security Advisory
              2006-57 for Firefox 1.5.0.7, Thunderbird 1.5.0.7, and
              SeaMonkey 1.0.5
 10/06/2006 - revised to add a link to Debian Security Advisories DSA-1191-1
              & DSA-1192-1 for Debian GNU/Linux 3.1 alias sarge
 11/14/2006 - added a link to Debian Security Advisory 1210-1
 01/23/2007 - revised to add a link to Sun Alert ID: 102781 for Mozilla v1.7,
              Solaris 8, 9, 10 Operating System.
 03/05/2007 - revised Q-317 to add a link to Hewlett-Packard HPSBUX02153
              SSRT061181 rev. 3 for Firefox prior to version 1.5.0.9 running
              on HP-UX B.11.11 and B.11.23.

[***** Start RHSA-2006:0675-5 *****]

Critical: firefox security update

Advisory:         RHSA-2006:0675-5
Type:             Security Advisory
Issued on:        2006-09-15
Last updated on:  2006-09-15

Affected Products:
  Red Hat Desktop (v. 4)
  Red Hat Enterprise Linux AS (v. 4)
  Red Hat Enterprise Linux ES (v. 4)
  Red Hat Enterprise Linux WS (v. 4)

CVEs (cve.mitre.org):
  CVE-2006-4253
  CVE-2006-4340
  CVE-2006-4565
  CVE-2006-4566
  CVE-2006-4567
  CVE-2006-4568
  CVE-2006-4569
  CVE-2006-4571

Details

Updated firefox packages that fix several security bugs are now available
for Red Hat Enterprise Linux 4.

This update has been rated as having critical security impact by the Red Hat
Security Response Team.

Mozilla Firefox is an open source Web browser.

Two flaws were found in the way Firefox processed certain regular
expressions. A malicious web page could crash the browser or possibly execute
arbitrary code as the user running Firefox. (CVE-2006-4565, CVE-2006-4566)

A number of flaws were found in Firefox. A malicious web page could crash the
browser or possibly execute arbitrary code as the user running Firefox.
(CVE-2006-4571)

A flaw was found in the handling of Javascript timed events. A malicious web
page could crash the browser or possibly execute arbitrary code as the user
running Firefox. (CVE-2006-4253)

Daniel Bleichenbacher recently described an implementation error in RSA
signature verification. For RSA keys with exponent 3 it is possible for an
attacker to forge a signature that would be incorrectly verified by the NSS
library. Firefox as shipped trusts several root Certificate Authorities that
use exponent 3. An attacker could have created a carefully crafted SSL
certificate which would be incorrectly trusted when their site was visited by
a victim. (CVE-2006-4340)

A flaw was found in the Firefox auto-update verification system. An attacker
who has the ability to spoof a victim's DNS could get Firefox to download and
install malicious code. In order to exploit this issue an attacker would also
need to get a victim to previously accept an unverifiable certificate.
(CVE-2006-4567)

Firefox did not properly prevent a frame in one domain from injecting content
into a sub-frame that belongs to another domain, which facilitates website
spoofing and other attacks. (CVE-2006-4568)

Firefox did not load manually opened, blocked popups in the right domain
context, which could lead to cross-site scripting attacks. In order to exploit
this issue an attacker would need to find a site which would frame their
malicious page and convince the user to manually open a blocked popup.
(CVE-2006-4569)

Users of Firefox are advised to upgrade to this update, which contains Firefox
version 1.5.0.7 that corrects these issues.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via Red Hat Network. To use Red Hat Network, launch
the Red Hat Update Agent with the following command:

  up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Updated packages

(The unlinked packages above are only available from the Red Hat Network)

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4253
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4340
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4565
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4566
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4567
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4568
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4569
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4571
http://www.redhat.com/security/updates/classification/#critical

These packages are GPG signed by Red Hat for security. Our key and details on
how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at
http://www.redhat.com/security/team/contact/

[***** End RHSA-2006:0675-5 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:  http://www.ciac.org/
   Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California, and
shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

Q-307: Buffer Overflow Vulnerability in libX11
Q-308: gcc-3.4
Q-309: TikiWiki
Q-310: Vulnerability in Microsoft Publisher
Q-311: Vulnerability in Pragmatic General Multicast (PGM)
Q-312: Vulnerability in Indexing Service
Q-313: Flash-Plugin Security Update
Q-314: QuickTime 7.1.3
Q-315: isakmpd - Programming Error
Q-316: HP OpenView Operations
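Added illustration (not part of the CIAC or Red Hat text) of the signature-verification weakness behind CVE-2006-4340 above: a PKCS#1 v1.5 verifier that walks the padding and ignores whatever follows the DigestInfo, beside one that re-encodes the expected block and compares it whole as RFC 3447 prescribes. It models the general class of lax padding parsing rather than the exact NSS code; the SHA-1 DigestInfo prefix is taken from RFC 3447 and the test block is constructed.

```python
import hashlib
import hmac

# DER-encoded DigestInfo prefix for SHA-1, from RFC 3447 section 9.2, note 1.
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")

def digest_info(message: bytes) -> bytes:
    """T = DigestInfo(SHA-1, H(message))."""
    return SHA1_DIGESTINFO_PREFIX + hashlib.sha1(message).digest()

def emsa_pkcs1_v15_encode(message: bytes, em_len: int) -> bytes:
    """EM = 0x00 || 0x01 || PS || 0x00 || T, with PS = 0xFF bytes filling the block."""
    t = digest_info(message)
    ps_len = em_len - len(t) - 3
    if ps_len < 8:
        raise ValueError("encoded message length too short")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t

def lax_verify(em: bytes, message: bytes) -> bool:
    """Parser-style check of the kind Bleichenbacher's finding targets: it walks
    the padding, reads T, and never requires T to end exactly at the end of EM."""
    if len(em) < 11 or em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return False
    t = digest_info(message)
    # Defect: bytes after T are ignored, so the block is accepted with trailing filler.
    return em[i + 1:i + 1 + len(t)] == t

def strict_verify(em: bytes, message: bytes) -> bool:
    """RFC 3447 section 8.2.2 step 4: re-encode and compare the entire block."""
    try:
        expected = emsa_pkcs1_v15_encode(message, len(em))
    except ValueError:
        return False
    return hmac.compare_digest(em, expected)

def malformed_em(message: bytes, em_len: int) -> bytes:
    """Constructed test block: shortest legal-looking padding, T, then filler.
    No RSA operation is performed; this only exercises the two checks above."""
    body = b"\x00\x01" + b"\xff" * 8 + b"\x00" + digest_info(message)
    return body + b"\x00" * (em_len - len(body))
```

With a 128-byte block (a 1024-bit modulus) both checks accept the properly padded block, but only the lax parser accepts the constructed block with filler after the digest, which is the slack a forged signature needs.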