Mozilla Closes Critical Holes

Wednesday, January 9, 2013 @ 04:01 PM gHale


With the release of Firefox ESR 17.0.2, Thunderbird 17.0.2 and Thunderbird ESR 17.0.2, Mozilla fixed 20 security holes, 12 of which rate as critical and the rest coming in as high impact.

Firefox 18 fixes an additional moderate security issue with touch events that caused a page in an iframe to see touch events occurring within other iframes. The W3C Touch events technology introduced with Firefox 18 and the issue therefore does not affect older versions of the browser or Thunderbird.

RELATED STORIES
Bogus SSL Certificates Issued
Chrome Wards Off BlackHole
Phishing Report: Comparing Browsers
Mozilla Fixes Firefox Holes

The critical issues include MFSA 2013-20 in which two SSL certificates accidentally issued by TURKTRUST and later misused to create bogus certificates for arbitrary domains; the two certificates are now gone from the trusted certificates list.

MFSA 2013-15 allowed attackers to open a privileged web page in Firefox and then perform a privilege escalation campaign through interaction with specifically crafted SVG elements. A buffer overflow in the HMTL5 Canvas that could lead to a potentially exploitable crash is MFSA 2013-03. Five user-after-free bugs in several components of Mozilla’s software also ended up fixed, as well as miscellaneous memory safety issues.

These issues are less of a problem in Thunderbird as the email client disables scripting by default, which limits the exploitability of these vulnerabilities in normal usage of the email client.

The security issues rated as high by Mozilla include memory corruption that can happen with SVG content and can lead to an exploitable crash, an issue where pages could spoof the URL they display in the address bar to mislead users, and problems with an XBL (XML Binding Language) function that leaked information about the address space layout of objects, causing ASLR (address space layout randomization) to be less effective. The Firefox installer on Windows could end up hijacked by placing a specifically named DLL in the default download directory alongside the installer binary which would then proceed to load the malicious DLL, leading to arbitrary code execution. On an account with administrator privileges, the system would execute the DLL with the same privileges.

To remedy the flaws, Mozilla recommends updating to Firefox 18, Firefox ESR 17.0.2 and Thunderbird ESR 17.0.2. Thunderbird 17.0.2 is the latest version of the email client as Mozilla has currently frozen its development of the product and is only doing maintenance releases on the code base.

The updates should automatically install by the applications, but can download by displaying the applications’ About dialog. It is, of course, also possible to download Firefox or Thunderbird from Mozilla’s download pages.

Mozilla also released Firefox ESR 10.0.12 and Thunderbird ESR 10.0.12, fixing a number of the security holes in these extended support versions as well. Both versions fix eight of the critical vulnerabilities fixed in their ESR 17.x versions.

Firefox ESR 10.0.12 also fixed four of the high-rated vulnerabilities fixed in Firefox 17.0.2 ESR, while Thunderbird ESR 10.0.12 fixed three high-rated holes fixed in Thunderbird ESR 17.0.2. This release is likely to be the last release of the Firefox and Thunderbird ESR 10.x branches.



Leave a Reply

You must be logged in to post a comment.