MyCERT Advisories

MyCERT Advisories, Alerts and Summaries for the year 2011

MA-282.062011 : MyCERT Alert - Mozilla Firefox and Thunderbird - Multiple Critical Vulnerabilities

Date of publication: 2011-06-22

1.0 Introduction

A few vulnerabilities have been reported in Mozilla Foundation products, as listed below:

  • Miscellaneous memory safety hazards (rv:3.0/1.9.2.18)
  • Use-after-free vulnerability when viewing XUL document with script disabled
  • Memory corruption due to multipart/x-mixed-replace images
  • Integer overflow and arbitrary code execution in Array.reduceRight()
  • Multiple dangling pointer vulnerabilities
  • Multiple WebGL crashes

2.0 Impact

An attacker who successfully exploits these vulnerabilities can bypass same-origin restrictions, obtain potentially sensitive information, and execute arbitrary script code with elevated privileges. Other attacks are also possible.

3.0 Affected Products

The detailed list of vulnerable products and versions is as below:

  • Mozilla Firefox 4.1 and below
  • Mozilla Firefox 3.6.17 and below
  • Mozilla Thunderbird 3.1.10 and below

4.0 Recommendation

MyCERT highly recommends that users of these applications upgrade to the latest version of the affected products. The current latest versions are as below:

MyCERT advises users of the products mentioned in this advisory to keep themselves updated with the latest security announcements from the products’ vendor. MyCERT can be reached through the following channels:

E-mail : mycert@mycert.org.my
Phone : 1-300-88-2999 (monitored during business hours)
Fax : +603 89453442
Handphone : +60 19 2665850 (24x7 call incident reporting)
SMS : CYBER999 REPORT <EMAIL> <COMPLAINT> to 15888
Business Hours : Mon - Fri 08:30 - 17:30 MYT
Web: http://www.mycert.org.my

5.0 References

i. https://www.mozilla.org/security/announce/
ii. https://www.mozilla.org/security/announce/2011/mfsa2011-19.html
iii. https://www.mozilla.org/security/announce/2011/mfsa2011-20.html
iv. https://www.mozilla.org/security/announce/2011/mfsa2011-21.html
v. https://www.mozilla.org/security/announce/2011/mfsa2011-22.html
vi. https://www.mozilla.org/security/announce/2011/mfsa2011-23.html
vii. https://www.mozilla.org/security/announce/2011/mfsa2011-26.html