Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 4.x before 4.0.1 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to gfx/layers/d3d10/ReadbackManagerD3D10.cpp and unknown other vectors.

Mozilla Firefox was updated to the 4.0.1 security release.

MFSA 2011-12: Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. Credits

Mozilla developers Boris Zbarsky, Gary Kwong, Jesse Ruderman, Michael Wu, Nils, Scoobidiver, and Ted Mielczarek reported memory safety issues which affected Firefox 4. (CVE-2011-0079)

Mozilla developer Scoobidiver reported a memory safety issue which affected Firefox 4 and Firefox 3.6 (CVE-2011-0081)

Ian Beer reported a crash that affected Firefox 4, Firefox 3.6 and Firefox 3.5. (CVE-2011-0070)

MFSA 2011-17 / CVE-2011-0068: Two crashes that could potentially be exploited to run malicious code were found in the WebGL feature and fixed in Firefox 4.0.1. In addition the WebGLES libraries could potentially be used to bypass a security feature of recent Windows versions. The WebGL feature was introduced in Firefox 4; older versions are not affected by these issues.

Nils reported that the WebGLES libraries in the Windows version of Firefox were compiled without ASLR protection. An attacker who found an exploitable memory corruption flaw could then use these libraries to bypass ASLR on Windows Vista and Windows 7, making the flaw as exploitable on those platforms as it would be on Windows XP or other platforms.

Mozilla researcher Christoph Diehl reported a potentially exploitable buffer overflow in the WebGLES library

Yuri Ko reported a potentially exploitable overwrite in the WebGLES library to the Chrome Secuity Team. We thank them for coordinating with us on this fix.

MFSA 2011-18 / CVE-2011-1202: Chris Evans of the Chrome Security Team reported that the XSLT generate-id() function returned a string that revealed a specific valid address of an object on the memory heap. It is possible that in some cases this address would be valuable information that could be used by an attacker while exploiting a different memory corruption but, in order to make an exploit more reliable or work around mitigation features in the browser or operating system.

The remote host is affected by the vulnerability described in GLSA-201301-01 (Mozilla Products: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Mozilla Firefox,       Thunderbird, SeaMonkey, NSS, GNU IceCat, and XULRunner. Please review the       CVE identifiers referenced below for details.
  Impact :

    A remote attacker could entice a user to view a specially crafted web       page or email, possibly resulting in execution of arbitrary code or a       Denial of Service condition. Furthermore, a remote attacker may be able       to perform Man-in-the-Middle attacks, obtain sensitive information,       bypass restrictions and protection mechanisms, force file downloads,       conduct XML injection attacks, conduct XSS attacks, bypass the Same       Origin Policy, spoof URL&rsquo;s for phishing attacks, trigger a vertical       scroll, spoof the location bar, spoof an SSL indicator, modify the       browser&rsquo;s font, conduct clickjacking attacks, or have other unspecified       impact.
    A local attacker could gain escalated privileges, obtain sensitive       information, or replace an arbitrary downloaded file.
  Workaround :

    There is no known workaround at this time.

Boris Zbarsky, Gary Kwong, Jesse Ruderman, Michael Wu, and Ted Mielczarek discovered multiple memory vulnerabilities. An attacker could exploit these to possibly run arbitrary code as the user running Firefox. (CVE-2011-0079)

It was discovered that there was a vulnerability in the memory handling of certain types of content. An attacker could exploit this to possibly run arbitrary code as the user running Firefox.
(CVE-2011-0081)

It was discovered that Firefox incorrectly handled certain JavaScript requests. An attacker could exploit this to possibly run arbitrary code as the user running Firefox. (CVE-2011-0069)

Ian Beer discovered a vulnerability in the memory handling of a certain types of documents. An attacker could exploit this to possibly run arbitrary code as the user running Firefox. (CVE-2011-0070)

Chris Evans discovered a vulnerability in Firefox's XSLT generate-id() function. An attacker could possibly use this vulnerability to make other attacks more reliable. (CVE-2011-1202).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Versions of Thunderbird 3.1.x earlier than 3.1.10 are potentially affected by multiple vulnerabilities :

  - Multiple memory corruption issues could lead to arbitrary code execution. (MFSA2011-12)

  - The 'resource:' protocol could be exploited to allow directory traversal on Windows and the potential loading of resources from non-permitted locations. (MFSA2011-16)

Versions of Firefox 4.0.x earlier than 4.0.1 are potentially affected by multiple vulnerabilities : 

Multiple memory corruption issues could lead to arbitrary code execution. (MFSA2011-12)

  - Multiple vulnerabilities in the WebGL feature and WebGLES could be exploited to execute arbitrary code or bypass ASLR protection on Windows. (MFSA2011-17) - The XSLT 'generate-id()' function returned a string that revealed a specific valid address of an object on the memory heap. (MFSA2011-18)

Versions of Mozilla Thunderbird 3.1.x prior to 3.1.10 are affected by the following vulnerabilities :

 - Multiple memory corruption issues could lead to arbitrary code execution. (MFSA2011-12)
 - The 'resource:' protocol could be exploited to allow directory traversal on Windows and the potential loading of resources from non-permitted locations. (MFSA2011-16)

Versions of Firefox 4.0.x earlier than 4.0.1 are potentially affected by multiple vulnerabilities : 

Multiple memory corruption issues could lead to arbitrary code execution. (MFSA2011-12)
 - Multiple vulnerabilities in the WebGL feature and WebGLES could be exploited to execute arbitrary code or bypass ASLR protection on Windows. (MFSA2011-17) - The XSLT 'generate-id()' function returned a string that revealed a specific valid address of an object on the memory heap. (MFSA2011-18)

The installed version of Firefox 4.0 is earlier than 4.0.1.  As such, it is potentially affected by the following security issues :

  - A buffer overflow exists in the WebGLES library.
    Additionally, the Windows version was not compiled     with ASLR enabled. (CVE-2011-0068)

  - Multiple memory safety issues can lead to application     crashes and possibly remote code execution.
    (CVE-2011-0069, CVE-2011-0070, CVE-2011-0079,     CVE-2011-0081)

  - An information disclosure vulnerability exists in the     'xsltGenerateIdFunction' function in the included     libxslt library. (CVE-2011-1202)

ID	Name	Product	Family	Severity
75944	openSUSE Security Update : MozillaFirefox (MozillaFirefox-4457)	Nessus	SuSE Local Security Checks	critical
63402	GLSA-201301-01 : Mozilla Products: Multiple vulnerabilities (BEAST)	Nessus	Gentoo Local Security Checks	critical
55079	Ubuntu 11.04 : Firefox vulnerabilities (USN-1121-1)	Nessus	Ubuntu Local Security Checks	critical
801271	Mozilla Thunderbird 3.1.x < 3.1.10 Multiple Vulnerabilities	Log Correlation Engine	SMTP Clients	high
801264	Mozilla Firefox 4.0.x < 4.0.1 Multiple Vulnerabilities	Log Correlation Engine	Web Clients	high
5903	Mozilla Thunderbird 3.1.x < 3.1.10 Multiple Vulnerabilities	Nessus Network Monitor	SMTP Clients	high
5902	Mozilla Firefox 4.0.x < 4.0.1 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	high
53595	Firefox 4.0 < 4.0.1 Multiple Vulnerabilities	Nessus	Windows	high

Detections

Analytics

CVE-2011-0079

high

Tenable Plugins

critical

critical

critical

high

high

high

high

high