Use-after-free vulnerability in Mozilla Firefox 4.x through 10.0, Firefox ESR 10.x before 10.0.3, Thunderbird 5.0 through 10.0, Thunderbird ESR 10.x before 10.0.3, and SeaMonkey before 2.8 on 32-bit Windows 7 platforms allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors involving use of the file-open dialog in a child window, related to the IUnknown_QueryService function in the Windows shlwapi.dll library.

Security issues were identified and fixed in mozilla firefox and thunderbird :

Security researchers Blair Strang and Scott Bell of Security Assessment found that when a parent window spawns and closes a child window that uses the file open dialog, a crash can be induced in shlwapi.dll on 32-bit Windows 7 systems. This crash may be potentially exploitable (CVE-2012-0454).

Firefox prevents the dropping of javascript: links onto a frame to prevent malicious sites from tricking users into performing a cross-site scripting (XSS) attacks on themselves. Security researcher Soroush Dalili reported a way to bypass this protection (CVE-2012-0455).

Security researcher Atte Kettunen from OUSPG found two issues with Firefox's handling of SVG using the Address Sanitizer tool. The first issue, critically rated, is a use-after-free in SVG animation that could potentially lead to arbitrary code execution. The second issue is rated moderate and is an out of bounds read in SVG Filters. This could potentially incorporate data from the user's memory, making it accessible to the page content (CVE-2012-0457, CVE-2012-0456).

Security Researcher Mike Brooks of Sitewatch reported that if multiple Content Security Policy (CSP) headers are present on a page, they have an additive effect page policy. Using carriage return line feed (CRLF) injection, a new CSP rule can be introduced which allows for cross-site scripting (XSS) on sites with a separate header injection vulnerability (CVE-2012-0451).

Security researcher Mariusz Mlynski reported that an attacker able to convince a potential victim to set a new home page by dragging a link to the home button can set that user's home page to a javascript: URL.
Once this is done the attacker's page can cause repeated crashes of the browser, eventually getting the script URL loaded in the privileged about:sessionrestore context (CVE-2012-0458).

Mozilla community member Daniel Glazman of Disruptive Innovations reported a crash when accessing a keyframe's cssText after dynamic modification. This crash may be potentially exploitable (CVE-2012-0459).

Mozilla developer Matt Brubeck reported that window.fullScreen is writeable by untrusted content now that the DOM fullscreen API is enabled. Because window.fullScreen does not include mozRequestFullscreen's security protections, it could be used for UI spoofing. This code change makes window.fullScreen read only by untrusted content, forcing the use of the DOM fullscreen API in normal usage (CVE-2012-0460).

Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products.
Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code (CVE-2012-0461, CVE-2012-0462, CVE-2012-0464).

The mozilla firefox and thunderbird packages has been upgraded to the latest respective versions which is unaffected by these security flaws.

Additionally the NSS and NSPR packages has been upgraded to the latest versions. The OpenJDK java plugin (icedtea-web) has been upgraded to the 1.1.5 version whish bas better support for firefox 10.x+.

Update :

Updated packages for 2010.2 is being provided, despite the Mandriva products lifetime policy dictates otherwise.

Mozilla Firefox was updated to 10.0.3 ESR to fix various bugs and security issues.

The following security issues have been fixed :

  - Mozilla developers identified and fixed several memory     safety bugs in the browser engine used in Firefox and     other Mozilla-based products. Some of these bugs showed     evidence of memory corruption under certain     circumstances, and we presume that with enough effort at     least some of these could be exploited to run arbitrary     code. (MFSA 2012-19)

    In general these flaws cannot be exploited through email     in the Thunderbird and SeaMonkey products because     scripting is disabled, but are potentially a risk in     browser or browser-like contexts in those products.

    References :

    Bob Clary reported two bugs that causes crashes that     affected Firefox 3.6, Firefox ESR, and Firefox 10.
    (CVE-2012-0461)

    Christian Holler, Jesse Ruderman, Nils, Michael     Bebenita, Dindog, and David Anderson reported memory     safety problems and crashes that affect Firefox ESR and     Firefox 10. (CVE-2012-0462)

    Jeff Walden reported a memory safety problem in the     array.join function. This bug was independently reported     by Vincenzo Iozzo via TippingPoint's Zero Day Initiative     Pwn2Own contest. (CVE-2012-0464)

    Masayuki Nakano reported a memory safety problem that     affected Mobile Firefox

  - CVE-2012-0463

  - Mozilla developer Matt Brubeck reported that     window.fullScreen is writeable by untrusted content now     that the DOM fullscreen API is enabled. Because     window.fullScreen does not include     mozRequestFullscreen's security protections, it could be     used for UI spoofing. This code change makes     window.fullScreen read only by untrusted content,     forcing the use of the DOM fullscreen API in normal     usage. (MFSA 2012-18 / CVE-2012-0460)

    Firefox 3.6 and Thunderbird 3.1 are not affected by this     vulnerability.

  - Mozilla community member Daniel Glazman of Disruptive     Innovations reported a crash when accessing a keyframe's     cssText after dynamic modification. This crash may be     potentially exploitable. (MFSA 2012-17 / CVE-2012-0459)

    Firefox 3.6 and Thunderbird 3.1 are not affected by this     vulnerability.

  - Security researcher Mariusz Mlynski reported that an     attacker able to convince a potential victim to set a     new home page by dragging a link to the 'home' button     can set that user's home page to a javascript: URL. Once     this is done the attacker's page can cause repeated     crashes of the browser, eventually getting the script     URL loaded in the privileged about:sessionrestore     context. (MFSA 2012-16 / CVE-2012-0458)

  - Security Researcher Mike Brooks of Sitewatch reported     that if multiple Content Security Policy (CSP) headers     are present on a page, they have an additive effect page     policy. Using carriage return line feed (CRLF)     injection, a new CSP rule can be introduced which allows     for cross-site scripting (XSS) on sites with a separate     header injection vulnerability. (MFSA 2012-15 /     CVE-2012-0451)

    Firefox 3.6 and Thunderbird 3.1 are not affected by this     vulnerability.

  - Security researcher Atte Kettunen from OUSPG found two     issues with Firefox's handling of SVG using the Address     Sanitizer tool. The first issue, critically rated, is a     use-after-free in SVG animation that could potentially     lead to arbitrary code execution. The second issue is     rated moderate and is an out of bounds read in SVG     Filters. This could potentially incorporate data from     the user's memory, making it accessible to the page     content. (MFSA 2012-14 / CVE-2012-0457 / CVE-2012-0456)

  - Firefox prevents the dropping of javascript: links onto     a frame to prevent malicious sites from tricking users     into performing a cross-site scripting (XSS) attacks on     themselves. Security researcher Soroush Dalili reported     a way to bypass this protection. (MFSA 2012-13 /     CVE-2012-0455)

  - Security researchers Blair Strang and Scott Bell of     Security Assessment found that when a parent window     spawns and closes a child window that uses the file open     dialog, a crash can be induced in shlwapi.dll on 32-bit     Windows 7 systems. This crash may be potentially     exploitable. (MFSA 2012-12 / CVE-2012-0454)

    Firefox 3.6 and Thunderbird 3.1 are not affected by this     vulnerability.

  - Reworked the KDE4 integration. (bnc#745017)

Versions of Firefox 10.x earlier than 10.0.3 are potentially affected by the following security issues :

  - Multiple memory corruption issues.  By tricking a user into visiting a specially crafted page, these issues may allow an attacker to execute arbitrary code in the context of the affected application. (CVE-2012-0454, CVE-2012-0457, CVE-2012-0459, CVE-2012-0461, CVE-2012-0462, CVE-2012-0463, CVE-2012-0464)

  - Ah HTTP Header security bypass vulnerability that can be leveraged by attackers to bypass certain security restrictions and conduct cross-site scripting attacks. (CVE-2012-0451)

  - A security bypass vulnerability that can be exploited by an attacker if the victim can be tricked into setting a new home page by dragging a specially crafted link to the 'home' button URL, which will set the user's home page to a 'javascript:' URL. (CVE-2012-0458)

  - An information disclosure vulnerability due to an out of bounds read in SVG filters. (CVE-2012-0456)

  - A cross-site scripting vulnerability that can be triggered by dragging and dropping 'javascript:' links onto a frame. (CVE-2012-0455)

  - 'window.fullScreen' is writeable by untrusted content, allowing attackers to perform UI spoofing attacks. (CVE-2012-0460)

Versions of Firefox 10.x prior to 10.0.3 are affected by the following security issues :

 - Multiple memory corruption issues. By tricking a user into visiting a specially crafted page, these issues may allow an attacker to execute arbitrary code in the context of the affected application. (CVE-2012-0454, CVE-2012-0457, CVE-2012-0459, CVE-2012-0461, CVE-2012-0462, CVE-2012-0463, CVE-2012-0464)
 - An HTTP Header security bypass vulnerability that can be leveraged by attackers to bypass certain security restrictions and conduct cross-site scripting attacks. (CVE-2012-0451)
 - A security bypass vulnerability that can be exploited by an attacker if the victim can be tricked into setting a new home page by dragging a specially crafted link to the 'home' button URL, which will set the user's home page to a 'javascript:' URL. (CVE-2012-0458)
 - An information disclosure vulnerability due to an out of bounds read in SVG filters. (CVE-2012-0456)
 - A cross-site scripting vulnerability that can be triggered by dragging and dropping 'javascript:' links onto a frame. (CVE-2012-0455)
 - 'window.fullScreen' is writeable by untrusted content, allowing attackers to perform UI spoofing attacks. (CVE-2012-0460)

Versions of SeaMonkey 2.x earlier than 2.8 are potentially affected by the following security issues :

  - Multiple memory corruption issues.  By tricking a user into visiting a specially crafted page, these issues may allow an attacker to execute arbitrary code in the context of the affected application. (CVE-2012-0454, CVE-2012-0457, CVE-2012-0459, CVE-2012-0461, CVE-2012-0462, CVE-2012-0463, CVE-2012-0464)

  - Ah HTTP Header security bypass vulnerability that can be leveraged by attackers to bypass certain security restrictions and conduct cross-site scripting attacks. (CVE-2012-0451)

  - A security bypass vulnerability that can be exploited by an attacker if the victim can be tricked into setting a new home page by dragging a specially crafted link to the 'home' button URL, which will set the user's home page to a 'javascript:' URL. (CVE-2012-0458)

  - An information disclosure vulnerability due to an out of bounds read in SVG filters. (CVE-2012-0456)

  - A cross-site scripting vulnerability that can be triggered by dragging and dropping 'javascript:' links onto a frame. (CVE-2012-0455)

  - 'window.fullScreen' is writeable by untrusted content, allowing attackers to perform UI spoofing attacks. (CVE-2012-0460)

Versions of Firefox ESR 10.x prior to 10.0.3 are affected by the following security issues :

 - Multiple memory corruption issues.  By tricking a user into visiting a specially crafted page, these issues may allow an attacker to execute arbitrary code in the context of the affected application. (CVE-2012-0454, CVE-2012-0457, CVE-2012-0459, CVE-2012-0461, CVE-2012-0462, CVE-2012-0463, CVE-2012-0464)
 - An HTTP Header security bypass vulnerability that can be leveraged by attackers to bypass certain security restrictions and conduct cross-site scripting attacks. (CVE-2012-0451)
 - A security bypass vulnerability that can be exploited by an attacker if the victim can be tricked into setting a new home page by dragging a specially crafted link to the 'home' button URL, which will set the user's home page to a 'javascript:' URL. (CVE-2012-0458)
 - An information disclosure vulnerability due to an out of bounds read in SVG filters. (CVE-2012-0456)
 - A cross-site scripting vulnerability that can be triggered by dragging and dropping 'javascript:' links onto a frame. (CVE-2012-0455)
 - 'window.fullScreen' is writeable by untrusted content, allowing attackers to perform UI spoofing attacks. (CVE-2012-0460)

The installed version of Thunderbird 10.0.x is potentially affected by the following security issues :
  - Multiple memory corruption issues. By tricking a user     into visiting a specially crafted page, these issues may     allow an attacker to execute arbitrary code in the     context of the affected application. (CVE-2012-0454,     CVE-2012-0457, CVE-2012-0459, CVE-2012-0461,     CVE-2012-0462, CVE-2012-0463, CVE-2012-0464)

  - An HTTP Header security bypass vulnerability exists that     can be leveraged by attackers to bypass certain security     restrictions and conduct cross-site scripting attacks.     (CVE-2012-0451).

  - A security bypass vulnerability exists that can be     exploited by an attacker if the victim can be tricked     into setting a new home page by dragging a specially     crafted link to the 'home' button URL, which will set     the user's home page to a 'javascript:' URL.     (CVE-2012-0458) 

  - An information disclosure vulnerability exists due to an     out-of-bounds read in SVG filters. (CVE-2012-0456)

  - A cross-site scripting vulnerability exists that can be     triggered by dragging and dropping 'javascript:' links     onto a frame. (CVE-2012-0455)

  - 'window.fullScreen' is writeable by untrusted content,     allowing attackers to perform UI spoofing attacks.     (CVE-2012-0460)

The installed version of Firefox is earlier than 10.0.3 and thus, is potentially affected by the following security issues :
  - Multiple memory corruption issues. By tricking a user     into visiting a specially crafted page, these issues may     allow an attacker to execute arbitrary code in the     context of the affected application. (CVE-2012-0454,     CVE-2012-0457, CVE-2012-0459, CVE-2012-0461,     CVE-2012-0462, CVE-2012-0463, CVE-2012-0464)

  - An HTTP Header security bypass vulnerability exists that     can be leveraged by attackers to bypass certain security     restrictions and conduct cross-site scripting attacks.     (CVE-2012-0451).

  - A security bypass vulnerability exists that can be     exploited by an attacker if the victim can be tricked     into setting a new home page by dragging a specially     crafted link to the 'home' button URL, which will set     the user's home page to a 'javascript:' URL.     (CVE-2012-0458) 

  - An information disclosure vulnerability exists due to an     out-of-bounds read in SVG filters. (CVE-2012-0456)

  - A cross-site scripting vulnerability exists that can be     triggered by dragging and dropping 'javascript:' links     onto a frame. (CVE-2012-0455)

  - 'window.fullScreen' is writeable by untrusted content,     allowing attackers to perform UI spoofing attacks.     (CVE-2012-0460)

The installed version of SeaMonkey is earlier than 2.8.0.  Such versions are potentially affected by the following security issues :
  - Multiple memory corruption issues. By tricking a user     into visiting a specially crafted page, these issues may     allow an attacker to execute arbitrary code in the     context of the affected application. (CVE-2012-0454,     CVE-2012-0457, CVE-2012-0459, CVE-2012-0461,     CVE-2012-0462, CVE-2012-0463, CVE-2012-0464)

  - An HTTP Header security bypass vulnerability that can be     leveraged by attackers to bypass certain security     restrictions and conduct cross-site scripting attacks.     (CVE-2012-0451).

  - A security bypass vulnerability that can be exploited by     an attacker if the victim can be tricked into setting a     new home page by dragging a specially crafted link to     the 'home' button URL, which will set the user's home     page to a 'javascript:' URL. (CVE-2012-0458) 

  - An information disclosure vulnerability due to an out of     bounds read in SVG filters. (CVE-2012-0456)

  - A cross-site scripting vulnerability that can be     triggered by dragging and dropping 'javascript:' links     onto a frame. (CVE-2012-0455)

  - 'window.fullScreen' is writeable by untrusted content,     allowing attackers to perform UI spoofing attacks.     (CVE-2012-0460)

The installed version of Firefox 10.0.x is potentially affected by the following security issues :
  - Multiple memory corruption issues. By tricking a user     into visiting a specially crafted page, these issues may     allow an attacker to execute arbitrary code in the     context of the affected application. (CVE-2012-0454,     CVE-2012-0457, CVE-2012-0459, CVE-2012-0461,     CVE-2012-0462, CVE-2012-0463, CVE-2012-0464)

  - An HTTP Header security bypass vulnerability exists that     can be leveraged by attackers to bypass certain security     restrictions and conduct cross-site scripting attacks.     (CVE-2012-0451).

  - A security bypass vulnerability exists that can be     exploited by an attacker if the victim can be tricked     into setting a new home page by dragging a specially     crafted link to the 'home' button URL, which will set     the user's home page to a 'javascript:' URL.     (CVE-2012-0458) 

  - An information disclosure vulnerability exists due to an     out-of-bounds read in SVG filters. (CVE-2012-0456)

  - A cross-site scripting vulnerability exists that can be     triggered by dragging and dropping 'javascript:' links     onto a frame. (CVE-2012-0455)

  - 'window.fullScreen' is writeable by untrusted content,     allowing attackers to perform UI spoofing attacks.     (CVE-2012-0460)

ID	Name	Product	Family	Severity
58771	Mandriva Linux Security Advisory : mozilla (MDVSA-2012:032-1)	Nessus	Mandriva Local Security Checks	high
58524	SuSE 11.1 Security Update : Mozilla Firefox (SAT Patch Number 6007)	Nessus	SuSE Local Security Checks	high
801370	Mozilla Thunderbird 10.x < 10.0.3 Multiple Vulnerabilities	Log Correlation Engine	Web Clients	high
6352	Mozilla Thunderbird 10.x < 10.0.3 Multiple Vulnerabilities	Nessus Network Monitor	SMTP Clients	high
801337	Mozilla SeaMonkey 2.x < 2.8 Multiple Vulnerabilities	Log Correlation Engine	Web Clients	high
801284	Mozilla Firefox 10.x < 10.0.3 Multiple Vulnerabilities	Log Correlation Engine	Web Clients	high
6354	SeaMonkey 2.x < 2.8 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	high
6350	Mozilla Firefox ESR 10.x < 10.0.3 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	high
58355	Thunderbird 10.0.x < 10.0.3 Multiple Vulnerabilities (Mac OS X)	Nessus	MacOS X Local Security Checks	high
58353	Firefox < 10.0.3 Multiple Vulnerabilities (Mac OS X)	Nessus	MacOS X Local Security Checks	high
58352	SeaMonkey < 2.8.0 Multiple Vulnerabilities	Nessus	Windows	high
58350	Mozilla Thunderbird 10.0.x < 10.0.3 Multiple Vulnerabilities	Nessus	Windows	high
58348	Firefox 10.0.x < 10.0.3 Multiple Vulnerabilities	Nessus	Windows	high

Detections

Analytics

CVE-2012-0454

high

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high

high