Untrusted search path vulnerability in Updater.exe in the Windows Updater Service in Mozilla Firefox 12.0, Thunderbird 12.0, and SeaMonkey 2.9 on Windows allows local users to gain privileges via a Trojan horse wsock32.dll file in an application directory.

Mozilla Firefox has been updated to 10.0.5ESR fixing various bugs and security issues.

  - Mozilla developers identified and fixed several memory     safety bugs in the browser engine used in Firefox and     other Mozilla-based products. Some of these bugs showed     evidence of memory corruption under certain     circumstances, and we presume that with enough effort at     least some of these could be exploited to run arbitrary     code. (MFSA 2012-34)

    In general these flaws cannot be exploited through email     in the Thunderbird and SeaMonkey products because     scripting is disabled, but are potentially a risk in     browser or browser-like contexts in those products.
    References

    Jesse Ruderman, Igor Bukanov, Bill McCloskey, Christian     Holler, Andrew McCreight, and Brian Bondy reported     memory safety problems and crashes that affect Firefox     12. (CVE-2012-1938)

    Christian Holler reported a memory safety problem that     affects Firefox ESR. (CVE-2012-1939)

    Igor Bukanov, Olli Pettay, Boris Zbarsky, and Jesse     Ruderman reported memory safety problems and crashes     that affect Firefox ESR and Firefox 13. (CVE-2012-1937)

    Ken Russell of Google reported a bug in NVIDIA graphics     drivers that they needed to work around in the Chromium     WebGL implementation. Mozilla has done the same in     Firefox 13 and ESR 10.0.5. (CVE-2011-3101)

  - Security researcher James Forshaw of Context Information     Security found two issues with the Mozilla updater and     the Mozilla updater service introduced in Firefox 12 for     Windows. The first issue allows Mozilla's updater to     load a local DLL file in a privileged context. The     updater can be called by the Updater Service or     independently on systems that do not use the service.
    The second of these issues allows for the updater     service to load an arbitrary local DLL file, which can     then be run with the same system privileges used by the     service. Both of these issues require local file system     access to be exploitable. (MFSA 2012-35)

    Possible Arbitrary Code Execution by Update Service     (CVE-2012-1942) Updater.exe loads wsock32.dll from     application directory. (CVE-2012-1943)

  - Security researcher Adam Barth found that inline event     handlers, such as onclick, were no longer blocked by     Content Security Policy's (CSP) inline-script blocking     feature. Web applications relying on this feature of CSP     to protect against cross-site scripting (XSS) were not     fully protected. (CVE-2012-1944). (MFSA 2012-36)

  - Security researcher Paul Stone reported an attack where     an HTML page hosted on a Windows share and then loaded     could then load Windows shortcut files (.lnk) in the     same share. These shortcut files could then link to     arbitrary locations on the local file system of the     individual loading the HTML page. That page could show     the contents of these linked files or directories from     the local file system in an iframe, causing information     disclosure. (MFSA 2012-37)

    This issue could potentially affect Linux machines with     samba shares enabled. (CVE-2012-1945)

  - Security researcher Arthur Gerkis used the Address     Sanitizer tool to find a use-after-free while     replacing/inserting a node in a document. This     use-after-free could possibly allow for remote code     execution. (CVE-2012-1946). (MFSA 2012-38)

  - Security researcher Kaspar Brand found a flaw in how the     Network Security Services (NSS) ASN.1 decoder handles     zero length items. Effects of this issue depend on the     field. One known symptom is an unexploitable crash in     handling OCSP responses. NSS also mishandles zero-length     basic constraints, assuming default values for some     types that should be rejected as malformed. These issues     have been addressed in NSS 3.13.4, which is now being     used by Mozilla. (CVE-2012-0441). (MFSA 2012-39)

  - Security researcher Abhishek Arya of Google used the     Address Sanitizer tool to uncover several issues: two     heap buffer overflow bugs and a use-after-free problem.
    The first heap buffer overflow was found in conversion     from unicode to native character sets when the function     fails. The use-after-free occurs in nsFrameList when     working with column layout with absolute positioning in     a container that changes size. The second buffer     overflow occurs in nsHTMLReflowState when a window is     resized on a page with nested columns and a combination     of absolute and relative positioning. All three of these     issues are potentially exploitable. (MFSA 2012-40)

    Heap-buffer-overflow in utf16_to_isolatin1     (CVE-2012-1947) Heap-use-after-free in     nsFrameList::FirstChild. (CVE-2012-1940)

    Heap-buffer-overflow in     nsHTMLReflowState::CalculateHypotheticalBox, with nested     multi-column, relative position, and absolute position.
    (CVE-2012-1941)

More information on security issues can be found on:
http://www.mozilla.org/security/announce/

MozillaFirefox has been updated to 10.0.5ESR fixing various bugs and security issues.

  - Mozilla developers identified and fixed several memory     safety bugs in the browser engine used in Firefox and     other Mozilla-based products. Some of these bugs showed     evidence of memory corruption under certain     circumstances, and we presume that with enough effort at     least some of these could be exploited to run arbitrary     code. (MFSA 2012-34)

    In general these flaws cannot be exploited through email     in the Thunderbird and SeaMonkey products because     scripting is disabled, but are potentially a risk in     browser or browser-like contexts in those products.
    References

    Jesse Ruderman, Igor Bukanov, Bill McCloskey, Christian     Holler, Andrew McCreight, and Brian Bondy reported     memory safety problems and crashes that affect Firefox     12. (CVE-2012-1938)

    Christian Holler reported a memory safety problem that     affects Firefox ESR. (CVE-2012-1939)

    Igor Bukanov, Olli Pettay, Boris Zbarsky, and Jesse     Ruderman reported memory safety problems and crashes     that affect Firefox ESR and Firefox 13. (CVE-2012-1937)

    Ken Russell of Google reported a bug in NVIDIA graphics     drivers that they needed to work around in the Chromium     WebGL implementation. Mozilla has done the same in     Firefox 13 and ESR 10.0.5. (CVE-2011-3101)

  - Security researcher James Forshaw of Context Information     Security found two issues with the Mozilla updater and     the Mozilla updater service introduced in Firefox 12 for     Windows. The first issue allows Mozilla's updater to     load a local DLL file in a privileged context. The     updater can be called by the Updater Service or     independently on systems that do not use the service.
    The second of these issues allows for the updater     service to load an arbitrary local DLL file, which can     then be run with the same system privileges used by the     service. Both of these issues require local file system     access to be exploitable. (MFSA 2012-35)

    Possible Arbitrary Code Execution by Update Service     (CVE-2012-1942) Updater.exe loads wsock32.dll from     application directory. (CVE-2012-1943)

  - Security researcher Adam Barth found that inline event     handlers, such as onclick, were no longer blocked by     Content Security Policy's (CSP) inline-script blocking     feature. Web applications relying on this feature of CSP     to protect against cross-site scripting (XSS) were not     fully protected. (CVE-2012-1944). (MFSA 2012-36)

  - Security researcher Paul Stone reported an attack where     an HTML page hosted on a Windows share and then loaded     could then load Windows shortcut files (.lnk) in the     same share. These shortcut files could then link to     arbitrary locations on the local file system of the     individual loading the HTML page. That page could show     the contents of these linked files or directories from     the local file system in an iframe, causing information     disclosure. (MFSA 2012-37)

    This issue could potentially affect Linux machines with     samba shares enabled. (CVE-2012-1945)

  - Security researcher Arthur Gerkis used the Address     Sanitizer tool to find a use-after-free while     replacing/inserting a node in a document. This     use-after-free could possibly allow for remote code     execution. (CVE-2012-1946). (MFSA 2012-38)

  - Security researcher Kaspar Brand found a flaw in how the     Network Security Services (NSS) ASN.1 decoder handles     zero length items. Effects of this issue depend on the     field. One known symptom is an unexploitable crash in     handling OCSP responses. NSS also mishandles zero-length     basic constraints, assuming default values for some     types that should be rejected as malformed. These issues     have been addressed in NSS 3.13.4, which is now being     used by Mozilla. (CVE-2012-0441). (MFSA 2012-39)

  - Security researcher Abhishek Arya of Google used the     Address Sanitizer tool to uncover several issues: two     heap buffer overflow bugs and a use-after-free problem.
    The first heap buffer overflow was found in conversion     from unicode to native character sets when the function     fails. The use-after-free occurs in nsFrameList when     working with column layout with absolute positioning in     a container that changes size. The second buffer     overflow occurs in nsHTMLReflowState when a window is     resized on a page with nested columns and a combination     of absolute and relative positioning. All three of these     issues are potentially exploitable. (MFSA 2012-40)

    Heap-buffer-overflow in utf16_to_isolatin1     (CVE-2012-1947) Heap-use-after-free in     nsFrameList::FirstChild. (CVE-2012-1940)

    Heap-buffer-overflow in     nsHTMLReflowState::CalculateHypotheticalBox, with nested     multi-column, relative position, and absolute position.
    (CVE-2012-1941)

More information on security issues can be found on:
http://www.mozilla.org/security/announce/

Versions of SeaMonkey 2.x earlier than 2.10 are potentially affected by the following security issues :

  - An error exists in the ASN.1 decoder when handling zero length items that can lead to application crashes. (CVE-2012-0441)

  - Multiple memory corruption errors exist. (CVE-2012-1937, CVE-2012-1938)

  - Two heap-based buffer overflows and one heap-based use-after-free error exist and are potentially exploitable. (CVE-2012-1940, CVE-2012-1941, CVE-2012-1947)

  - Two arbitrary DLL load issues exist related to the application update and update service functionality. (CVE-2012-1942, CVE-2012-1943)

  - The inline-script blocking feature of the 'Content Security Policy' (CSP) does not properly block inline event handlers. This error allows remote attackers to more easily carry out cross-site scripting attacks. (CVE-2012-1944)

  -  A use-after-free error exists related to replacing or inserting a node into a web document. (CVE-2012-1946)


Versions of Mozilla Thunderbird prior to 13.0 are affected by the following security issues :

 - An error exists in the ASN.1 decoder when handling zero length items that can lead to application crashes. (CVE-2012-0441)
 - Multiple memory corruption errors exist. (CVE-2012-1937, CVE-2012-1038)
 - Two heap-based buffer overflows and one heap-based use-after-free error exist and are potentially exploitable. (CVE-2012-1940, CVE-2012-1941, CVE-2012-1947)
 - Two arbitrary DLL load issues exist related to the application update and update service functionality. (CVE-2012-1942, CVE-2012-1943)
 - The inline-script blocking feature of the 'Content Security Policy' (CSP) does not properly block inline event handlers. This error allows remote attackers to more easily carry out cross-site scripting attacks. (CVE-2012-1944)
 - A use-after-free error exists related to replacing or inserting a node into a web document. (CVE-2012-1946)

Versions of Firefox prior to 13.0 are potentially affected by the following security issues :

 - An error exists in the ASN.1 decoder when handling zero length items that can lead to application crashes. (CVE-2012-0441)
 - Multiple memory corruption errors exist. (CVE-2012-1937, CVE-2012-1038)
 - Two heap-based buffer overflows and one heap-based use-after-free error exist and are potentially exploitable. (CVE-2012-1940, CVE-2012-1941, CVE-2012-1947)
 - Two arbitrary DLL load issues exist related to the application update and update service functionality. (CVE-2012-1942, CVE-2012-1943)
 - The inline-script blocking feature of the 'Content Security Policy' (CSP) does not properly block inline event handlers. This error allows remote attackers to more easily carry out cross-site scripting attacks. (CVE-2012-1944)
 -  A use-after-free error exists related to replacing or inserting a node into a web document. (CVE-2012-1946)


The installed version of SeaMonkey is earlier than 2.10.0. Such versions are potentially affected by the following security issues :

  - An error exists in the ASN.1 decoder when handling zero     length items that can lead to application crashes.
    (CVE-2012-0441)

  - Multiple memory corruption errors exist. (CVE-2012-1937,     CVE-2012-1938)

  - Two heap-based buffer overflows and one heap-based use-     after-free error exist and are potentially exploitable.
    (CVE-2012-1940, CVE-2012-1941, CVE-2012-1947)

  - Two arbitrary DLL load issues exist related to the     application update and update service functionality.
    (CVE-2012-1942, CVE-2012-1943)

  - The inline-script blocking feature of the 'Content     Security Policy' (CSP) does not properly block inline     event handlers. This error allows remote attackers to     more easily carry out cross-site scripting attacks.
    (CVE-2012-1944)

  - A use-after-free error exists related to replacing or     inserting a node into a web document. (CVE-2012-1946)

  - An error exists related to the certificate warning page     that can allow 'clickjacking' thereby tricking a user     into accepting unintended certificates. (CVE-2012-1964)

The installed version of Thunderbird is earlier than 13.0 and thus, is potentially affected by the following security issues :

  - An error exists in the ASN.1 decoder when handling zero     length items that can lead to application crashes.
    (CVE-2012-0441)

  - Multiple memory corruption errors exist. (CVE-2012-1937,     CVE-2012-1938)

  - Two heap-based buffer overflows and one heap-based use-     after-free error exist and are potentially exploitable.
    (CVE-2012-1940, CVE-2012-1941, CVE-2012-1947)

  - Two arbitrary DLL load issues exist related to the     application update and update service functionality.
    (CVE-2012-1942, CVE-2012-1943)

  - The inline-script blocking feature of the 'Content     Security Policy' (CSP) does not properly block inline     event handlers. This error allows remote attackers to     more easily carry out cross-site scripting attacks.
    (CVE-2012-1944)

  - A use-after-free error exists related to replacing or     inserting a node into a web document. (CVE-2012-1946)

  - An error exists related to the certificate warning page     that can allow 'clickjacking' thereby tricking a user     into accepting unintended certificates. (CVE-2012-1964)

The installed version of Firefox is earlier than 13.0 and thus, is potentially affected by the following security issues :

  - An error exists in the ASN.1 decoder when handling zero     length items that can lead to application crashes.
    (CVE-2012-0441)

  - Multiple memory corruption errors exist. (CVE-2012-1937,     CVE-2012-1938)

  - Two heap-based buffer overflows and one heap-based use-     after-free error exist and are potentially exploitable.
    (CVE-2012-1940, CVE-2012-1941, CVE-2012-1947)

  - Two arbitrary DLL load issues exist related to the     application update and update service functionality.
    (CVE-2012-1942, CVE-2012-1943)

  - The inline-script blocking feature of the 'Content     Security Policy' (CSP) does not properly block inline     event handlers. This error allows remote attackers to     more easily carry out cross-site scripting attacks.
    (CVE-2012-1944)

  - A use-after-free error exists related to replacing or     inserting a node into a web document. (CVE-2012-1946)

  - An error exists related to the certificate warning page     that can allow 'clickjacking' thereby tricking a user     into accepting unintended certificates. (CVE-2012-1964)

ID	Name	Product	Family	Severity
64208	SuSE 11.1 Security Update : Mozilla Firefox (SAT Patch Number 6425)	Nessus	SuSE Local Security Checks	critical
59520	SuSE 10 Security Update : Mozilla Firefox (ZYPP Patch Number 8189)	Nessus	SuSE Local Security Checks	critical
6496	SeaMonkey 2.x < 2.10 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	high
6498	Mozilla Thunderbird < 13.0 Multiple Vulnerabilities	Nessus Network Monitor	SMTP Clients	high
6497	Mozilla Firefox < 13.0 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	high
59411	SeaMonkey < 2.10.0 Multiple Vulnerabilities	Nessus	Windows	high
59409	Mozilla Thunderbird < 13.0 Multiple Vulnerabilities	Nessus	Windows	high
59407	Firefox < 13.0 Multiple Vulnerabilities	Nessus	Windows	high

Detections

Analytics

CVE-2012-1943

high

Tenable Plugins

critical

critical

high

high

high

high

high

high