openSUSE Security Update : MozillaFirefox (openSUSE-SU-2012:0899-1)

This script is Copyright (C) 2014 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

MozillaFirefox was updated to 14.0.1 to fix various bugs and security
issues.

Following security issues were fixed: MFSA 2012-42: Mozilla developers
identified and fixed several memory safety bugs in the browser engine
used in Firefox and other Mozilla-based products. Some of these bugs
showed evidence of memory corruption under certain circumstances, and
we presume that with enough effort at least some of these could be
exploited to run arbitrary code.

CVE-2012-1949: Brian Smith, Gary Kwong, Christian Holler, Jesse
Ruderman, Christoph Diehl, Chris Jones, Brad Lassey, and Kyle Huey
reported memory safety problems and crashes that affect Firefox 13.

CVE-2012-1948: Benoit Jacob, Jesse Ruderman, Christian Holler, and
Bill McCloskey reported memory safety problems and crashes that affect
Firefox ESR 10 and Firefox 13.

MFSA 2012-43 / CVE-2012-1950: Security researcher Mario Gomes
andresearch firm Code Audit Labs reported a mechanism to short-circuit
page loads through drag and drop to the addressbar by canceling the
page load. This causes the address of the previously site entered to
be displayed in the addressbar instead of the currently loaded page.
This could lead to potential phishing attacks on users.

MFSA 2012-44 Google security researcher Abhishek Arya used the Address
Sanitizer tool to uncover four issues: two use-after-free problems,
one out of bounds read bug, and a bad cast. The first use-after-free
problem is caused when an array of nsSMILTimeValueSpec objects is
destroyed but attempts are made to call into objects in this array
later. The second use-after-free problem is in nsDocument::AdoptNode
when it adopts into an empty document and then adopts into another
document, emptying the first one. The heap buffer overflow is in
ElementAnimations when data is read off of end of an array and then
pointers are dereferenced. The bad cast happens when
nsTableFrame::InsertFrames is called with frames in aFrameList that
are a mix of row group frames and column group frames. AppendFrames is
not able to handle this mix.

All four of these issues are potentially exploitable. CVE-2012-1951:
Heap-use-after-free in nsSMILTimeValueSpec::IsEventBased
CVE-2012-1954: Heap-use-after-free in nsDocument::AdoptNode
CVE-2012-1953: Out of bounds read in
ElementAnimations::EnsureStyleRuleFor CVE-2012-1952: Bad cast in
nsTableFrame::InsertFrames

MFSA 2012-45 / CVE-2012-1955: Security researcher Mariusz Mlynski
reported an issue with spoofing of the location property. In this
issue, calls to history.forward and history.back are used to navigate
to a site while displaying the previous site in the addressbar but
changing the baseURI to the newer site. This can be used for phishing
by allowing the user input form or other data on the newer, attacking,
site while appearing to be on the older, displayed site.

MFSA 2012-46 / CVE-2012-1966: Mozilla security researcher moz_bug_r_a4
reported a cross-site scripting (XSS) attack through the context menu
using a data: URL. In this issue, context menu functionality ('View
Image', 'Show only this frame', and 'View background image') are
disallowed in a javascript: URL but allowed in a data: URL, allowing
for XSS. This can lead to arbitrary code execution.

MFSA 2012-47 / CVE-2012-1957: Security researcher Mario Heiderich
reported that JavaScript could be executed in the HTML feed-view using
<embed> tag within the RSS <description>. This problem is due to
<embed> tags not being filtered out during parsing and can lead to a
potential cross-site scripting (XSS) attack. The flaw existed in a
parser utility class and could affect other parts of the browser or
add-ons which rely on that class to sanitize untrusted input.

MFSA 2012-48 / CVE-2012-1958: Security researcher Arthur Gerkis used
the Address Sanitizer tool to find a use-after-free in
nsGlobalWindow::PageHidden when mFocusedContent is released and
oldFocusedContent is used afterwards. This use-after-free could
possibly allow for remote code execution.

MFSA 2012-49 / CVE-2012-1959: Mozilla developer Bobby Holley found
that same-compartment security wrappers (SCSW) can be bypassed by
passing them to another compartment. Cross-compartment wrappers often
do not go through SCSW, but have a filtering policy built into them.
When an object is wrapped cross-compartment, the SCSW is stripped off
and, when the object is read read back, it is not known that SCSW was
previously present, resulting in a bypassing of SCSW. This could
result in untrusted content having access to the XBL that implements
browser functionality.

MFSA 2012-50 / CVE-2012-1960: Google developer Tony Payne reported an
out of bounds (OOB) read in QCMS, Mozilla&rsquo;s color management
library. With a carefully crafted color profile portions of a user's
memory could be incorporated into a transformed image and possibly
deciphered.

MFSA 2012-51 / CVE-2012-1961: Bugzilla developer
Fr&eacute;d&eacute;ric Buclin reported that the 'X-Frame-Options
header is ignored when the value is duplicated, for example
X-Frame-Options: SAMEORIGIN, SAMEORIGIN. This duplication occurs for
unknown reasons on some websites and when it occurs results in Mozilla
browsers not being protected against possible clickjacking attacks on
those pages.

MFSA 2012-52 / CVE-2012-1962: Security researcher Bill Keese reported
a memory corruption. This is caused by JSDependentString::undepend
changing a dependent string into a fixed string when there are
additional dependent strings relying on the same base. When the
undepend occurs during conversion, the base data is freed, leaving
other dependent strings with dangling pointers. This can lead to a
potentially exploitable crash.

MFSA 2012-53 / CVE-2012-1963: Security researcher Karthikeyan
Bhargavan of Prosecco at INRIA reported Content Security Policy (CSP)
1.0 implementation errors. CSP violation reports generated by Firefox
and sent to the 'report-uri' location include sensitive data within
the 'blocked-uri' parameter. These include fragment components and
query strings even if the 'blocked-uri' parameter has a different
origin than the protected resource. This can be used to retrieve a
user's OAuth 2.0 access tokens and OpenID credentials by malicious
sites.

MFSA 2012-54 / CVE-2012-1964: Security Researcher Matt McCutchen
reported that a clickjacking attack using the certificate warning
page. A man-in-the-middle (MITM) attacker can use an iframe to display
its own certificate error warning page (about:certerror) with the 'Add
Exception' button of a real warning page from a malicious site. This
can mislead users to adding a certificate exception for a different
site than the perceived one. This can lead to compromised
communications with the user perceived site through the MITM attack
once the certificate exception has been added.

MFSA 2012-55 / CVE-2012-1965: Security researchers Mario Gomes and
Soroush Dalili reported that since Mozilla allows the pseudo-protocol
feed: to prefix any valid URL, it is possible to construct
feed:javascript: URLs that will execute scripts in some contexts. On
some sites it may be possible to use this to evade output filtering
that would otherwise strip javascript: URLs and thus contribute to
cross-site scripting (XSS) problems on these sites.

MFSA 2012-56 / CVE-2012-1967: Mozilla security researcher moz_bug_r_a4
reported a arbitrary code execution attack using a javascript: URL.
The Gecko engine features a JavaScript sandbox utility that allows the
browser or add-ons to safely execute script in the context of a web
page. In certain cases, javascript: URLs are executed in such a
sandbox with insufficient context that can allow those scripts to
escape from the sandbox and run with elevated privilege. This can lead
to arbitrary code execution.

See also :

http://lists.opensuse.org/opensuse-updates/2012-07/msg00039.html
https://bugzilla.novell.com/show_bug.cgi?id=771583

Solution :

Update the affected MozillaFirefox packages.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now