ID: 3503
Date: 27/11/2007
Title: 3503 - Mozilla Firefox 2.0.0.10 Fixes Multiple Vulnerabilities
Platform level affected: Net Application - Client
Specific operating systems components affected: 32-bit Windows
Other software: Web Browser
Remediation Summary: Update your copy of the software with the download available from the supplier.
Vendors affected: Mozilla
Applications affected:Firefox
Adversity source: Unknown
Attack Vector: Vulnerability exploitation
Virulence: Unknown
Warning Status: Unknown
Potential Damage: Remote execution/modification
Possible Duration: Unknown
Availability of fix: Available
Type of fix: Patch
Source: Securitymob
Reliability of source: Known
Source URL: http://www.securitymob.com/?i=1K9X
CVE: CVE-2007-5947, CVE-2007-5959, CVE-2007-5960
Abstract: Mozilla has released Firefox 2.0.0.10 to fix a number of vulnerabilities.
Mozilla Firefox 2.0.0.10 Fixes Multiple Vulnerabilities
UPDATE INFORMATION
Mozilla has released Firefox 2.0.0.10 to fix this and other vulnerabilities. Elevated threat level to Medium.
CURRENT RISK LEVEL : Medium
ALERT TYPE : Patch release
FURTHER INFO
http://www.mozilla.org/security/announce/2007/mfsa2007-37.html
http://www.mozilla.org/security/announce/2007/mfsa2007-38.html
http://www.mozilla.org/security/announce/2007/mfsa2007-39.html
http://www.securityfocus.com/bid/26385
http://www.kb.cert.org/vuls/id/715737
PROBLEM ISSUE SUMMARY
Update 26 November 2007
Mozilla Foundation Security Advisory 2007-37
Description
The jar: URI scheme was introduced as a mechanism to support digitally signed web pages, enabling web sites to load pages packaged in zip archives containing signatures in java-archive format.
Jesse Ruderman and Petko D. Petkov point out this means that sites that allow users to upload binary content in zip format are effectively allowing users to install web pages on their site, and these can be used to perform Cross-Site Scripting (XSS) attacks.
The blogger at beford.org noted that redirects confused Mozilla browsers about the true source of the jar: content: the content was wrongly considered to originate with the redirecting site rather than the actual source. This meant that an XSS attack could be mounted against any site with an open redirect even if it didn't allow uploads. A published proof-of-concept demonstrates stealing the GMail contact list of users logged-in to
WORKAROUND
Workarounds for network administrators and users
* Using proxy servers or application firewalls to block URIs that contain jar: may mitigate this vulnerability.
* NoScript version 1.1.7.8 and later may prevent this vulnerability from being exploited.
Workarounds for website administrators
* Blocking URIs that contain jar: using a reverse proxy or application firewall could prevent an attacker from uploading content that could exploit website visitors.
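The proxy and application-firewall workarounds above amount to recognising jar: URIs in requested URLs and in redirect targets. The following is an added example, not code from the advisory or from Mozilla, of such a check: it percent-decodes a URL (so a jar: reference hidden inside an encoded redirect parameter is still seen), extracts the archive URL, the host that actually serves the archive, and the entry the browser would render, and makes a block decision against an allow-list. The jar: shape it assumes, `jar:<archive-url>!/<entry>`, is the one Firefox's jar: protocol handler uses; the sample URLs, host names and the `should_block` policy are constructed for illustration.

```python
"""Detect jar: URIs in URLs the way a forward proxy or a site's redirect
endpoint could, as a filter implementing the advisory's workaround.
Added example, not part of the original advisory."""
from __future__ import annotations

import re
from typing import NamedTuple
from urllib.parse import unquote, urlsplit

# Assumed jar: URI shape: jar:<archive-url>!/<entry-path>.
# Case-insensitive so "JAR:" and mixed-case spellings are also matched.
_JAR_RE = re.compile(
    r"jar:(?P<archive>[a-z][a-z0-9+.-]*:[^!\s]+)!/(?P<entry>[^\s\"'<>]*)",
    re.IGNORECASE,
)


class JarRef(NamedTuple):
    archive_url: str   # URL of the zip archive the page is loaded from
    archive_host: str  # host that really serves the archive (its true origin)
    entry: str         # file inside the archive the browser would render


def decode_for_inspection(value: str) -> str:
    """Percent-decode repeatedly (bounded) so a jar: URI tucked into a
    double-encoded redirect parameter such as ?next=jar%253A... is visible."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_jar_refs(value: str) -> list[JarRef]:
    """Return every jar: reference found anywhere in the given URL or string."""
    refs = []
    for m in _JAR_RE.finditer(decode_for_inspection(value)):
        archive = m.group("archive")
        host = (urlsplit(archive).hostname or "").lower()
        refs.append(JarRef(archive, host, m.group("entry")))
    return refs


def should_block(url: str, allowed_hosts: frozenset[str] = frozenset()) -> bool:
    """Proxy/WAF decision (hypothetical policy): block any request or redirect
    target carrying a jar: URI unless the archive comes from an allowed host."""
    return any(ref.archive_host not in allowed_hosts for ref in find_jar_refs(url))


def triage(urls: list[str]) -> dict[str, list[JarRef]]:
    """Map each URL that carries jar: references to those references."""
    result = {}
    for url in urls:
        refs = find_jar_refs(url)
        if refs:
            result[url] = refs
    return result


# Constructed sample of URLs as a proxy log might record them (not real traffic).
SAMPLE_URLS = [
    "http://www.example.com/index.html",
    "jar:http://uploads.example.com/files/photos.zip!/page.html",
    # jar: URI passed as an open-redirect target, percent-encoded once
    "http://www.example.com/redirect?url=jar%3Ahttp%3A%2F%2Fother.example%2Fa.zip%21%2Fx.html",
    # the same, encoded twice
    "http://www.example.com/search?q=jar%253Ahttp%253A%252F%252Fother.example%252Fa.zip%2521%252Fx.html",
]

if __name__ == "__main__":
    for url, refs in triage(SAMPLE_URLS).items():
        for r in refs:
            print(f"BLOCK {url}\n  archive served by {r.archive_host}: "
                  f"{r.archive_url} -> {r.entry}")
```

Reporting `archive_host` separately matters because of the redirect confusion the advisory describes: whatever site the redirect came from, the archive's own host is the origin a filter should reason about.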
SOLUTION
Update to version 2.0.0.10
DESCRIPTION
Source information provided by: Mozilla
Fixed in Firefox 2.0.0.10
MFSA 2007-39 Referer-spoofing via window.location race condition
MFSA 2007-38 Memory corruption vulnerabilities (rv:1.8.1.10)
MFSA 2007-37 jar: URI scheme XSS hazard
Mozilla Foundation Security Advisory 2007-37
Title: jar: URI scheme XSS hazard
Impact: High
Announced: November 26, 2007
Reporter: Jesse Ruderman, Petko D. Petkov, beford.org
Products: Firefox, SeaMonkey
Fixed in: Firefox 2.0.0.10
SeaMonkey 1.1.7
IMPACT TYPE
Cross-site scripting, Denial of service, Potential arbitrary code execution
IMPACTS FROM
Remote
CVE CODE(S)
CVE-2007-5947, CVE-2007-5959, CVE-2007-5960
View this alert online at http://www.securitymob.com/?i=1K9X
This advisory contains information released by the original author. Some of the information may have changed since it was released. If the issue affects you, it may be prudent to retrieve the advisory from the site of the original source to ensure that you receive the most current information concerning that problem. Reference to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by CPNI.
The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes. CPNI shall not accept responsibility for any errors or omissions contained within this advisory. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this advisory.
CSIRTUK is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large.
Tue, 27 Nov 2007 00:00:00 GMT
Domain affected: Technical