----------------------------------------------------------------------

Become a PSI 3.0 beta tester!
Test-drive the new beta version and tell us what you think about its extended automatic update function and significantly enhanced user-interface.
Download it here!
http://secunia.com/psi_30_beta_launch

----------------------------------------------------------------------

TITLE:
Mozilla Firefox / Thunderbird Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA48932

VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/48932/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=48932

RELEASE DATE:
2012-04-25

DISCUSS ADVISORY:
http://secunia.com/advisories/48932/#comments

AVAILABLE ON SITE AND IN CUSTOMER AREA:
 * Last Update
 * Popularity
 * Comments
 * Criticality Level
 * Impact
 * Where
 * Solution Status
 * Operating System / Software
 * CVE Reference(s)

http://secunia.com/advisories/48932/

ONLY AVAILABLE IN CUSTOMER AREA:
 * Authentication Level
 * Report Reliability
 * Secunia PoC
 * Secunia Analysis
 * Systems Affected
 * Approve Distribution
 * Remediation Status
 * Secunia CVSS Score
 * CVSS

https://ca.secunia.com/?page=viewadvisory&vuln_id=48932

ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
 * AUTOMATED SCANNING

http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/

DESCRIPTION:
Multiple vulnerabilities have been reported in Mozilla Firefox and
Thunderbird, which can be exploited by malicious people to conduct
cross-site scripting and spoofing attacks, disclose certain system
and sensitive information, bypass certain security restrictions, and
compromise a user's system.

1) Multiple unspecified errors can be exploited to corrupt memory.

2) A use-after-free error exists within the XPConnect hashtable when
handling IDBKeyRange indexedDB.

3) An error within the gfxImageSurface class when handling certain
graphic values can be exploited to cause a heap-based buffer
overflow.

4) An error when handling multi-octet encoding can be exploited to
conduct cross-site scripting attacks.

5) An error within the "cairo_dwrite_font_face()" function when
rendering fonts can be exploited to corrupt memory.

6) An error within the "WebGL.drawElements()" function when handling
certain template arguments can be exploited to disclose contents of
arbitrary video memory.

7) An error within docshell when loading pages can be exploited to
display arbitrary content while showing the URL of a trusted web site
in the address bar and e.g. conduct cross-site scripting attacks.

8) An error within the handling of XMLHttpRequest and WebSocket while
using an IPv6 address can be exploited to bypass the same-origin
policy.

9) An error when decoding ISO-2022-KR and ISO-2022-CN character sets
can be exploited to conduct cross-site scripting attacks.

10) An error exists within the "texImage2D()" function within WebGL
when using JSVAL_TO_OBJECT.

11) An off-by-one error exists within the OpenType sanitizer when
parsing certain data.

12) An error within the handling of javascript errors can be
exploited to disclose the file names and location of javascript files
on a server.

13) An error when handling RSS and Atom XML content loaded over HTTPS
can be exploited to display arbitrary content while showing the URL of
a trusted web site in the address bar.

Successful exploitation of vulnerabilities #1, #2, #3, #5, #10, and
#11 may allow execution of arbitrary code.

SOLUTION:
Upgrade to Firefox version 12.0 and Thunderbird version 12.0

PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Christian Holler, Bob Clary, Christian Holler, Brian Hackett,
Bobby Holley, Gary Kwong, Hilary Hall, Honza Bambas, Jesse Ruderman,
Julian Seward, and Olli Pettay
2) Aki Helin, OUSPG
3) Atte Kettunen, OUSPG
4) Anne van Kesteren, Opera Software
5) wushi, team509 via iDefense
6) Matias Juntunen
7) Jordi Chancel, Eddy Bordi, and Chris McGowen
8) Simone Fabiano
9) Masato Kinugawa
10) Ms2ger
11) Mateusz Jurczyk, Google Security Team
12) Daniel Divricean
13) Jeroen van der Gun

ORIGINAL ADVISORY:
http://www.mozilla.org/security/announce/2012/mfsa2012-20.html
http://www.mozilla.org/security/announce/2012/mfsa2012-22.html
http://www.mozilla.org/security/announce/2012/mfsa2012-23.html
http://www.mozilla.org/security/announce/2012/mfsa2012-24.html
http://www.mozilla.org/security/announce/2012/mfsa2012-25.html
http://www.mozilla.org/security/announce/2012/mfsa2012-26.html
http://www.mozilla.org/security/announce/2012/mfsa2012-27.html
http://www.mozilla.org/security/announce/2012/mfsa2012-28.html
http://www.mozilla.org/security/announce/2012/mfsa2012-29.html
http://www.mozilla.org/security/announce/2012/mfsa2012-30.html
http://www.mozilla.org/security/announce/2012/mfsa2012-31.html
http://www.mozilla.org/security/announce/2012/mfsa2012-32.html
http://www.mozilla.org/security/announce/2012/mfsa2012-33.html

OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/

DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/

EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/

EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/

EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/advisories/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/


Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------

Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

----------------------------------------------------------------------