MozillaFirefox: Security update to 3.0.14 release

This update brings the Mozilla Firefox browser to the 3.0.14 stable release. It also fixes various security issues:

MFSA 2009-47 / CVE-2009-3069 / CVE-2009-3070 / CVE-2009-3071 / CVE-2009-3072 / CVE-2009-3073 / CVE-2009-30 / CVE-2009-3075: Mozilla developers and community members identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.

MFSA 2009-48 / CVE-2009-3076: Mozilla security researcher Jesse Ruderman reported that when security modules were added or removed via pkcs11.addmodule or pkcs11.deletemodule, the resulting dialog was not sufficiently informative. Without sufficient warning, an attacker could entice a victim to install a malicious PKCS11 module and affect the cryptographic integrity of the victim's browser. Security researcher Dan Kaminsky reported that this issue had not been fixed in Firefox 3.0 and that under certain circumstances pkcs11 modules could be installed from a remote location. Firefox 3.5 releases are not affected.

MFSA 2009-49 / CVE-2009-3077: An anonymous security researcher, via TippingPoint's Zero Day Initiative, reported that the columns of a XUL tree element could be manipulated in a particular way which would leave a pointer owned by the column pointing to freed memory. An attacker could potentially use this vulnerability to crash a victim's browser and run arbitrary code on the victim's computer.

MFSA 2009-50 / CVE-2009-3078: Security researcher Juan Pablo Lopez Yacubian reported that the default Windows font used to render the locationbar and other text fields was improperly displaying certain Unicode characters with tall line-height. In such cases the tall line-height would cause the rest of the text in the input field to be scrolled vertically out of view. An attacker could use this vulnerability to prevent a user from seeing the URL of a malicious site. Corrie Sloot also independently reported this issue to Mozilla.

MFSA 2009-51 / CVE-2009-3079: Mozilla security researcher moz_bug_r_a4 reported that the BrowserFeedWriter could be leveraged to run JavaScript code from web content with elevated privileges. Using this vulnerability, an attacker could construct an object containing malicious JavaScript and cause the FeedWriter to process the object, running the malicious code with chrome privileges. Thunderbird does not support the BrowserFeedWriter object and is not vulnerable in its default configuration. Thunderbird might be vulnerable if the user has installed any add-on which adds a similarly implemented feature and then enables JavaScript in mail messages. This is not the default setting and we strongly discourage users from running JavaScript in mail.

Issues fixed in the 3.0.13 release were:

MFSA 2009-44 / CVE-2009-2654: Security researcher Juan Pablo Lopez Yacubian reported that an attacker could call window.open() on an invalid URL which looks similar to a legitimate URL and then use document.write() to place content within the new document, appearing to have come from the spoofed location. Additionally, if the spoofed document was created by a document with a valid SSL certificate, the SSL indicators would be carried over into the spoofed document. An attacker could use these issues to display misleading location and SSL information for a malicious web page.

MFSA 2009-45 / CVE-2009-2662: The browser engine in Mozilla Firefox before 3.0.13, and 3.5.x before 3.5.2, allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to the TraceRecorder::snapshot function in js/src/jstracer.cpp, and unspecified other vectors.

CVE-2009-2663 / MFSA 2009-45: libvorbis before r16182, as used in Mozilla Firefox before 3.0.13 and 3.5.x before 3.5.2 and other products, allows context-dependent attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted .ogg file.

CVE-2009-2664 / MFSA 2009-45: The js_watch_set function in js/src/jsdbgapi.cpp in the JavaScript engine in Mozilla Firefox before 3.0.13, and 3.5.x before 3.5.2, allows remote attackers to cause a denial of service (assertion failure and application exit) or possibly execute arbitrary code via a crafted .js file, related to a "memory safety bug."