Cyber Notices & Alerts - Updated 8/19/10

 

 

MULTI-STATE INFORMATION SHARING AND ANALYSIS CENTER CYBER SECURITY ADVISORY  (posted 8/19/10)

 

MS-ISAC ADVISORY NUMBER:
2010-067

DATE(S) ISSUED:
8/11/2010

 

SUBJECT:
Multiple Vulnerabilities Discovered in Adobe Products

 

OVERVIEW:
Six vulnerabilities have been discovered in Adobe Flash Player and Adobe AIR. Adobe Flash Player is a widely distributed multimedia and application player for Windows, Macintosh, Linux and Solaris systems. Adobe AIR is a cross-platform runtime for running Internet applications on the desktop. These vulnerabilities can be exploited if a user visits a website hosting malicious content or opens an email attachment containing Flash media designed to trigger them.

 

Successful exploitation of five of these vulnerabilities could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The remaining vulnerability could allow an attacker to obtain confidential information.

 

SYSTEMS AFFECTED:

 

  • Adobe Flash Player 10.1.53.64 and earlier

  • Adobe AIR 2.0.2.12610 and earlier

 

RISK:


Government:

  • Large and medium government entities: High

  • Small government entities: High

 

Businesses:

  • Large and medium business entities: High

  • Small business entities: High

 

Home users: High

 

DESCRIPTION:

Six vulnerabilities have been identified in Adobe Flash Player and Adobe AIR, which include remote code execution and click-jacking. These vulnerabilities can be exploited if a user visits a website hosting malicious content or opens an email attachment containing a Flash media file designed to trigger these issues. Details of these vulnerabilities are as follows:

 

  • Five vulnerabilities caused by unspecified memory corruption errors could result in remote code execution.

  • A click-jacking vulnerability affecting Flash Player 10 on unspecified platforms. Click-jacking is a technique in which code or a script embedded in a web page tricks a user into performing an unintended action, either by concealing a link or button under visible content or by having a visible button trigger a hidden, malicious action.

 

Successful exploitation of these vulnerabilities could allow an attacker to gain the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

 

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply the appropriate updates which have been provided by Adobe to vulnerable systems immediately after appropriate testing.

  • Systems running Adobe Flash Player 10.1.53.64 and earlier versions should be updated to version 10.1.82.76.

  • Systems running Adobe AIR 2.0.2.12610 and earlier versions should be updated to version 2.0.3.

  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources.
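The recommendations above name the fixed versions but not how to confirm a system has them. The following PowerShell inventory check is an added example, not part of the MS-ISAC advisory or Adobe's documentation. It assumes that Flash Player records its version as a comma-separated string (for example "10,1,82,76") in the CurrentVersion value under HKLM\SOFTWARE\Macromedia\FlashPlayer (under Wow6432Node on 64-bit Windows), and that Adobe AIR registers in the Uninstall hive with a DisplayName of "Adobe AIR" and a dotted DisplayVersion. The function names are this example's own.

```powershell
# Added example (not part of the MS-ISAC advisory): compare installed Adobe Flash Player
# and Adobe AIR versions against the fixed versions the advisory names.
# Assumed locations (see lead-in): Flash -> HKLM\SOFTWARE\Macromedia\FlashPlayer\CurrentVersion,
# AIR -> an Uninstall entry whose DisplayName is "Adobe AIR".

$FixedVersions = @{
    'Adobe Flash Player' = [version]'10.1.82.76'
    'Adobe AIR'          = [version]'2.0.3'
}

function ConvertTo-Version {
    # Adobe writes "10,1,82,76"; [version] wants dots and accepts two to four components.
    param([string]$Text)
    $clean = ($Text -replace ',', '.').Trim()
    if ($clean -notmatch '^\d+(\.\d+){1,3}$') { return $null }
    return [version]$clean
}

function Get-FlashPlayerVersion {
    $paths = 'HKLM:\SOFTWARE\Macromedia\FlashPlayer',
             'HKLM:\SOFTWARE\Wow6432Node\Macromedia\FlashPlayer'
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name CurrentVersion -ErrorAction SilentlyContinue).CurrentVersion
        if ($v) { return ConvertTo-Version $v }
    }
    return $null
}

function Get-AdobeAirVersion {
    $hives = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $entry = Get-ItemProperty -Path $hives -ErrorAction SilentlyContinue |
             Where-Object { $_.DisplayName -eq 'Adobe AIR' } | Select-Object -First 1
    if ($entry) { return ConvertTo-Version $entry.DisplayVersion }
    return $null
}

function Test-AdobePatchLevel {
    # One row per product: installed version, required version, verdict.
    # [version] comparison handles mixed lengths, so 2.0.3 correctly ranks above 2.0.2.12610.
    $installed = @{
        'Adobe Flash Player' = Get-FlashPlayerVersion
        'Adobe AIR'          = Get-AdobeAirVersion
    }
    foreach ($name in $FixedVersions.Keys) {
        $have = $installed[$name]
        $need = $FixedVersions[$name]
        $state = if ($null -eq $have)     { 'Not installed' }
                 elseif ($have -ge $need) { 'OK' }
                 else                     { 'VULNERABLE - update required' }
        New-Object PSObject -Property @{ Product = $name; Installed = $have; Required = $need; Status = $state }
    }
}

Test-AdobePatchLevel | Format-Table Product, Installed, Required, Status -AutoSize
```

Run it locally or through PowerShell remoting against a list of hosts; any row marked VULNERABLE still needs the 10.1.82.76 or 2.0.3 update.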

 

REFERENCES:

 

Adobe:

http://www.adobe.com/support/security/bulletins/apsb10-16.html

 

Security Focus:

http://www.securityfocus.com/bid/42361

http://www.securityfocus.com/bid/42362

http://www.securityfocus.com/bid/42363

http://www.securityfocus.com/bid/42364

 

CVE:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0209

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2188

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2213

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2214

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2215

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2216

 

 

MULTI-STATE INFORMATION SHARING AND ANALYSIS CENTER CYBER SECURITY ADVISORY (posted 8/19/10)

 

MS-ISAC ADVISORY NUMBER:
2010-066

DATE(S) ISSUED:
8/11/2010

 

SUBJECT:
Multiple Vulnerabilities in Internet Explorer Could Allow Remote Code Execution (MS10-053)

 

OVERVIEW:
Six vulnerabilities have been discovered in Microsoft's web browser, Internet Explorer, which could allow an attacker to take complete control of an affected system. Exploitation may occur if a user visits or is redirected to a web page which is specifically crafted to take advantage of these vulnerabilities. Successful exploitation of these vulnerabilities could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

 

SYSTEMS AFFECTED:

 

  • Internet Explorer 6

  • Internet Explorer 7

  • Internet Explorer 8

  • Windows XP SP3

  • Windows Server 2003

  • Windows Server 2008

  • Windows Vista

  • Windows 7

 

RISK:


Government:

  • Large and medium government entities: High

  • Small government entities: High

 

Businesses:

  • Large and medium business entities: High

  • Small business entities: High

 

Home users: High

 

DESCRIPTION:

Six vulnerabilities have been discovered in Microsoft Internet Explorer. Details of these vulnerabilities are as follows:


Event Handler Cross-Domain Vulnerability

An information disclosure vulnerability exists in Microsoft Internet Explorer that could allow a remote attacker access to sensitive data. Specifically, a script could be written that gives the attacker access to content in another domain or Internet Explorer zone. Exploitation may occur if a user visits a web page which is specifically crafted to take advantage of this vulnerability. Successful exploitation could result in an attacker viewing content from the local computer or from another browser window in another domain or Internet Explorer zone.

 

Three Uninitialized Memory Corruption Vulnerabilities

Three remote code execution vulnerabilities exist in the way that Microsoft Internet Explorer accesses an object that has not been correctly initialized or has been deleted. Exploitation may occur if a user visits a web page which is specifically crafted to take advantage of these vulnerabilities. When a user views the web page, the vulnerability could allow remote code execution. Successful exploitation gives the attacker access in the context of the currently logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

 

Race Condition Memory Corruption Vulnerability

A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that may have been corrupted due to a race condition. Exploitation may occur if a user visits a web page which is specifically crafted to take advantage of this vulnerability. Successful exploitation of this vulnerability could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

 

HTML Layout Memory Corruption Vulnerability

A remote code execution vulnerability has been discovered in the way that Internet Explorer accesses an object that has not been correctly initialized or deleted. Exploitation may occur if a user visits a web page which is specifically crafted to take advantage of this vulnerability. When a user views the Web page, the vulnerability could allow remote code execution. Successfully exploiting this issue may give the attacker access in the context of the currently logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. 

 

It should be noted that, by default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. Enhanced Security Configuration is a group of preconfigured settings in Internet Explorer that can reduce the likelihood of a user or administrator downloading and running specially crafted Web content on a server. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that have not been added to the Internet Explorer Trusted sites zone.

 

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.

  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

  • Consider configuring Internet Explorer to prompt before running Active Scripting or to disable Active Scripting.

  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources.
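The Active Scripting recommendation above can be applied and audited from PowerShell rather than by clicking through Internet Options. The script below is an added example, not part of the MS-ISAC advisory or a Microsoft tool. It relies on the documented layout of per-user zone settings under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<n> (1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites), where value 1400 is "Active scripting" with 0 = Enable, 1 = Prompt, 3 = Disable. It changes only the current user's setting; a Group Policy setting under HKLM would take precedence and is not handled here. The function names are this example's own.

```powershell
# Added example (not part of the MS-ISAC advisory): read and set Internet Explorer's
# "Active scripting" action for a URL security zone.
# Zone numbers: 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites.
# Value 1400 = Active scripting; 0 = Enable, 1 = Prompt, 3 = Disable (per-user, HKCU).

$ZonesRoot       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ActiveScripting = '1400'
$Actions         = @{ Enable = 0; Prompt = 1; Disable = 3 }

function Get-IEActiveScripting {
    param([ValidateRange(0,4)][int]$Zone = 3)
    $key  = Join-Path $ZonesRoot $Zone
    $item = Get-ItemProperty -Path $key -Name $ActiveScripting -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotSet (zone template default applies)' }
    $value = $item.$ActiveScripting
    foreach ($a in $Actions.GetEnumerator()) {
        if ($a.Value -eq $value) { return $a.Key }
    }
    return "Unknown($value)"
}

function Set-IEActiveScripting {
    param(
        [Parameter(Mandatory=$true)][ValidateSet('Enable','Prompt','Disable')][string]$Action,
        [ValidateRange(0,4)][int]$Zone = 3
    )
    $key = Join-Path $ZonesRoot $Zone
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $ActiveScripting -Value $Actions[$Action] -Type DWord
}

# Internet zone: move from Enable to Prompt, the lighter of the two options the advisory offers.
"Internet zone before: $(Get-IEActiveScripting -Zone 3)"
Set-IEActiveScripting -Action Prompt -Zone 3
"Internet zone after:  $(Get-IEActiveScripting -Zone 3)"
# Trusted sites (zone 2) are deliberately left unchanged, mirroring the Enhanced Security
# Configuration note above: sites placed in that zone are outside this mitigation.
```

Use `-Action Disable` for the stricter setting; either way, sites that need scripting can be moved to the Trusted sites zone rather than loosening the Internet zone again.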

 

REFERENCES:

 

Microsoft:

http://www.microsoft.com/technet/security/bulletin/MS10-053.mspx

 

Security Focus:

http://www.securityfocus.com/bid/42288

http://www.securityfocus.com/bid/42289

http://www.securityfocus.com/bid/42257

http://www.securityfocus.com/bid/42292

http://www.securityfocus.com/bid/42290

http://www.securityfocus.com/bid/42258

 

Secunia:

http://secunia.com/advisories/40895/

 

CVE:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1258

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2556

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2557

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2558

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2559

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2560

 

MULTI-STATE INFORMATION SHARING AND ANALYSIS CENTER CYBER SECURITY ADVISORY (posted 8/19/10)

MS-ISAC ADVISORY NUMBER:
2010-062

DATE(S) ISSUED:
8/10/2010

 

SUBJECT:
Vulnerability in Microsoft Office Excel Could Allow Remote Code Execution (MS10-057)

 

OVERVIEW:
A vulnerability has been discovered in Microsoft Office Excel, a spreadsheet application. This vulnerability could allow remote code execution if a user opens a specially crafted Excel file. The file may be received as an email attachment, or downloaded via the web. Successful exploitation could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

 

SYSTEMS AFFECTED:

 

  • Microsoft Office XP

  • Microsoft Office 2003

  • Microsoft Office 2004 for Mac

  • Microsoft Office 2008 for Mac

  • Open XML File Format Converter for Mac

 

RISK:


Government:

  • Large and medium government entities: High

  • Small government entities: High

 

Businesses:

  • Large and medium business entities: High

  • Small business entities: High

 

Home users: High

 

DESCRIPTION:
A vulnerability has been identified in Microsoft Office Excel that could allow an attacker to take complete control of an affected system. The vulnerability exists in the way Excel parses Excel (.xls) files. It is triggered by opening a specially crafted Excel file and can be exploited via email or through the web: in an email-based scenario the user would have to open the crafted file as an attachment, and in a web-based scenario the user would have to open the crafted file from a website hosting it. When the user opens the file, the attacker's supplied code executes.

 

Successful exploitation of this vulnerability could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

 

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.

  • Remind users not to open e-mail attachments from unknown users or suspicious e-mails from un-trusted sources.

  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

  • Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.

  • Consider using the Microsoft Office Isolated Conversion Environment (MOICE - http://support.microsoft.com/kb/935865).

REFERENCES:

 

Microsoft:

http://www.microsoft.com/technet/security/bulletin/ms10-057.mspx

http://support.microsoft.com/kb/935865

 

CVE:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2562

 

Security Focus:

http://www.securityfocus.com/bid/42199

 

MULTI-STATE INFORMATION SHARING AND ANALYSIS CENTER CYBER SECURITY ADVISORY (posted 8/19/10)

 

MS-ISAC ADVISORY NUMBER:
2010-061

 

DATE(S) ISSUED:
8/10/2010

 

SUBJECT:
Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (MS10-056)

 

OVERVIEW:
Four vulnerabilities have been discovered in Microsoft Office Word. These vulnerabilities can be exploited by opening a malicious Word document received as an email attachment, or by visiting a web site that is hosting a malicious Word document. Successful exploitation could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploitation could result in denial-of-service conditions.

 

SYSTEMS AFFECTED:

 

  • Microsoft Office XP

  • Microsoft Office 2003

  • 2007 Microsoft Office System

  • Microsoft Office 2004 for Mac

  • Microsoft Office 2008 for Mac

  • Open XML File Format Converter for Mac

  • Microsoft Office Word Viewer

  • Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats

  • Microsoft Works 9

 

RISK:


Government:

  • Large and medium government entities: High

  • Small government entities: High

 

Businesses:

  • Large and medium business entities: High

  • Small business entities: High

 

Home users: High

 

DESCRIPTION:
Four vulnerabilities have been discovered in Microsoft Office Word. Details of these vulnerabilities are as follows:

 

Word Record Parsing Vulnerability

A remote code execution vulnerability exists in the way that Microsoft Office Word handles malformed records inside a specially crafted Word file. When Microsoft Office Word opens a specially crafted Word file, it may corrupt system memory in such a way that an attacker could execute arbitrary code.

 

Word RTF Parsing Engine Memory Corruption Vulnerability

A remote code execution vulnerability exists in the way that Microsoft Office Word parses rich text data. Microsoft Office Word does not perform sufficient data validation when handling rich text data. When Word opens and parses a specially crafted rich text format (RTF) e-mail message or file, it may corrupt memory in such a way that an attacker could execute arbitrary code.

 

Word RTF Parsing Buffer Overflow Vulnerability

A remote code execution vulnerability exists in the way that Microsoft Office Word parses certain rich text data. Microsoft Office Word does not perform sufficient data validation when handling rich text data. When Word opens and parses a specially crafted rich text format (RTF) e-mail message or file, it may corrupt memory in such a way that an attacker could execute arbitrary code. 

 

Word HTML Linked Objects Memory Corruption Vulnerability

A remote code execution vulnerability exists in the way that Microsoft Office Word handles a specially crafted Word file that includes a malformed record. When Microsoft Office Word opens a specially crafted Word file, it may corrupt system memory in such a way that an attacker could execute arbitrary code.

 

Successful exploitation of these vulnerabilities will result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploitation could result in denial-of-service conditions.

 

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.

  • Remind users not to open e-mail attachments from unknown users or suspicious e-mails from trusted sources.

  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

  • Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.

  • Consider using the Microsoft Office Isolated Conversion Environment (MOICE - http://support.microsoft.com/kb/935865).

 

 

REFERENCES:

 

Microsoft:

http://www.microsoft.com/technet/security/bulletin/MS10-056.mspx

 

CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1900
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1901
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1902
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1903

 

MULTI-STATE INFORMATION SHARING AND ANALYSIS CENTER CYBER SECURITY ADVISORY (posted 8/6/10)

MS-ISAC ADVISORY NUMBER:
2010-053 - Updated

DATE(S) ISSUED:
7/17/2010
7/20/2010 – UPDATED
7/21/2010 – UPDATED
8/2/2010 – UPDATED

SUBJECT:
Vulnerability in Windows Shell Could Allow Automatic File Execution

ORIGINAL OVERVIEW:

A vulnerability has been discovered in Windows Shell, a component of the Microsoft Windows operating system, that could allow automatic file execution. Specifically, Windows incorrectly parses shortcut (LNK) files in such a way that malicious code may be executed when the user views the displayed icon of a specially crafted shortcut. Successful exploitation may result in an attacker gaining at least the same user privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

It has been confirmed that this vulnerability is being exploited in limited targeted attacks, however, we should anticipate more widespread exploitation in the short term.

There is currently no patch available for this vulnerability.

July 20 - UPDATED OVERVIEW:
Exploit code is publicly available. The exploit code has also been added to the Metasploit exploitation framework. We have tested the exploit code in our lab and confirmed that the exploit allows for code execution.

July 21 UPDATED OVERVIEW:
Microsoft Knowledge Base Article 2286198 has been updated to reflect that Program Information Files (PIF) are also affected by this vulnerability. The Knowledge Base Article includes a Fix it tool that disables LNK and PIF file functionality (http://support.microsoft.com/kb/2286198). This workaround applies only to the affected systems listed below.

Microsoft has also updated Security Advisory 2286198 to include additional attack vectors for this vulnerability, which increases the likelihood of exploitation. An attacker could embed an exploit in a document that supports embedded shortcuts or hosted browser controls, such as Microsoft Office documents, e-mail attachments, or web sites.

August 2 UPDATED OVERVIEW:

Microsoft has issued an Out of Band patch to address this vulnerability. Please note that this patch will not undo the previously indicated workarounds or the changes applied by the “Fix it” tool.

SYSTEMS AFFECTED:

  • Windows XP

  • Windows Vista

  • Windows 7

  • Windows Server 2003

  • Windows Server 2008

RISK:
Government:

  • Large and medium government entities: High

  • Small government entities: High

Businesses:

  • Large and medium business entities: High

  • Small business entities: High

Home users: High

ORIGINAL DESCRIPTION:
A vulnerability has been discovered in Windows Shell in the way it processes shortcut 'LNK' files that could allow automatic file execution. Exploitation may occur when the user views the displayed icon of a specially crafted shortcut. No user interaction is required other than viewing a folder while the specially crafted shortcut is displayed. Successful exploitation may result in an attacker gaining the same user privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Current reports indicate that this vulnerability is being exploited with USB and other removable media. It is possible for this vulnerability to be exploited through network shares.

This vulnerability is being exploited in limited targeted attacks and currently being detected as W32.temphid (Symantec), Troj/Stuxnet-A (Sophos), or Rootkit.TmpHider (VirusBlokAda). The malware created to exploit this vulnerability appears to be targeting Siemens WinCC SCADA systems at this time according to independent researcher Frank Boldewin.

It should be noted that having AutoPlay disabled will prevent automatic file execution on removable disks. However, the attack could still succeed if the user browses to the root folder of the removable disk. Windows 7 has AutoPlay for removable disks disabled by default.

No patch is available for this vulnerability at this time. Microsoft has provided workarounds that disable the display of icons for shortcuts and disable the WebClient (WebDAV) service, which are the currently known attack vectors.

To disable the displaying of icons perform the following steps:

  1. Click Start, click Run, type Regedit in the Open box, and then click OK

  2. Locate and then click the following registry key: HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler

  3. Select the (Default) value in the right-hand pane of Registry Editor, press Enter to edit it, delete the value so that it is blank, and press Enter.

  4. Restart explorer.exe or restart the computer.

To disable the WebClient service perform the following steps:

  1. Click Start, click Run, type Services.msc and then click OK.

  2. Right-click WebClient service and select Properties.

  3. Change the Startup type to Disabled. If the service is running, click Stop.

  4. Click OK and exit the management application.

July 20 - UPDATED DESCRIPTION:
Exploit code is publicly available. The exploit code has also been added to the Metasploit exploitation framework. We have tested the exploit code in our lab and confirmed that the exploit allows for code execution.

July 21 UPDATED DESCRIPTION:
Microsoft Knowledge Base Article 2286198 has been updated to reflect that Program Information Files (PIF) are also affected by this vulnerability. The Knowledge Base Article includes a Fix it tool that disables LNK and PIF file functionality (http://support.microsoft.com/kb/2286198). This workaround applies only to the affected systems listed above. If the Fix it tool is used, plan how systems will be returned to their original state once the patch for this vulnerability is released.

Microsoft has also updated Security Advisory 2286198 to include additional attack vectors for this vulnerability, which increases the likelihood of exploitation. An attacker could embed an exploit in a document that supports embedded shortcuts or hosted browser controls, such as Microsoft Office documents, e-mail attachments, or web sites.

To manually disable the displaying of icons for PIF files perform the following steps:

  1. Click Start, click Run, type Regedit in the Open box, and then click OK

  2. Locate and then click the following registry key: HKEY_CLASSES_ROOT\piffile\shellex\IconHandler

  3. Select the (Default) value in the right-hand pane of Registry Editor, press Enter to edit it, delete the value so that it is blank, and press Enter.

  4. Restart explorer.exe or restart the computer.
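The manual Registry Editor steps above (for the lnkfile handler in the original description and the piffile handler here) and the WebClient service change are easy to apply but awkward to reverse, and the August 2 update notes that the patch does not undo them. The following PowerShell script is an added example, not part of the MS-ISAC advisory or Microsoft's Fix it tool; it records the original (Default) values and the WebClient start mode before changing them so the workaround can be cleanly undone after patching. It must be run from an elevated prompt, and the backup file location and function names are this example's own assumptions.

```powershell
# Added example (not from the MS-ISAC advisory or Microsoft): script the icon-handler and
# WebClient workarounds described above, with a saved state so they can be reversed once
# the out-of-band patch is installed. Requires an elevated (administrator) PowerShell.
# Backup path below is an assumption of this example.

$IconHandlerKeys = @(
    'Registry::HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler',
    'Registry::HKEY_CLASSES_ROOT\piffile\shellex\IconHandler'
)
$BackupFile = Join-Path $env:ProgramData 'lnk-icon-workaround.clixml'

function Get-WebClientStartMode {
    # Win32_Service reports Auto / Manual / Disabled; Set-Service expects Automatic / Manual / Disabled.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'"
    if ($null -eq $svc) { return $null }
    if ($svc.StartMode -eq 'Auto') { return 'Automatic' } else { return $svc.StartMode }
}

function Save-OriginalState {
    $state = @{ IconHandlers = @{}; WebClientStartMode = (Get-WebClientStartMode) }
    foreach ($key in $IconHandlerKeys) {
        if (Test-Path $key) { $state.IconHandlers[$key] = (Get-ItemProperty -Path $key).'(default)' }
    }
    $state | Export-Clixml -Path $BackupFile
    return $state
}

function Restart-Explorer {
    # Explorer has to reload before a blanked IconHandler takes effect.
    Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue
    Start-Sleep -Seconds 2
    if (-not (Get-Process -Name explorer -ErrorAction SilentlyContinue)) { Start-Process explorer.exe }
}

function Invoke-LnkWorkaround {
    Save-OriginalState | Out-Null
    foreach ($key in $IconHandlerKeys) {
        # A blank (Default) value stops Explorer loading the shortcut icon handler, so a crafted
        # LNK/PIF is not parsed for its icon when its folder is viewed; icons display generically.
        if (Test-Path $key) { Set-ItemProperty -Path $key -Name '(default)' -Value '' }
    }
    # WebDAV via the WebClient service is one of the known remote delivery paths.
    Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
    Set-Service -Name WebClient -StartupType Disabled
    Restart-Explorer
}

function Undo-LnkWorkaround {
    if (-not (Test-Path $BackupFile)) { throw "No saved state at $BackupFile; nothing to restore." }
    $state = Import-Clixml -Path $BackupFile
    foreach ($key in $state.IconHandlers.Keys) {
        Set-ItemProperty -Path $key -Name '(default)' -Value $state.IconHandlers[$key]
    }
    if ($state.WebClientStartMode) { Set-Service -Name WebClient -StartupType $state.WebClientStartMode }
    Restart-Explorer
}

# Usage: Invoke-LnkWorkaround now; Undo-LnkWorkaround after the patch has been installed and tested.
```

Keeping the saved state on the machine (or collecting the .clixml files centrally) is what makes the rollback safe; systems that used Microsoft's Fix it tool instead need its corresponding "undo" Fix it, since the patch alone does not restore the icon handlers.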

August 2 UPDATED DESCRIPTION:

Microsoft has issued an Out of Band patch to address this vulnerability. Please note that this patch will not undo the previously indicated workarounds or the changes applied by the “Fix it” tool.

ORIGINAL RECOMMENDATIONS:
We recommend the following actions be taken:

  • Ensure that all anti-virus software is up to date with the latest signatures.

  • Blocking outbound SMB connections on the perimeter firewall will reduce the risk of remote exploitation using file shares.

  • Consider disabling the display of icons for shortcuts.

  • Consider disabling the WebClient service where possible.

  • Install the appropriate vendor patch as soon as it becomes available after appropriate testing.

  • Establish policies for the use of removable media on all enterprise and control system networks.

July 21 UPDATED RECOMMENDATIONS:
We recommend the following actions be taken:

  • Consider blocking LNK and PIF files at the network perimeter.

  • Consider disabling LNK and PIF file functionality by using the "FixIt" tool found in Knowledge Base Article 2286198 ( http://support.microsoft.com/kb/2286198 ).

August 2 UPDATED RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.

ORIGINAL REFERENCES:
Security Focus:
http://www.securityfocus.com/bid/41732

August 2 UPDATED REFERENCES:

MS-ISAC
30 South Pearl Street, Suite P2
Albany, NY 12207
(518) 474-0865
7x24 SOC 1-866-787-4722

 

 

 

MULTI-STATE INFORMATION SHARING AND ANALYSIS CENTER CYBER SECURITY ADVISORY (posted 7/30/10)

 

MS-ISAC ADVISORY NUMBER:
2010-055
 

DATE(S) ISSUED:
7/26/2010

 

SUBJECT:
Vulnerability in Mozilla Firefox Could Allow Remote Code Execution

 

OVERVIEW:
A vulnerability has been discovered in Mozilla Firefox which could allow for remote code execution. Mozilla Firefox is a web browser used to access the Internet.

 

This vulnerability requires that a user visit or be redirected to a web page, or open a malicious file crafted to take advantage of this specific vulnerability. This vulnerability, if exploited, could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploit attempts may result in a denial-of-service condition.

 

SYSTEMS AFFECTED:

 
  • Mozilla Firefox 3.6.7

 

RISK:


Government:

  • Large and medium government entities: High

  • Small government entities: High

 

Businesses:

  • Large and medium business entities: High

  • Small business entities: High

 

Home users: High

 

DESCRIPTION:

A vulnerability has been identified in Mozilla Firefox which may allow for remote code execution. It was introduced by the Mozilla Firefox 3.6.7 release, which was pushed out to fix several previously disclosed vulnerabilities. According to Mozilla, the change in 3.6.7 that resolved a plugin parameter array crash unexpectedly introduced a new crash showing signs of memory corruption: in certain instances the parameter array for a plugin instance could be freed too early, leaving a dangling pointer that the plugin could subsequently use.

 

In order for this vulnerability to be exploited a user would have to visit or be redirected to a web page, or open a malicious file specifically crafted to take advantage of this vulnerability. If successfully exploited this vulnerability could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploit attempts may result in a denial-of-service condition.

 

According to Mozilla, this vulnerability has been fixed in Firefox 3.6.8.

 

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Upgrade to Firefox 3.6.8 provided by Mozilla on vulnerable systems immediately after appropriate testing.

  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

  • Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.

  • Remind users not to download or open files from un-trusted websites.

 

REFERENCES:

 

Mozilla Foundation Security:

 

CVE:

 

Red Hat Bugzilla:

 

Security Focus:

 

 


 


 

MULTI-STATE INFORMATION SHARING AND ANALYSIS CENTER CYBER SECURITY ADVISORY (posted July 23, 2010)

 

MS-ISAC ADVISORY NUMBER:
2010-054
 

DATE(S) ISSUED:
7/21/2010

 

SUBJECT:
Multiple Vulnerabilities in Mozilla Products Could Allow Remote Code Execution

 

OVERVIEW:
Multiple vulnerabilities have been discovered in the Mozilla Firefox, Mozilla Thunderbird and Mozilla SeaMonkey applications which could allow remote code execution. Mozilla Firefox is a web browser used to access the Internet. Mozilla Thunderbird is an email client. Mozilla SeaMonkey is a cross platform Internet suite of tools ranging from a web browser to an email client.

 

These vulnerabilities may be exploited if a user visits, or is redirected to, a web page or opens a malicious file specifically crafted to take advantage of these vulnerabilities. Successful exploitation of these vulnerabilities could result in either an attacker gaining the same privileges as the logged on user, or gaining session authentication credentials. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploit attempts may result in a denial-of-service condition.

 

SYSTEMS AFFECTED:

 
  • Mozilla Firefox 3.5.0 - 3.5.10

  • Mozilla Firefox 3.6 - 3.6.4

  • Mozilla SeaMonkey 2.0 - 2.0.5

  • Mozilla Thunderbird 3.0 - 3.0.2

  • Mozilla Thunderbird 3.0.4 - 3.0.5

 

RISK:


Government:

  • Large and medium government entities: High

  • Small government entities: High

 

Businesses:

  • Large and medium business entities: High

  • Small business entities: High

 

Home users: High

 

DESCRIPTION:

Multiple vulnerabilities have been discovered in Mozilla Firefox, Mozilla Thunderbird, and Mozilla SeaMonkey. Details of these vulnerabilities are as follows:


Memory Safety Bugs (MFSA2010-34)

Multiple memory safety bugs exist in the browser engine used by multiple Mozilla products. Most of these bugs have shown evidence of memory corruption, and at least some could be exploited to run arbitrary code.

 

DOM attribute cloning remote code execution vulnerability (MFSA2010-35)

An error was reported in the DOM attribute cloning routine where an event attribute node can be deleted while another object still contains a reference to it. This reference could subsequently be accessed, potentially allowing code execution in memory.

 

Use-after-free error in NodeIterator (MFSA2010-36)

An error was reported in Mozilla's implementation of NodeIterator. An attacker could create a malicious NodeFilter which would detach nodes from the DOM tree while it was being traversed. Use of a detached and subsequently deleted node could result in arbitrary code execution.

 

Plugin parameter EnsureCachedAttrParamArrays remote code execution vulnerability (MFSA2010-37)

An error was reported in the code used to store the names and values of plugin parameter elements. A malicious page could embed plugin content which would cause a buffer overflow that could potentially result in code execution.

 

Arbitrary code execution using SJOW and fast native function (MFSA2010-38)

A cross-domain security-bypass vulnerability exists in Firefox and Thunderbird which, if exploited, could allow the execution of arbitrary code. This issue occurs because a content script can access content objects within the browser's chrome through 'SJOW'. Note that Firefox 3.5 and other Mozilla products built on Gecko 1.9.1 are not affected by this issue.

 

nsCSSValue::Array index integer overflow (MFSA2010-39)

It has been reported that an array class used to store CSS values contains an integer overflow vulnerability. The integer value used in allocating the size of the array could overflow, resulting in too small a memory buffer being created. This could result in code being executed in attacker-controlled memory.
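The paragraph above describes the general bug class, not any specific code: an element count multiplied by a per-element size in 32-bit arithmetic wraps, the allocation comes back far smaller than the array that is then written into it, and the result is memory corruption. The following added example (not Mozilla code; VALUE_SIZE is a constructed per-element size) puts the unchecked size computation beside the checked form a defender would expect to see, which refuses the allocation instead of under-allocating.

```c
/* Added example (not Mozilla code): integer overflow in array-size
 * arithmetic, shown as an unchecked size computation beside a checked
 * allocator that refuses requests whose byte size cannot be represented.
 * VALUE_SIZE is a constructed per-element size used only for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define VALUE_SIZE 16u   /* hypothetical bytes per stored value (constructed) */

/* Unchecked: count * VALUE_SIZE in 32-bit arithmetic wraps silently once the
 * product reaches 2^32, so a huge count yields a tiny byte size. */
uint32_t unchecked_array_bytes(uint32_t count)
{
    return count * VALUE_SIZE;
}

/* Returns 1 if count * VALUE_SIZE does not fit in 32 bits, else 0.
 * Dividing first avoids performing the multiplication that would overflow. */
int array_size_overflows(uint32_t count)
{
    return count > UINT32_MAX / VALUE_SIZE;
}

/* Hardened allocator: stores the element count in front of the payload and
 * refuses any request whose byte size cannot be represented exactly.
 * Returns NULL on overflow or allocation failure. */
void *alloc_value_array(uint32_t count)
{
    uint32_t payload;
    unsigned char *block;

    if (array_size_overflows(count))
        return NULL;                         /* refuse, never under-allocate */
    payload = count * VALUE_SIZE;            /* safe: checked above */
    if (payload > UINT32_MAX - (uint32_t)sizeof(uint32_t))
        return NULL;                         /* header + payload must fit too */

    block = calloc(1, sizeof(uint32_t) + (size_t)payload);
    if (block == NULL)
        return NULL;
    memcpy(block, &count, sizeof count);     /* header: element count */
    return block;
}

/* Reads the element count back out of a block made by alloc_value_array. */
uint32_t value_array_count(const void *block)
{
    uint32_t count;
    memcpy(&count, block, sizeof count);
    return count;
}

int main(void)
{
    uint32_t huge = 0x10000001u;             /* 268,435,457 elements */
    void *ok;

    printf("unchecked bytes for %u elements: %u (wrapped)\n",
           (unsigned)huge, (unsigned)unchecked_array_bytes(huge));
    printf("checked allocation for %u elements: %s\n",
           (unsigned)huge, alloc_value_array(huge) ? "allocated" : "refused");
    ok = alloc_value_array(4);
    printf("checked allocation for 4 elements: %s, count header = %u\n",
           ok ? "allocated" : "refused",
           ok ? (unsigned)value_array_count(ok) : 0u);
    free(ok);
    return 0;
}
```

The unchecked function returns 16 bytes for 0x10000001 elements, which is exactly the "too small a memory buffer" the advisory describes; the checked path returns NULL for the same count. The division-based check is the portable form; on compilers that provide it, `__builtin_mul_overflow` expresses the same test in one call.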

 

nsTreeSelection dangling pointer remote code execution vulnerability (MFSA2010-40)

An integer overflow vulnerability exists in the implementation of the XUL <tree> element's selection attribute. This vulnerability could be used by an attacker to access deleted memory and run arbitrary code on a victim's computer.

 

Remote code execution using malformed PNG image (MFSA2010-41)

A buffer overflow exists in the Mozilla graphics code which consumes image data processed by libpng. A malformed PNG file could be created which would cause libpng to incorrectly report the size of the image to downstream consumers. This could result in code being executed in attacker-controlled memory.

 

Cross-origin data disclosure via Web Workers and importScripts (MFSA2010-42)

A cross-domain information-disclosure issue has been reported which affects multiple Mozilla products. This issue affects the Web Worker method 'importScripts()' and will allow attackers to read and parse resources from other domains when the content is not valid JavaScript.

 

Same-origin bypass using canvas context (MFSA 2010-43)

A cross-domain information-disclosure vulnerability affects Firefox and Thunderbird. This issue affects the canvas element and can be used to read content from other sites.

 

Characters mapped to U+FFFD in 8 bit encodings cause subsequent characters to vanish (MFSA 2010-44)

A security weakness exists in Firefox and Thunderbird because undefined positions within various 8-bit character encodings are mapped to U+FFFD. An attacker could combine this issue with other latent vulnerabilities to conduct cross-site scripting attacks.

 

Multiple location bar spoofing vulnerabilities (MFSA 2010-45)

Three spoofing vulnerabilities exist which allow attackers to spoof the location bar so that an insecure page appears to be a secure page. This could then lead to other attacks, such as remote code execution or information disclosure.

 

Cross-domain data theft using CSS (MFSA 2010-46)

A cross-domain security-bypass vulnerability exists in which attackers could gain access to content in another domain by injecting invalid CSS selectors into a target site and then retrieving the data using a JavaScript API.

 

Cross-origin data leakage from script filename in error messages (MFSA 2010-47)

A cross-domain information-disclosure vulnerability exists which may allow attackers to leak sensitive URL parameters across domains.

 

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate patches provided by Mozilla to vulnerable systems immediately after appropriate testing.

  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.

  • Remind users not to download or open files from untrusted websites.
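The first recommendation, applying the Mozilla patches, starts with knowing which installed versions fall inside the ranges listed under SYSTEMS AFFECTED. The added example below (not MS-ISAC or Mozilla code) encodes those ranges exactly as the advisory lists them and checks a product/version pair against them; the inventory lines in main() are constructed sample input, and the table deliberately follows the advisory rather than guessing, so a version that sits in a gap between listed ranges (Thunderbird 3.0.3, for instance) reports as not listed.

```c
/* Added example (not MS-ISAC or Mozilla code): compares a product version
 * string against the affected ranges listed in this advisory, so an
 * inventory of installed versions can be checked before and after patching. */
#include <stdio.h>
#include <string.h>

struct ver { int major, minor, patch; };

/* Parses "3.6.4" or "3.6" (a missing patch level counts as 0, so "3.6" is
 * the start of the 3.6 range). Returns 1 on success, 0 if the string does
 * not contain at least major.minor. */
int parse_version(const char *s, struct ver *v)
{
    int n;
    v->major = v->minor = v->patch = 0;
    n = sscanf(s, "%d.%d.%d", &v->major, &v->minor, &v->patch);
    return n >= 2 && v->major >= 0 && v->minor >= 0 && v->patch >= 0;
}

/* Lexicographic compare: negative if a < b, 0 if equal, positive if a > b. */
int cmp_version(struct ver a, struct ver b)
{
    if (a.major != b.major) return a.major - b.major;
    if (a.minor != b.minor) return a.minor - b.minor;
    return a.patch - b.patch;
}

struct affected_range { const char *product; struct ver lo, hi; };

/* The ranges exactly as the advisory lists them (inclusive at both ends).
 * Versions between listed ranges, such as Thunderbird 3.0.3, are not in the
 * table because the advisory does not list them. */
static const struct affected_range AFFECTED[] = {
    { "Firefox",     {3, 5, 0}, {3, 5, 10} },
    { "Firefox",     {3, 6, 0}, {3, 6, 4}  },
    { "SeaMonkey",   {2, 0, 0}, {2, 0, 5}  },
    { "Thunderbird", {3, 0, 0}, {3, 0, 2}  },
    { "Thunderbird", {3, 0, 4}, {3, 0, 5}  },
};

/* Returns 1 if the product/version pair falls inside a listed range,
 * 0 if it does not (unknown products included), -1 if the version string
 * cannot be parsed and therefore needs a manual look. */
int is_affected(const char *product, const char *version)
{
    struct ver v;
    size_t i;
    if (!parse_version(version, &v))
        return -1;
    for (i = 0; i < sizeof AFFECTED / sizeof AFFECTED[0]; i++) {
        if (strcmp(AFFECTED[i].product, product) != 0)
            continue;
        if (cmp_version(v, AFFECTED[i].lo) >= 0 &&
            cmp_version(v, AFFECTED[i].hi) <= 0)
            return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed inventory lines: product name and reported version. */
    static const char *inventory[][2] = {
        { "Firefox",     "3.6.4"   },
        { "Firefox",     "3.6"     },
        { "Thunderbird", "3.0.3"   },
        { "Thunderbird", "3.0.5"   },
        { "SeaMonkey",   "2.0.6"   },
        { "Firefox",     "unknown" },
    };
    size_t i;
    for (i = 0; i < sizeof inventory / sizeof inventory[0]; i++) {
        int r = is_affected(inventory[i][0], inventory[i][1]);
        printf("%-12s %-8s -> %s\n", inventory[i][0], inventory[i][1],
               r == 1 ? "in affected range, patch"
             : r == 0 ? "not in a listed range"
             :          "version unparsable, check manually");
    }
    return 0;
}
```

An unparsable version is reported separately rather than silently treated as safe, since a blank or malformed inventory entry is the case most likely to hide an unpatched install.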

 

REFERENCES:

 

Mozilla:

 

Secunia:

 

VUPEN:

 

CVE:

 

MS-ISAC

30 South Pearl Street, Suite P2

Albany, NY 12207

(518) 474-0865

7x24 SOC 1-866-787-4722