The Security Side of Firefox 3.6.9
The Mozilla Foundation has recently updated the Firefox 3.6 browser to version 3.6.9. This new version is meant to make the browser more stable, which is good. The new version is also meant to fix several security issues, which is even better – at least from a security point of view. What’s also great from a security point of view is the fact that Firefox 3.6.9 comes with support for the X-Frame-Options HTTP response header.
As Michael Coates (Web Security at Mozilla) explained, site owners can include this header to prevent 3rd parties from maliciously framing their web content. If included in to the HTTP response, the header can instruct the client’s browser on whether the returned content is allowed to be framed by other pages. This will prevent a 3rd party from say framing a website from another domain and surrounding the framed site with advertisements.
To make things short, the header can be used by site owners to ensure their content is not embedded into other sites and to mitigate clickjacking attacks.
“The x-frame-options header supports the following values:
SAMEORIGIN – allows only sites from the same domain to frame the page
DENY – prevents any site from framing the page,” explained Michael Coates.
As mentioned above, Firefox 3.6.9 has been released to fix several security issues. Alongside the 3.6.9 update, Mozilla has released 14 security advisories – 10 of them have been rated as critical.
Here are the critical advisories: Title: Miscellaneous memory safety hazards
Affected software: Firefox, Thunderbird, SeaMonkey
Description: Several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code
Credit: Peter Van der Beken, Jason Oster, Jesse Ruderman, Igor Bukanov, Jeff Walden, Gary Kwong, Olli Pettay, Michal Zalewski. Title: Frameset integer overflow vulnerability
Affected software: Firefox, Thunderbird, SeaMonkey
Description: The implementation of the HTML frameset element contained an integer overflow vulnerability. The code responsible for parsing the frameset columns used an 8-byte counter for the column numbers, so when a very large number of columns was passed in the counter would overflow. When this counter was subsequently used to allocate memory for the frameset, the memory buffer would be too small, potentially resulting in a heap buffer overflow and execution of attacker-controlled memory.
Credit: Chris Rohlf of Matasano Security Title: Dangling pointer vulnerability using DOM plugin array
Affected software: Firefox, Thunderbird, SeaMonkey
Description: A dangling pointer vulnerability in the implementation of navigator.plugins in which the navigator object could retain a pointer to the plugins array even after it had been destroyed. An attacker could potentially use this issue to crash the browser and run arbitrary code on a victim's computer.
Credit: Sergey Glazunov. Title: Windows XP DLL loading vulnerability
Affected software: Firefox, Thunderbird, SeaMonkey
Description: Firefox could be used to load a malicious code library that had been planted on a victim's computer. Firefox attempts to load dwmapi.dll upon startup as part of its platform detection, so on systems that don't have this library, such as Windows XP, Firefox will subsequently attempt to load the library from the current working directory. An attacker could use this vulnerability to trick a user into downloading a HTML file and a malicious copy of dwmapi.dll into the same directory on their computer and opening the HTML file with Firefox, thus causing the malicious code to be executed.
Credit: Haifei Li of FortiGuard Labs and Acros Security. Title: Heap buffer overflow in nsTextFrameUtils::TransformText
Affected software: Firefox, Thunderbird, SeaMonkey
Description: A heap buffer overflow in code routines responsible for transforming text runs. A page could be constructed with a bidirectional text run which upon reflow could result in an incorrect length being calculated for the run of text. When this value is subsequently used to allocate memory for the text too small a buffer may be created potentially resulting in a buffer overflow and the execution of attacker controlled memory.
Credit: wushi of team509
MFSA 2010-54
Title: Dangling pointer vulnerability in nsTreeSelection
Affected software: Firefox, Thunderbird, SeaMonkey
Description: Under certain circumstances one of the pointers held by a XUL tree selection could be freed and then later reused, potentially resulting in the execution of attacker-controlled memory.
Credit: regenrecht, security researcher who reported the vulnerability via TippingPoint's Zero Day Initiative.
Title: Dangling pointer vulnerability in nsTreeContentView
Affected software: Firefox, Thunderbird, SeaMonkey
Description: The implementation of XUL <tree>'s content view contains a dangling pointer vulnerability. One of the content view's methods for accessing the internal structure of the tree could be manipulated into removing a node prior to accessing it, resulting in the accessing of deleted memory. If an attacker can control the contents of the deleted memory prior to its access they could use this vulnerability to run arbitrary code on a victim's machine.
Credit: regenrecht, security researcher who reported the vulnerability via TippingPoint's Zero Day Initiative.
Title: Crash and remote code execution in normalizeDocument
Affected software: Firefox, Thunderbird, SeaMonkey
Description: Code used to normalize a document contained a logical flaw that could be leveraged to run arbitrary code. When the normalization code ran, a static count of the document's child nodes was used in the traversal, so a page could be constructed that would remove DOM nodes during this normalization which could lead to the accessing of a deleted object and potentially the execution of attacker-controlled memory.
Credit: regenrecht, security researcher who reported the vulnerability via TippingPoint's Zero Day Initiative. Title: Crash on Mac using fuzzed font in data: URL
Affected software: Firefox, Thunderbird, SeaMonkey
Description: A specially crafted font could be applied to a document and cause a crash on Mac systems. The crash showed signs of memory corruption and presumably could be used by an attacker to execute arbitrary code on a victim's computer.
Credit: Marc Schoenefeld. Title: SJOW creates scope chains ending in outer object
Affected software: Firefox, Thunderbird
Description: The wrapper class XPCSafeJSObjectWrapper (SJOW), a security wrapper that allows content-defined objects to be safely accessed by privileged code, creates scope chains ending in outer objects. Users of SJOWs which expect the scope chain to end on an inner object may be handed a chrome privileged object which could be leveraged to run arbitrary JavaScript with chrome privileges.
Credit: Blake Kaplan
And here are the remaining 4 advisories that accompany the Firefox 3.6.9 update: Title: UTF-7 XSS by overriding document charset using <object> type attribute
Severity rating: High
Affected software: Firefox, Thunderbird, SeaMonkey
Description: The type attribute of an <object> tag can override the charset of a framed HTML document, even when the document is included across origins. A page could be constructed containing such an <object> tag which sets the charset of the framed document to UTF-7. This could potentially allow an attacker to inject UTF-7 encoded JavaScript into a site, bypassing the site's XSS filters, and then executing the code using the above technique.
Credit: David Huang, Collin Jackson Title: Copy-and-paste or drag-and-drop into designMode document allows XSS
Severity rating: Moderate
Affected software: Firefox, Thunderbird, SeaMonkey
Description: When an HTML selection containing JavaScript is copy-and-pasted or dropped onto a document with designMode enabled the JavaScript will be executed within the context of the site where the code was dropped. A malicious site could leverage this issue in an XSS attack by persuading a user into taking such an action and in the process running malicious JavaScript within the context of another site.
Credit: Paul Stone Title: XUL tree removal crash and remote code execution
Severity rating: Low
Affected software: Firefox, Thunderbird, SeaMonkey
Description: XUL <tree> objects could be manipulated such that the setting of certain properties on the object would trigger the removal of the tree from the DOM and cause certain sections of deleted memory to be accessed.
Credit: regenrecht, security researcher who reported the vulnerability via TippingPoint's Zero Day Initiative. Title: Information leak via XMLHttpRequest statusText
Severity rating: Low
Affected software: Firefox, Thunderbird, SeaMonkey
Description: The statusText property of an XMLHttpRequest object is readable by the requestor even when the request is made across origins. This status information reveals the presence of a web server and could be used to gather information about servers on internal private networks.
Credit: Matt Haggard, Nicholas Berthaume
Firefox 3.6.9 is available for download in more than 70 languages for Windows, Mac and Linux here.
As Michael Coates (Web Security at Mozilla) explained, site owners can include this header to prevent 3rd parties from maliciously framing their web content. If included in to the HTTP response, the header can instruct the client’s browser on whether the returned content is allowed to be framed by other pages. This will prevent a 3rd party from say framing a website from another domain and surrounding the framed site with advertisements.
To make things short, the header can be used by site owners to ensure their content is not embedded into other sites and to mitigate clickjacking attacks.
“The x-frame-options header supports the following values:
SAMEORIGIN – allows only sites from the same domain to frame the page
DENY – prevents any site from framing the page,” explained Michael Coates.
As mentioned above, Firefox 3.6.9 has been released to fix several security issues. Alongside the 3.6.9 update, Mozilla has released 14 security advisories – 10 of them have been rated as critical.
Here are the critical advisories: Title: Miscellaneous memory safety hazards
Affected software: Firefox, Thunderbird, SeaMonkey
Description: Several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code
Credit: Peter Van der Beken, Jason Oster, Jesse Ruderman, Igor Bukanov, Jeff Walden, Gary Kwong, Olli Pettay, Michal Zalewski. Title: Frameset integer overflow vulnerability
Affected software: Firefox, Thunderbird, SeaMonkey
Description: The implementation of the HTML frameset element contained an integer overflow vulnerability. The code responsible for parsing the frameset columns used an 8-byte counter for the column numbers, so when a very large number of columns was passed in the counter would overflow. When this counter was subsequently used to allocate memory for the frameset, the memory buffer would be too small, potentially resulting in a heap buffer overflow and execution of attacker-controlled memory.
Credit: Chris Rohlf of Matasano Security Title: Dangling pointer vulnerability using DOM plugin array
Affected software: Firefox, Thunderbird, SeaMonkey
Description: A dangling pointer vulnerability in the implementation of navigator.plugins in which the navigator object could retain a pointer to the plugins array even after it had been destroyed. An attacker could potentially use this issue to crash the browser and run arbitrary code on a victim's computer.
Credit: Sergey Glazunov. Title: Windows XP DLL loading vulnerability
Affected software: Firefox, Thunderbird, SeaMonkey
Description: Firefox could be used to load a malicious code library that had been planted on a victim's computer. Firefox attempts to load dwmapi.dll upon startup as part of its platform detection, so on systems that don't have this library, such as Windows XP, Firefox will subsequently attempt to load the library from the current working directory. An attacker could use this vulnerability to trick a user into downloading a HTML file and a malicious copy of dwmapi.dll into the same directory on their computer and opening the HTML file with Firefox, thus causing the malicious code to be executed.
Credit: Haifei Li of FortiGuard Labs and Acros Security. Title: Heap buffer overflow in nsTextFrameUtils::TransformText
Affected software: Firefox, Thunderbird, SeaMonkey
Description: A heap buffer overflow in code routines responsible for transforming text runs. A page could be constructed with a bidirectional text run which upon reflow could result in an incorrect length being calculated for the run of text. When this value is subsequently used to allocate memory for the text too small a buffer may be created potentially resulting in a buffer overflow and the execution of attacker controlled memory.
Credit: wushi of team509
MFSA 2010-54
Title: Dangling pointer vulnerability in nsTreeSelection
Affected software: Firefox, Thunderbird, SeaMonkey
Description: Under certain circumstances one of the pointers held by a XUL tree selection could be freed and then later reused, potentially resulting in the execution of attacker-controlled memory.
Credit: regenrecht, security researcher who reported the vulnerability via TippingPoint's Zero Day Initiative.
Title: Dangling pointer vulnerability in nsTreeContentView
Affected software: Firefox, Thunderbird, SeaMonkey
Description: The implementation of XUL <tree>'s content view contains a dangling pointer vulnerability. One of the content view's methods for accessing the internal structure of the tree could be manipulated into removing a node prior to accessing it, resulting in the accessing of deleted memory. If an attacker can control the contents of the deleted memory prior to its access they could use this vulnerability to run arbitrary code on a victim's machine.
Credit: regenrecht, security researcher who reported the vulnerability via TippingPoint's Zero Day Initiative.
Title: Crash and remote code execution in normalizeDocument
Affected software: Firefox, Thunderbird, SeaMonkey
Description: Code used to normalize a document contained a logical flaw that could be leveraged to run arbitrary code. When the normalization code ran, a static count of the document's child nodes was used in the traversal, so a page could be constructed that would remove DOM nodes during this normalization which could lead to the accessing of a deleted object and potentially the execution of attacker-controlled memory.
Credit: regenrecht, security researcher who reported the vulnerability via TippingPoint's Zero Day Initiative. Title: Crash on Mac using fuzzed font in data: URL
Affected software: Firefox, Thunderbird, SeaMonkey
Description: A specially crafted font could be applied to a document and cause a crash on Mac systems. The crash showed signs of memory corruption and presumably could be used by an attacker to execute arbitrary code on a victim's computer.
Credit: Marc Schoenefeld. Title: SJOW creates scope chains ending in outer object
Affected software: Firefox, Thunderbird
Description: The wrapper class XPCSafeJSObjectWrapper (SJOW), a security wrapper that allows content-defined objects to be safely accessed by privileged code, creates scope chains ending in outer objects. Users of SJOWs which expect the scope chain to end on an inner object may be handed a chrome privileged object which could be leveraged to run arbitrary JavaScript with chrome privileges.
Credit: Blake Kaplan
And here are the remaining 4 advisories that accompany the Firefox 3.6.9 update: Title: UTF-7 XSS by overriding document charset using <object> type attribute
Severity rating: High
Affected software: Firefox, Thunderbird, SeaMonkey
Description: The type attribute of an <object> tag can override the charset of a framed HTML document, even when the document is included across origins. A page could be constructed containing such an <object> tag which sets the charset of the framed document to UTF-7. This could potentially allow an attacker to inject UTF-7 encoded JavaScript into a site, bypassing the site's XSS filters, and then executing the code using the above technique.
Credit: David Huang, Collin Jackson Title: Copy-and-paste or drag-and-drop into designMode document allows XSS
Severity rating: Moderate
Affected software: Firefox, Thunderbird, SeaMonkey
Description: When an HTML selection containing JavaScript is copy-and-pasted or dropped onto a document with designMode enabled the JavaScript will be executed within the context of the site where the code was dropped. A malicious site could leverage this issue in an XSS attack by persuading a user into taking such an action and in the process running malicious JavaScript within the context of another site.
Credit: Paul Stone Title: XUL tree removal crash and remote code execution
Severity rating: Low
Affected software: Firefox, Thunderbird, SeaMonkey
Description: XUL <tree> objects could be manipulated such that the setting of certain properties on the object would trigger the removal of the tree from the DOM and cause certain sections of deleted memory to be accessed.
Credit: regenrecht, security researcher who reported the vulnerability via TippingPoint's Zero Day Initiative. Title: Information leak via XMLHttpRequest statusText
Severity rating: Low
Affected software: Firefox, Thunderbird, SeaMonkey
Description: The statusText property of an XMLHttpRequest object is readable by the requestor even when the request is made across origins. This status information reveals the presence of a web server and could be used to gather information about servers on internal private networks.
Credit: Matt Haggard, Nicholas Berthaume
Firefox 3.6.9 is available for download in more than 70 languages for Windows, Mac and Linux here.
