Mozilla Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.5, Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.5, and SeaMonkey before 2.10 allow local users to obtain sensitive information via an HTML document that loads a shortcut (aka .lnk) file for display within an IFRAME element, as demonstrated by a network share implemented by (1) Microsoft Windows or (2) Samba.

Changes in MozillaFirefox :

  - update to Firefox 13.0 (bnc#765204)

  - MFSA 2012-34/CVE-2012-1938/CVE-2012-1937/CVE-2011-3101     Miscellaneous memory safety hazards

  - MFSA 2012-36/CVE-2012-1944 (bmo#751422) Content Security     Policy inline-script bypass

  - MFSA 2012-37/CVE-2012-1945 (bmo#670514) Information     disclosure though Windows file shares and shortcut files

  - MFSA 2012-38/CVE-2012-1946 (bmo#750109) Use-after-free     while replacing/inserting a node in a document

  - MFSA 2012-40/CVE-2012-1947/CVE-2012-1940/CVE-2012-1941     Buffer overflow and use-after-free issues found using     Address Sanitizer

  - require NSS 3.13.4

  - MFSA 2012-39/CVE-2012-0441 (bmo#715073)

  - fix sound notifications when filename/path contains a     whitespace (bmo#749739)

  - fix build on arm

  - reenabled crashreporter for Factory/12.2 (fix in     mozilla-gcc47.patch)

Changes in MozillaThunderbird :

  - update to Thunderbird 13.0 (bnc#765204)

  - MFSA 2012-34/CVE-2012-1938/CVE-2012-1937/CVE-2011-3101     Miscellaneous memory safety hazards

  - MFSA 2012-36/CVE-2012-1944 (bmo#751422) Content Security     Policy inline-script bypass

  - MFSA 2012-37/CVE-2012-1945 (bmo#670514) Information     disclosure though Windows file shares and shortcut files

  - MFSA 2012-38/CVE-2012-1946 (bmo#750109) Use-after-free     while replacing/inserting a node in a document

  - MFSA 2012-40/CVE-2012-1947/CVE-2012-1940/CVE-2012-1941     Buffer overflow and use-after-free issues found using     Address Sanitizer

  - require NSS 3.13.4

  - MFSA 2012-39/CVE-2012-0441 (bmo#715073)

  - fix build with system NSPR (mozilla-system-nspr.patch)

  - add dependentlibs.list for improved XRE startup

  - update enigmail to 1.4.2

  - reenabled crashreporter for Factory/12.2 (fix in     mozilla-gcc47.patch)

  - update to Thunderbird 12.0.1

  - fix regressions

  - POP3 filters (bmo#748090)

  - Message Body not loaded when using 'Fetch Headers Only'     (bmo#748865)

  - Received messages contain parts of other messages with     movemail account (bmo#748726)

  - New mail notification issue (bmo#748997)

  - crash in nsMsgDatabase::MatchDbName (bmo#748432)

  - fixed build with gcc 4.7

Changes in seamonkey :

  - update to SeaMonkey 2.10 (bnc#765204)

  - MFSA 2012-34/CVE-2012-1938/CVE-2012-1937/CVE-2011-3101     Miscellaneous memory safety hazards

  - MFSA 2012-36/CVE-2012-1944 (bmo#751422) Content Security     Policy inline-script bypass

  - MFSA 2012-37/CVE-2012-1945 (bmo#670514) Information     disclosure though Windows file shares and shortcut files

  - MFSA 2012-38/CVE-2012-1946 (bmo#750109) Use-after-free     while replacing/inserting a node in a document

  - MFSA 2012-40/CVE-2012-1947/CVE-2012-1940/CVE-2012-1941     Buffer overflow and use-after-free issues found using     Address Sanitizer

  - requires NSS 3.13.4

  - MFSA 2012-39/CVE-2012-0441 (bmo#715073)

  - update to SeaMonkey 2.9.1

  - fix regressions

  - POP3 filters (bmo#748090)

  - Message Body not loaded when using 'Fetch Headers Only'     (bmo#748865)

  - Received messages contain parts of other messages with     movemail account (bmo#748726)

  - New mail notification issue (bmo#748997)

  - crash in nsMsgDatabase::MatchDbName (bmo#748432)

  - fixed build with gcc 4.7

Changes in mozilla-nss :

  - update to 3.13.5 RTM

  - update to 3.13.4 RTM

  - fixed some bugs

  - fixed cert verification regression in PKIX mode     (bmo#737802) introduced in 3.13.2

Changes in xulrunner :

  - update to 13.0 (bnc#765204)

  - MFSA 2012-34/CVE-2012-1938/CVE-2012-1937/CVE-2011-3101     Miscellaneous memory safety hazards

  - MFSA 2012-36/CVE-2012-1944 (bmo#751422) Content Security     Policy inline-script bypass

  - MFSA 2012-37/CVE-2012-1945 (bmo#670514) Information     disclosure though Windows file shares and shortcut files

  - MFSA 2012-38/CVE-2012-1946 (bmo#750109) Use-after-free     while replacing/inserting a node in a document

  - MFSA 2012-40/CVE-2012-1947/CVE-2012-1940/CVE-2012-1941     Buffer overflow and use-after-free issues found using     Address Sanitizer

  - require NSS 3.13.4

  - MFSA 2012-39/CVE-2012-0441 (bmo#715073)

  - reenabled crashreporter for Factory/12.2 (fixed in     mozilla-gcc47.patch)

The remote Oracle Linux 6 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2012-0715 advisory.

    [10.0.5-2.0.1.el6_2]
    - Replaced thunderbird-redhat-default-prefs.js with thunderbird-oracle-default-prefs.js
    - Replace clean.gif in tarball

    [10.0.5-2]
    - Update to 10.0.5 ESR

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 5 / 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2012-0710 advisory.

    firefox:

    [10.0.5-1.0.1.el6_2]
    - Replace firefox-redhat-default-prefs.js with firefox-oracle-default-prefs.js

    [10.0.5-1]
    - Update to 10.0.5 ESR

    xulrunner:

    [10.0.5-1.0.1.el6_2]
    - Replace xulrunner-redhat-default-prefs.js with xulrunner-oracle-default-prefs.js

    [10.0.5-1]
    - Update to 10.0.5 ESR

    [10.0.4-2]
    - Added patch for mozbz#703633

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Mozilla Firefox has been updated to 10.0.5ESR fixing various bugs and security issues.

  - Mozilla developers identified and fixed several memory     safety bugs in the browser engine used in Firefox and     other Mozilla-based products. Some of these bugs showed     evidence of memory corruption under certain     circumstances, and we presume that with enough effort at     least some of these could be exploited to run arbitrary     code. (MFSA 2012-34)

    In general these flaws cannot be exploited through email     in the Thunderbird and SeaMonkey products because     scripting is disabled, but are potentially a risk in     browser or browser-like contexts in those products.
    References

    Jesse Ruderman, Igor Bukanov, Bill McCloskey, Christian     Holler, Andrew McCreight, and Brian Bondy reported     memory safety problems and crashes that affect Firefox     12. (CVE-2012-1938)

    Christian Holler reported a memory safety problem that     affects Firefox ESR. (CVE-2012-1939)

    Igor Bukanov, Olli Pettay, Boris Zbarsky, and Jesse     Ruderman reported memory safety problems and crashes     that affect Firefox ESR and Firefox 13. (CVE-2012-1937)

    Ken Russell of Google reported a bug in NVIDIA graphics     drivers that they needed to work around in the Chromium     WebGL implementation. Mozilla has done the same in     Firefox 13 and ESR 10.0.5. (CVE-2011-3101)

  - Security researcher James Forshaw of Context Information     Security found two issues with the Mozilla updater and     the Mozilla updater service introduced in Firefox 12 for     Windows. The first issue allows Mozilla's updater to     load a local DLL file in a privileged context. The     updater can be called by the Updater Service or     independently on systems that do not use the service.
    The second of these issues allows for the updater     service to load an arbitrary local DLL file, which can     then be run with the same system privileges used by the     service. Both of these issues require local file system     access to be exploitable. (MFSA 2012-35)

    Possible Arbitrary Code Execution by Update Service     (CVE-2012-1942) Updater.exe loads wsock32.dll from     application directory. (CVE-2012-1943)

  - Security researcher Adam Barth found that inline event     handlers, such as onclick, were no longer blocked by     Content Security Policy's (CSP) inline-script blocking     feature. Web applications relying on this feature of CSP     to protect against cross-site scripting (XSS) were not     fully protected. (CVE-2012-1944). (MFSA 2012-36)

  - Security researcher Paul Stone reported an attack where     an HTML page hosted on a Windows share and then loaded     could then load Windows shortcut files (.lnk) in the     same share. These shortcut files could then link to     arbitrary locations on the local file system of the     individual loading the HTML page. That page could show     the contents of these linked files or directories from     the local file system in an iframe, causing information     disclosure. (MFSA 2012-37)

    This issue could potentially affect Linux machines with     samba shares enabled. (CVE-2012-1945)

  - Security researcher Arthur Gerkis used the Address     Sanitizer tool to find a use-after-free while     replacing/inserting a node in a document. This     use-after-free could possibly allow for remote code     execution. (CVE-2012-1946). (MFSA 2012-38)

  - Security researcher Kaspar Brand found a flaw in how the     Network Security Services (NSS) ASN.1 decoder handles     zero length items. Effects of this issue depend on the     field. One known symptom is an unexploitable crash in     handling OCSP responses. NSS also mishandles zero-length     basic constraints, assuming default values for some     types that should be rejected as malformed. These issues     have been addressed in NSS 3.13.4, which is now being     used by Mozilla. (CVE-2012-0441). (MFSA 2012-39)

  - Security researcher Abhishek Arya of Google used the     Address Sanitizer tool to uncover several issues: two     heap buffer overflow bugs and a use-after-free problem.
    The first heap buffer overflow was found in conversion     from unicode to native character sets when the function     fails. The use-after-free occurs in nsFrameList when     working with column layout with absolute positioning in     a container that changes size. The second buffer     overflow occurs in nsHTMLReflowState when a window is     resized on a page with nested columns and a combination     of absolute and relative positioning. All three of these     issues are potentially exploitable. (MFSA 2012-40)

    Heap-buffer-overflow in utf16_to_isolatin1     (CVE-2012-1947) Heap-use-after-free in     nsFrameList::FirstChild. (CVE-2012-1940)

    Heap-buffer-overflow in     nsHTMLReflowState::CalculateHypotheticalBox, with nested     multi-column, relative position, and absolute position.
    (CVE-2012-1941)

More information on security issues can be found on:
http://www.mozilla.org/security/announce/

The remote host is affected by the vulnerability described in GLSA-201301-01 (Mozilla Products: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Mozilla Firefox,       Thunderbird, SeaMonkey, NSS, GNU IceCat, and XULRunner. Please review the       CVE identifiers referenced below for details.
  Impact :

    A remote attacker could entice a user to view a specially crafted web       page or email, possibly resulting in execution of arbitrary code or a       Denial of Service condition. Furthermore, a remote attacker may be able       to perform Man-in-the-Middle attacks, obtain sensitive information,       bypass restrictions and protection mechanisms, force file downloads,       conduct XML injection attacks, conduct XSS attacks, bypass the Same       Origin Policy, spoof URL&rsquo;s for phishing attacks, trigger a vertical       scroll, spoof the location bar, spoof an SSL indicator, modify the       browser&rsquo;s font, conduct clickjacking attacks, or have other unspecified       impact.
    A local attacker could gain escalated privileges, obtain sensitive       information, or replace an arbitrary downloaded file.
  Workaround :

    There is no known workaround at this time.

Mozilla Thunderbird is a standalone mail and newsgroup client.

Several flaws were found in the processing of malformed content.
Malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2011-3101, CVE-2012-1937, CVE-2012-1938, CVE-2012-1939, CVE-2012-1940, CVE-2012-1941, CVE-2012-1946, CVE-2012-1947)

Note: CVE-2011-3101 only affected users of certain NVIDIA display drivers with graphics cards that have hardware acceleration enabled.

It was found that the Content Security Policy (CSP) implementation in Thunderbird no longer blocked Thunderbird inline event handlers.
Malicious content could possibly bypass intended restrictions if that content relied on CSP to protect against flaws such as cross-site scripting (XSS). (CVE-2012-1944)

If a web server hosted content that is stored on a Microsoft Windows share, or a Samba share, loading such content with Thunderbird could result in Windows shortcut files (.lnk) in the same share also being loaded. An attacker could use this flaw to view the contents of local files and directories on the victim's system. This issue also affected users opening content from Microsoft Windows shares, or Samba shares, that are mounted on their systems. (CVE-2012-1945)

Note: None of the issues in this advisory can be exploited by a specially crafted HTML mail message as JavaScript is disabled by default for mail messages. They could be exploited another way in Thunderbird, for example, when viewing the full remote content of an RSS feed.

All Thunderbird users should upgrade to this updated package, which contains Thunderbird version 10.0.5 ESR, which corrects these issues.
After installing the update, Thunderbird must be restarted for the changes to take effect.

Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox.

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2011-3101, CVE-2012-1937, CVE-2012-1938, CVE-2012-1939, CVE-2012-1940, CVE-2012-1941, CVE-2012-1946, CVE-2012-1947)

Note: CVE-2011-3101 only affected users of certain NVIDIA display drivers with graphics cards that have hardware acceleration enabled.

It was found that the Content Security Policy (CSP) implementation in Firefox no longer blocked Firefox inline event handlers. A remote attacker could use this flaw to possibly bypass a web application's intended restrictions, if that application relied on CSP to protect against flaws such as cross-site scripting (XSS). (CVE-2012-1944)

If a web server hosted HTML files that are stored on a Microsoft Windows share, or a Samba share, loading such files with Firefox could result in Windows shortcut files (.lnk) in the same share also being loaded. An attacker could use this flaw to view the contents of local files and directories on the victim's system. This issue also affected users opening HTML files from Microsoft Windows shares, or Samba shares, that are mounted on their systems. (CVE-2012-1945)

For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 10.0.5 ESR.

All Firefox users should upgrade to these updated packages, which contain Firefox version 10.0.5 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.

USN-1463-1 fixed vulnerabilities in Firefox. This update provides the corresponding fixes for Thunderbird.

Jesse Ruderman, Igor Bukanov, Bill McCloskey, Christian Holler, Andrew McCreight, Olli Pettay, Boris Zbarsky, and Brian Bondy discovered memory safety issues affecting Firefox. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit these to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-1937, CVE-2012-1938)

It was discovered that Mozilla's WebGL implementation exposed a bug in certain NVIDIA graphics drivers. The impact of this issue has not been disclosed at this time.
(CVE-2011-3101)

Adam Barth discovered that certain inline event handlers were not being blocked properly by the Content Security Policy's (CSP) inline-script blocking feature. Web applications relying on this feature of CSP to protect against cross-site scripting (XSS) were not fully protected.
With cross-site scripting vulnerabilities, if a user were tricked into viewing a specially crafted page, a remote attacker could exploit this to modify the contents, or steal confidential data, within the same domain. (CVE-2012-1944)

Paul Stone discovered that a viewed HTML page hosted on a Windows or Samba share could load Windows shortcut files (.lnk) in the same share. These shortcut files could then link to arbitrary locations on the local file system of the individual loading the HTML page. An attacker could potentially use this vulnerability to show the contents of these linked files or directories in an iframe, resulting in information disclosure. (CVE-2012-1945)

Arthur Gerkis discovered a use-after-free vulnerability while replacing/inserting a node in a document. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit this to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox.
(CVE-2012-1946)

Kaspar Brand discovered a vulnerability in how the Network Security Services (NSS) ASN.1 decoder handles zero length items. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit this to cause a denial of service via application crash.
(CVE-2012-0441)

Abhishek Arya discovered two buffer overflow and one use-after-free vulnerabilities. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit these to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-1940, CVE-2012-1941, CVE-2012-1947).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Security issues were identified and fixed in mozilla firefox and thunderbird :

Heap-based buffer overflow in the utf16_to_isolatin1 function in Mozilla Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.5, Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.5, and SeaMonkey before 2.10 allows remote attackers to execute arbitrary code via vectors that trigger a character-set conversion failure (CVE-2012-1947)

Use-after-free vulnerability in the nsFrameList::FirstChild function in Mozilla Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.5, Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.5, and SeaMonkey before 2.10 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption and application crash) by changing the size of a container of absolutely positioned elements in a column (CVE-2012-1940).

Heap-based buffer overflow in the nsHTMLReflowState::CalculateHypotheticalBox function in Mozilla Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.5, Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.5, and SeaMonkey before 2.10 allows remote attackers to execute arbitrary code by resizing a window displaying absolutely positioned and relatively positioned elements in nested columns (CVE-2012-1941).

Use-after-free vulnerability in the nsINode::ReplaceOrInsertBefore function in Mozilla Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.5, Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.5, and SeaMonkey before 2.10 might allow remote attackers to execute arbitrary code via document changes involving replacement or insertion of a node (CVE-2012-1946).

Mozilla Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.5, Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.5, and SeaMonkey before 2.10 allow local users to obtain sensitive information via an HTML document that loads a shortcut (aka .lnk) file for display within an IFRAME element, as demonstrated by a network share implemented by (1) Microsoft Windows or (2) Samba (CVE-2012-1945).

The Content Security Policy (CSP) implementation in Mozilla Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.5, Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.5, and SeaMonkey before 2.10 does not block inline event handlers, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted HTML document (CVE-2012-1944).

Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 13.0, Thunderbird before 13.0, and SeaMonkey before 2.10 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to (1) methodjit/ImmutableSync.cpp, (2) the JSObject::makeDenseArraySlow function in js/src/jsarray.cpp, and unknown other components (CVE-2012-1938).

jsinfer.cpp in Mozilla Firefox ESR 10.x before 10.0.5 and Thunderbird ESR 10.x before 10.0.5 does not properly determine data types, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via crafted JavaScript code (CVE-2012-1939).

Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.5, Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.5, and SeaMonkey before 2.10 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors (CVE-2012-1937).

Ken Russell of Google reported a bug in NVIDIA graphics drivers that they needed to work around in the Chromium WebGL implementation.
Mozilla has done the same in Firefox 13 and ESR 10.0.5 (CVE-2011-3101).

The ASN.1 decoder in the QuickDER decoder in Mozilla Network Security Services (NSS) before 3.13.4, as used in Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.5, Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.5, and SeaMonkey before 2.10, allows remote attackers to cause a denial of service (application crash) via a zero-length item, as demonstrated by (1) a zero-length basic constraint or (2) a zero-length field in an OCSP response (CVE-2012-0441). NOTE: This flaw was addressed earlier with the MDVA-2012:036 advisory.

The mozilla firefox and thunderbird packages has been upgraded to the latest respective versions which is unaffected by these security flaws.

Additionally the NSPR and the NSS packages has been upgraded to the latest versions which resolves various upstream bugs.

USN-1463-1 fixed vulnerabilities in Firefox. The new package caused a regression in the rendering of Hebrew text and the ability of the Hotmail inbox to auto-update. This update fixes the problem.

Jesse Ruderman, Igor Bukanov, Bill McCloskey, Christian Holler, Andrew McCreight, Olli Pettay, Boris Zbarsky, and Brian Bondy discovered memory safety issues affecting Firefox. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit these to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-1937, CVE-2012-1938)

It was discovered that Mozilla's WebGL implementation exposed a bug in certain NVIDIA graphics drivers. The impact of this issue has not been disclosed at this time.
(CVE-2011-3101)

Adam Barth discovered that certain inline event handlers were not being blocked properly by the Content Security Policy's (CSP) inline-script blocking feature. Web applications relying on this feature of CSP to protect against cross-site scripting (XSS) were not fully protected.
With cross-site scripting vulnerabilities, if a user were tricked into viewing a specially crafted page, a remote attacker could exploit this to modify the contents, or steal confidential data, within the same domain. (CVE-2012-1944)

Paul Stone discovered that a viewed HTML page hosted on a Windows or Samba share could load Windows shortcut files (.lnk) in the same share. These shortcut files could then link to arbitrary locations on the local file system of the individual loading the HTML page. An attacker could potentially use this vulnerability to show the contents of these linked files or directories in an iframe, resulting in information disclosure. (CVE-2012-1945)

Arthur Gerkis discovered a use-after-free vulnerability while replacing/inserting a node in a document. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit this to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox.
(CVE-2012-1946)

Kaspar Brand discovered a vulnerability in how the Network Security Services (NSS) ASN.1 decoder handles zero length items. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit this to cause a denial of service via application crash.
(CVE-2012-0441)

Abhishek Arya discovered two buffer overflow and one use-after-free vulnerabilities. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit these to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-1940, CVE-2012-1941, CVE-2012-1947).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

MozillaFirefox has been updated to 10.0.5ESR fixing various bugs and security issues.

  - Mozilla developers identified and fixed several memory     safety bugs in the browser engine used in Firefox and     other Mozilla-based products. Some of these bugs showed     evidence of memory corruption under certain     circumstances, and we presume that with enough effort at     least some of these could be exploited to run arbitrary     code. (MFSA 2012-34)

    In general these flaws cannot be exploited through email     in the Thunderbird and SeaMonkey products because     scripting is disabled, but are potentially a risk in     browser or browser-like contexts in those products.
    References

    Jesse Ruderman, Igor Bukanov, Bill McCloskey, Christian     Holler, Andrew McCreight, and Brian Bondy reported     memory safety problems and crashes that affect Firefox     12. (CVE-2012-1938)

    Christian Holler reported a memory safety problem that     affects Firefox ESR. (CVE-2012-1939)

    Igor Bukanov, Olli Pettay, Boris Zbarsky, and Jesse     Ruderman reported memory safety problems and crashes     that affect Firefox ESR and Firefox 13. (CVE-2012-1937)

    Ken Russell of Google reported a bug in NVIDIA graphics     drivers that they needed to work around in the Chromium     WebGL implementation. Mozilla has done the same in     Firefox 13 and ESR 10.0.5. (CVE-2011-3101)

  - Security researcher James Forshaw of Context Information     Security found two issues with the Mozilla updater and     the Mozilla updater service introduced in Firefox 12 for     Windows. The first issue allows Mozilla's updater to     load a local DLL file in a privileged context. The     updater can be called by the Updater Service or     independently on systems that do not use the service.
    The second of these issues allows for the updater     service to load an arbitrary local DLL file, which can     then be run with the same system privileges used by the     service. Both of these issues require local file system     access to be exploitable. (MFSA 2012-35)

    Possible Arbitrary Code Execution by Update Service     (CVE-2012-1942) Updater.exe loads wsock32.dll from     application directory. (CVE-2012-1943)

  - Security researcher Adam Barth found that inline event     handlers, such as onclick, were no longer blocked by     Content Security Policy's (CSP) inline-script blocking     feature. Web applications relying on this feature of CSP     to protect against cross-site scripting (XSS) were not     fully protected. (CVE-2012-1944). (MFSA 2012-36)

  - Security researcher Paul Stone reported an attack where     an HTML page hosted on a Windows share and then loaded     could then load Windows shortcut files (.lnk) in the     same share. These shortcut files could then link to     arbitrary locations on the local file system of the     individual loading the HTML page. That page could show     the contents of these linked files or directories from     the local file system in an iframe, causing information     disclosure. (MFSA 2012-37)

    This issue could potentially affect Linux machines with     samba shares enabled. (CVE-2012-1945)

  - Security researcher Arthur Gerkis used the Address     Sanitizer tool to find a use-after-free while     replacing/inserting a node in a document. This     use-after-free could possibly allow for remote code     execution. (CVE-2012-1946). (MFSA 2012-38)

  - Security researcher Kaspar Brand found a flaw in how the     Network Security Services (NSS) ASN.1 decoder handles     zero length items. Effects of this issue depend on the     field. One known symptom is an unexploitable crash in     handling OCSP responses. NSS also mishandles zero-length     basic constraints, assuming default values for some     types that should be rejected as malformed. These issues     have been addressed in NSS 3.13.4, which is now being     used by Mozilla. (CVE-2012-0441). (MFSA 2012-39)

  - Security researcher Abhishek Arya of Google used the     Address Sanitizer tool to uncover several issues: two     heap buffer overflow bugs and a use-after-free problem.
    The first heap buffer overflow was found in conversion     from unicode to native character sets when the function     fails. The use-after-free occurs in nsFrameList when     working with column layout with absolute positioning in     a container that changes size. The second buffer     overflow occurs in nsHTMLReflowState when a window is     resized on a page with nested columns and a combination     of absolute and relative positioning. All three of these     issues are potentially exploitable. (MFSA 2012-40)

    Heap-buffer-overflow in utf16_to_isolatin1     (CVE-2012-1947) Heap-use-after-free in     nsFrameList::FirstChild. (CVE-2012-1940)

    Heap-buffer-overflow in     nsHTMLReflowState::CalculateHypotheticalBox, with nested     multi-column, relative position, and absolute position.
    (CVE-2012-1941)

More information on security issues can be found on:
http://www.mozilla.org/security/announce/

Versions of SeaMonkey 2.x earlier than 2.10 are potentially affected by the following security issues :

  - An error exists in the ASN.1 decoder when handling zero length items that can lead to application crashes. (CVE-2012-0441)

  - Multiple memory corruption errors exist. (CVE-2012-1937, CVE-2012-1938)

  - Two heap-based buffer overflows and one heap-based use-after-free error exist and are potentially exploitable. (CVE-2012-1940, CVE-2012-1941, CVE-2012-1947)

  - Two arbitrary DLL load issues exist related to the application update and update service functionality. (CVE-2012-1942, CVE-2012-1943)

  - The inline-script blocking feature of the 'Content Security Policy' (CSP) does not properly block inline event handlers. This error allows remote attackers to more easily carry out cross-site scripting attacks. (CVE-2012-1944)

  -  A use-after-free error exists related to replacing or inserting a node into a web document. (CVE-2012-1946)

An updated thunderbird package that fixes multiple security issues is now available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Mozilla Thunderbird is a standalone mail and newsgroup client.

Several flaws were found in the processing of malformed content.
Malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2011-3101, CVE-2012-1937, CVE-2012-1938, CVE-2012-1939, CVE-2012-1940, CVE-2012-1941, CVE-2012-1946, CVE-2012-1947)

Note: CVE-2011-3101 only affected users of certain NVIDIA display drivers with graphics cards that have hardware acceleration enabled.

It was found that the Content Security Policy (CSP) implementation in Thunderbird no longer blocked Thunderbird inline event handlers.
Malicious content could possibly bypass intended restrictions if that content relied on CSP to protect against flaws such as cross-site scripting (XSS). (CVE-2012-1944)

If a web server hosted content that is stored on a Microsoft Windows share, or a Samba share, loading such content with Thunderbird could result in Windows shortcut files (.lnk) in the same share also being loaded. An attacker could use this flaw to view the contents of local files and directories on the victim's system. This issue also affected users opening content from Microsoft Windows shares, or Samba shares, that are mounted on their systems. (CVE-2012-1945)

Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Ken Russell of Google as the original reporter of CVE-2011-3101; Igor Bukanov, Olli Pettay, Boris Zbarsky, and Jesse Ruderman as the original reporters of CVE-2012-1937; Jesse Ruderman, Igor Bukanov, Bill McCloskey, Christian Holler, Andrew McCreight, and Brian Bondy as the original reporters of CVE-2012-1938;
Christian Holler as the original reporter of CVE-2012-1939; security researcher Abhishek Arya of Google as the original reporter of CVE-2012-1940, CVE-2012-1941, and CVE-2012-1947; security researcher Arthur Gerkis as the original reporter of CVE-2012-1946; security researcher Adam Barth as the original reporter of CVE-2012-1944; and security researcher Paul Stone as the original reporter of CVE-2012-1945.

Note: None of the issues in this advisory can be exploited by a specially crafted HTML mail message as JavaScript is disabled by default for mail messages. They could be exploited another way in Thunderbird, for example, when viewing the full remote content of an RSS feed.

All Thunderbird users should upgrade to this updated package, which contains Thunderbird version 10.0.5 ESR, which corrects these issues.
After installing the update, Thunderbird must be restarted for the changes to take effect.

Versions of Firefox 12.x  are potentially affected by the following security issues :

  - An error exists in the ASN.1 decoder when handling zero length items that can lead to application crashes. (CVE-2012-0441)

  - Multiple memory corruption errors exist. (CVE-2012-1937, CVE-2012-1038)

  - Two heap-based buffer overflows and one heap-based use-after-free error exist and are potentially exploitable. (CVE-2012-1940, CVE-2012-1941, CVE-2012-1947)

  - Two arbitrary DLL load issues exist related to the application update and update service functionality. (CVE-2012-1942, CVE-2012-1943)

  - The inline-script blocking feature of the 'Content Security Policy' (CSP) does not properly block inline event handlers. This error allows remote attackers to more easily carry out cross-site scripting attacks. (CVE-2012-1944)

  -  A use-after-free error exists related to replacing or inserting a node into a web document. (CVE-2012-1946)

Versions of Thunderbird 12.x  are potentially affected by the following security issues :

  - An error exists in the ASN.1 decoder when handling zero length items that can lead to application crashes. (CVE-2012-0441)

  - Multiple memory corruption errors exist. (CVE-2012-1937, CVE-2012-1038)

  - Two heap-based buffer overflows and one heap-based use-after-free error exist and are potentially exploitable. (CVE-2012-1940, CVE-2012-1941, CVE-2012-1947)

  - Two arbitrary DLL load issues exist related to the application update and update service functionality. (CVE-2012-1942, CVE-2012-1943)

  - The inline-script blocking feature of the 'Content Security Policy' (CSP) does not properly block inline event handlers. This error allows remote attackers to more easily carry out cross-site scripting attacks. (CVE-2012-1944)

  -  A use-after-free error exists related to replacing or inserting a node into a web document. (CVE-2012-1946)

Versions of Mozilla Thunderbird prior to 13.0 are affected by the following security issues :

 - An error exists in the ASN.1 decoder when handling zero length items that can lead to application crashes. (CVE-2012-0441)
 - Multiple memory corruption errors exist. (CVE-2012-1937, CVE-2012-1038)
 - Two heap-based buffer overflows and one heap-based use-after-free error exist and are potentially exploitable. (CVE-2012-1940, CVE-2012-1941, CVE-2012-1947)
 - Two arbitrary DLL load issues exist related to the application update and update service functionality. (CVE-2012-1942, CVE-2012-1943)
 - The inline-script blocking feature of the 'Content Security Policy' (CSP) does not properly block inline event handlers. This error allows remote attackers to more easily carry out cross-site scripting attacks. (CVE-2012-1944)
 - A use-after-free error exists related to replacing or inserting a node into a web document. (CVE-2012-1946)

Versions of Firefox prior to 13.0 are potentially affected by the following security issues :

 - An error exists in the ASN.1 decoder when handling zero length items that can lead to application crashes. (CVE-2012-0441)
 - Multiple memory corruption errors exist. (CVE-2012-1937, CVE-2012-1038)
 - Two heap-based buffer overflows and one heap-based use-after-free error exist and are potentially exploitable. (CVE-2012-1940, CVE-2012-1941, CVE-2012-1947)
 - Two arbitrary DLL load issues exist related to the application update and update service functionality. (CVE-2012-1942, CVE-2012-1943)
 - The inline-script blocking feature of the 'Content Security Policy' (CSP) does not properly block inline event handlers. This error allows remote attackers to more easily carry out cross-site scripting attacks. (CVE-2012-1944)
 -  A use-after-free error exists related to replacing or inserting a node into a web document. (CVE-2012-1946)


Jesse Ruderman, Igor Bukanov, Bill McCloskey, Christian Holler, Andrew McCreight, Olli Pettay, Boris Zbarsky, and Brian Bondy discovered memory safety issues affecting Firefox. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit these to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-1937, CVE-2012-1938)

It was discovered that Mozilla's WebGL implementation exposed a bug in certain NVIDIA graphics drivers. The impact of this issue has not been disclosed at this time. (CVE-2011-3101)

Adam Barth discovered that certain inline event handlers were not being blocked properly by the Content Security Policy's (CSP) inline-script blocking feature. Web applications relying on this feature of CSP to protect against cross-site scripting (XSS) were not fully protected. With cross-site scripting vulnerabilities, if a user were tricked into viewing a specially crafted page, a remote attacker could exploit this to modify the contents, or steal confidential data, within the same domain. (CVE-2012-1944)

Paul Stone discovered that a viewed HTML page hosted on a Windows or Samba share could load Windows shortcut files (.lnk) in the same share. These shortcut files could then link to arbitrary locations on the local file system of the individual loading the HTML page. An attacker could potentially use this vulnerability to show the contents of these linked files or directories in an iframe, resulting in information disclosure. (CVE-2012-1945)

Arthur Gerkis discovered a use-after-free vulnerability while replacing/inserting a node in a document. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit this to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-1946)

Kaspar Brand discovered a vulnerability in how the Network Security Services (NSS) ASN.1 decoder handles zero length items. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit this to cause a denial of service via application crash. (CVE-2012-0441)

Abhishek Arya discovered two buffer overflow and one use-after-free vulnerabilities. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit these to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-1940, CVE-2012-1941, CVE-2012-1947).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Redhat Enterprise Linux 5 / 6 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2012:0715 advisory.

    Mozilla Thunderbird is a standalone mail and newsgroup client.

    Several flaws were found in the processing of malformed content. Malicious     content could cause Thunderbird to crash or, potentially, execute arbitrary     code with the privileges of the user running Thunderbird. (CVE-2011-3101,     CVE-2012-1937, CVE-2012-1938, CVE-2012-1939, CVE-2012-1940, CVE-2012-1941,     CVE-2012-1946, CVE-2012-1947)

    Note: CVE-2011-3101 only affected users of certain NVIDIA display drivers     with graphics cards that have hardware acceleration enabled.

    It was found that the Content Security Policy (CSP) implementation in     Thunderbird no longer blocked Thunderbird inline event handlers. Malicious     content could possibly bypass intended restrictions if that content relied     on CSP to protect against flaws such as cross-site scripting (XSS).
    (CVE-2012-1944)

    If a web server hosted content that is stored on a Microsoft Windows share,     or a Samba share, loading such content with Thunderbird could result in     Windows shortcut files (.lnk) in the same share also being loaded. An     attacker could use this flaw to view the contents of local files and     directories on the victim's system. This issue also affected users opening     content from Microsoft Windows shares, or Samba shares, that are mounted     on their systems. (CVE-2012-1945)

    Red Hat would like to thank the Mozilla project for reporting these issues.
    Upstream acknowledges Ken Russell of Google as the original reporter of     CVE-2011-3101; Igor Bukanov, Olli Pettay, Boris Zbarsky, and Jesse Ruderman     as the original reporters of CVE-2012-1937; Jesse Ruderman, Igor Bukanov,     Bill McCloskey, Christian Holler, Andrew McCreight, and Brian Bondy as the     original reporters of CVE-2012-1938; Christian Holler as the original     reporter of CVE-2012-1939; security researcher Abhishek Arya of Google as     the original reporter of CVE-2012-1940, CVE-2012-1941, and CVE-2012-1947;
    security researcher Arthur Gerkis as the original reporter of     CVE-2012-1946; security researcher Adam Barth as the original reporter of     CVE-2012-1944; and security researcher Paul Stone as the original reporter     of CVE-2012-1945.

    Note: None of the issues in this advisory can be exploited by a     specially-crafted HTML mail message as JavaScript is disabled by default     for mail messages. They could be exploited another way in Thunderbird, for     example, when viewing the full remote content of an RSS feed.

    All Thunderbird users should upgrade to this updated package, which     contains Thunderbird version 10.0.5 ESR, which corrects these issues. After     installing the update, Thunderbird must be restarted for the changes to     take effect.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Updated firefox packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox.

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2011-3101, CVE-2012-1937, CVE-2012-1938, CVE-2012-1939, CVE-2012-1940, CVE-2012-1941, CVE-2012-1946, CVE-2012-1947)

Note: CVE-2011-3101 only affected users of certain NVIDIA display drivers with graphics cards that have hardware acceleration enabled.

It was found that the Content Security Policy (CSP) implementation in Firefox no longer blocked Firefox inline event handlers. A remote attacker could use this flaw to possibly bypass a web application's intended restrictions, if that application relied on CSP to protect against flaws such as cross-site scripting (XSS). (CVE-2012-1944)

If a web server hosted HTML files that are stored on a Microsoft Windows share, or a Samba share, loading such files with Firefox could result in Windows shortcut files (.lnk) in the same share also being loaded. An attacker could use this flaw to view the contents of local files and directories on the victim's system. This issue also affected users opening HTML files from Microsoft Windows shares, or Samba shares, that are mounted on their systems. (CVE-2012-1945)

For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 10.0.5 ESR. You can find a link to the Mozilla advisories in the References section of this erratum.

Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Ken Russell of Google as the original reporter of CVE-2011-3101; Igor Bukanov, Olli Pettay, Boris Zbarsky, and Jesse Ruderman as the original reporters of CVE-2012-1937; Jesse Ruderman, Igor Bukanov, Bill McCloskey, Christian Holler, Andrew McCreight, and Brian Bondy as the original reporters of CVE-2012-1938;
Christian Holler as the original reporter of CVE-2012-1939; security researcher Abhishek Arya of Google as the original reporter of CVE-2012-1940, CVE-2012-1941, and CVE-2012-1947; security researcher Arthur Gerkis as the original reporter of CVE-2012-1946; security researcher Adam Barth as the original reporter of CVE-2012-1944; and security researcher Paul Stone as the original reporter of CVE-2012-1945.

All Firefox users should upgrade to these updated packages, which contain Firefox version 10.0.5 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.

The remote Redhat Enterprise Linux 5 / 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2012:0710 advisory.

  - Mozilla: Miscellaneous memory safety hazards (rv:13.0/ rv:10.0.5) (MFSA 2012-34) (CVE-2011-3101,     CVE-2012-1937, CVE-2012-1938, CVE-2012-1939, CVE-2012-3105)

  - Mozilla: Buffer overflow and use-after-free issues found using Address Sanitizer (MFSA 2012-40)     (CVE-2012-1940, CVE-2012-1941, CVE-2012-1947)

  - Mozilla: Content Security Policy inline-script bypass (MFSA 2012-36) (CVE-2012-1944)

  - Mozilla: Information disclosure though Windows file shares and shortcut files (MFSA 2012-37)     (CVE-2012-1945)

  - Mozilla: Use-after-free while replacing/inserting a node in a document (MFSA 2012-38) (CVE-2012-1946)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Mozilla Project reports :

MFSA 2012-34 Miscellaneous memory safety hazards (rv:13.0/ rv:10.0.5)

MFSA 2012-36 Content Security Policy inline-script bypass

MFSA 2012-37 Information disclosure though Windows file shares and shortcut files

MFSA 2012-38 Use-after-free while replacing/inserting a node in a document

MFSA 2012-39 NSS parsing errors with zero length items

MFSA 2012-40 Buffer overflow and use-after-free issues found using Address Sanitizer

ID	Name	Product	Family	Severity
74655	openSUSE Security Update : MozillaFirefox / MozillaThunderbird / mozilla-nss / etc (openSUSE-SU-2012:0760-1)	Nessus	SuSE Local Security Checks	critical
68536	Oracle Linux 6 : thunderbird (ELSA-2012-0715)	Nessus	Oracle Linux Local Security Checks	medium
68535	Oracle Linux 5 / 6 : firefox (ELSA-2012-0710)	Nessus	Oracle Linux Local Security Checks	medium
64208	SuSE 11.1 Security Update : Mozilla Firefox (SAT Patch Number 6425)	Nessus	SuSE Local Security Checks	critical
63402	GLSA-201301-01 : Mozilla Products: Multiple vulnerabilities (BEAST)	Nessus	Gentoo Local Security Checks	critical
61323	Scientific Linux Security Update : thunderbird on SL5.x, SL6.x i386/x86_64 (20120606)	Nessus	Scientific Linux Local Security Checks	critical
61322	Scientific Linux Security Update : firefox on SL5.x, SL6.x i386/x86_64 (20120605)	Nessus	Scientific Linux Local Security Checks	critical
59725	Ubuntu 11.04 : thunderbird vulnerabilities (USN-1463-6)	Nessus	Ubuntu Local Security Checks	critical
59681	Mandriva Linux Security Advisory : mozilla (MDVSA-2012:088-1)	Nessus	Mandriva Local Security Checks	critical
59654	Ubuntu 10.04 LTS / 11.10 / 12.04 LTS : thunderbird vulnerabilities (USN-1463-4)	Nessus	Ubuntu Local Security Checks	critical
59640	Ubuntu 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : firefox regressions (USN-1463-3)	Nessus	Ubuntu Local Security Checks	critical
59520	SuSE 10 Security Update : Mozilla Firefox (ZYPP Patch Number 8189)	Nessus	SuSE Local Security Checks	critical
801375	Mozilla SeaMonkey 2.x < 2.10 Multiple Vulnerabilities	Log Correlation Engine	Web Clients	high
6496	SeaMonkey 2.x < 2.10 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	high
59412	CentOS 5 / 6 : thunderbird (CESA-2012:0715)	Nessus	CentOS Local Security Checks	critical
801297	Mozilla Firefox 12.x < 12 Multiple Vulnerabilities	Log Correlation Engine	Web Clients	high
801240	Mozilla Thunderbird 12.x < 12 Multiple Vulnerabilities	Log Correlation Engine	SMTP Clients	high
6498	Mozilla Thunderbird < 13.0 Multiple Vulnerabilities	Nessus Network Monitor	SMTP Clients	high
6497	Mozilla Firefox < 13.0 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	high
59394	Ubuntu 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : firefox vulnerabilities (USN-1463-1)	Nessus	Ubuntu Local Security Checks	critical
59392	RHEL 5 / 6 : thunderbird (RHSA-2012:0715)	Nessus	Red Hat Local Security Checks	medium
59388	CentOS 5 / 6 : firefox (CESA-2012:0710)	Nessus	CentOS Local Security Checks	critical
59383	RHEL 5 / 6 : firefox (RHSA-2012:0710)	Nessus	Red Hat Local Security Checks	medium
59381	FreeBSD : mozilla -- multiple vulnerabilities (bfecf7c1-af47-11e1-9580-4061862b8c22)	Nessus	FreeBSD Local Security Checks	critical

Detections

Analytics

CVE-2012-1945

medium

Tenable Plugins

critical

medium

medium

critical

critical

critical

critical

critical

critical

critical

critical

critical

high

high

critical

high

high

high

high

critical

medium

critical

medium

critical