SecurityTracker.com
Category:   Application (Web Browser)  >   Mozilla Firefox
Vendors:   Mozilla.org
Mozilla Firefox Multiple Bugs Let Remote Users Execute Arbitrary Code, Spoof Information, and Inject Scripting Code
SecurityTracker Alert ID:  1027631
SecurityTracker URL:  http://securitytracker.com/id/1027631
CVE Reference:   CVE-2012-3982, CVE-2012-3983, CVE-2012-3984, CVE-2012-3985, CVE-2012-3986, CVE-2012-3987, CVE-2012-3988, CVE-2012-3989, CVE-2012-3990, CVE-2012-3991, CVE-2012-3992, CVE-2012-3993, CVE-2012-3994, CVE-2012-3995, CVE-2012-4179, CVE-2012-4180, CVE-2012-4181, CVE-2012-4182, CVE-2012-4183, CVE-2012-4184, CVE-2012-4185, CVE-2012-4186, CVE-2012-4187, CVE-2012-4188
Date:  Oct 10 2012
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to 16.0
Description:   Multiple vulnerabilities were reported in Mozilla Firefox. A remote user can cause arbitrary code to be executed on the target user's system. A remote user can inject scripting code. A remote user can spoof portions of the page.

A remote user can create specially crafted content that, when loaded by the target user, will trigger a memory corruption error, use-after-free memory error, buffer overflow, access control error, or other flaw and execute arbitrary code on the target system [CVE-2012-3982, CVE-2012-3983, CVE-2012-3986, CVE-2012-3988, CVE-2012-3989, CVE-2012-3990, CVE-2012-3991, CVE-2012-3995, CVE-2012-4179, CVE-2012-4180, CVE-2012-4181, CVE-2012-4182, CVE-2012-4183, CVE-2012-4185, CVE-2012-4186, CVE-2012-4187, CVE-2012-4188]. The code will run with the privileges of the target user.

A remote user can cause arbitrary scripting code to be executed by the target user's browser [CVE-2012-3985, CVE-2012-3987 (affecting only Firefox for Android), CVE-2012-3992, CVE-2012-3993, CVE-2012-3994, CVE-2012-4184]. The code will run in the security context of an arbitrary site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can exploit a flaw in the processing of <select> elements to spoof portions of a page [CVE-2012-3983].

The following researchers reported these vulnerabilities:

Henrik Skupin, Jesse Ruderman, moz_bug_r_a4, Christian Holler, David Bloom of Cue, Jordi Chancel, Collin Jackson, Mozilla developer Johnny Stenback, Warren He, Soroush Dalili, Mozilla community member Ms2ger, Mozilla community member Alice White, Mariusz Mlynski, Abhishek Arya (Inferno) of the Google Chrome Security Team, Atte Kettunen from OUSPG, and miaubiz.

Impact:   A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with an arbitrary site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can spoof portions of a page.

Solution:   The vendor has issued a fix (ESR 10.0.8; 16.0).

The vendor's advisories are available at:

http://www.mozilla.org/security/announce/2012/mfsa2012-74.html
http://www.mozilla.org/security/announce/2012/mfsa2012-75.html
http://www.mozilla.org/security/announce/2012/mfsa2012-76.html
http://www.mozilla.org/security/announce/2012/mfsa2012-77.html
http://www.mozilla.org/security/announce/2012/mfsa2012-78.html
http://www.mozilla.org/security/announce/2012/mfsa2012-79.html
http://www.mozilla.org/security/announce/2012/mfsa2012-80.html
http://www.mozilla.org/security/announce/2012/mfsa2012-81.html
http://www.mozilla.org/security/announce/2012/mfsa2012-82.html
http://www.mozilla.org/security/announce/2012/mfsa2012-83.html
http://www.mozilla.org/security/announce/2012/mfsa2012-84.html
http://www.mozilla.org/security/announce/2012/mfsa2012-85.html
http://www.mozilla.org/security/announce/2012/mfsa2012-86.html
http://www.mozilla.org/security/announce/2012/mfsa2012-87.html

Vendor URL:  www.mozilla.org/security/announce/2012/mfsa2012-74.html
Cause:   Access control error, Boundary error, Input validation error, State error
Underlying OS:  Android, Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.

Oct 10 2012 (Red Hat Issues Fix) Mozilla Firefox Multiple Bugs Let Remote Users Execute Arbitrary Code, Spoof Information, and Inject Scripting Code
    Red Hat has issued a fix for Red Hat Enterprise Linux 5 and 6.

Oct 21 2013 (Oracle Issues Fix for Solaris) Mozilla Firefox Multiple Bugs Let Remote Users Execute Arbitrary Code, Spoof Information, and Inject Scripting Code
    Oracle has issued a fix for Solaris 10.



Copyright 2019, SecurityGlobal.net LLC