SecurityTracker.com
SecurityTracker
Archives

Category:   Application (Web Browser)  >   Mozilla Firefox
Vendors:   Mozilla.org
Mozilla Firefox Multiple Bugs Let Remote Users Execute Arbitrary Code, Obtain Information and Conduct Cross-Site Request Forgery Attacks and Let Local Users Obtain Elevated Privileges
SecurityTracker Alert ID:  1028702
SecurityTracker URL:  http://securitytracker.com/id/1028702
CVE Reference:   CVE-2013-1682, CVE-2013-1683, CVE-2013-1684, CVE-2013-1685, CVE-2013-1686, CVE-2013-1687, CVE-2013-1688, CVE-2013-1690, CVE-2013-1692, CVE-2013-1693, CVE-2013-1694, CVE-2013-1695, CVE-2013-1696, CVE-2013-1697, CVE-2013-1698, CVE-2013-1699, CVE-2013-1700   (Links to External Site)
Updated:  Jun 26 2013
Original Entry Date:  Jun 25 2013
Impact:   Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via local system, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to ESR 17.0.7; prior to 22.0
Description:   Multiple vulnerabilities were reported in Mozilla Firefox. A remote user can cause arbitrary code to be executed on the target user's system. A local user can obtain elevated privileges on the target system. A remote user can conduct cross-site request forgery attacks. A remote user can obtain potentially sensitive information.

A remote user can create specially crafted content that, when loaded by the target user, will execute arbitrary code on the target system [CVE-2013-1682, CVE-2013-1683, CVE-2013-1684, CVE-2013-1685, CVE-2013-1686, CVE-2013-1687, CVE-2013-1688, CVE-2013-1690]. The code will run with the privileges of the target user.

The browser sends data in the body of XMLHttpRequest (XHR) HEAD requests. A remote user can exploit this to conduct cross-site request forgery attacks and take actions on the target site acting as the target user [CVE-2013-1692].
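The browser-side fix for this issue is the updated Firefox release; as an added defence-in-depth example (not code from the advisory or from Mozilla), the following server-side check treats HEAD as a safe, read-only method, refuses any HEAD request that arrives with a body, and requires a session-bound CSRF token on every state-changing method. The header names, the `x-csrf-token` header and `check_request` are assumptions for the example.

```python
# Added example: server-side guard against the HEAD-with-body CSRF pattern
# described in this entry. Not part of the advisory or of Firefox.
import hmac

# Methods that must never change server state, so no CSRF token is needed.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def check_request(method, headers, body, session_token):
    """Return (allowed, reason) for one incoming request.

    headers:       dict of request header name -> value, names lower-cased
    body:          raw request body bytes (b"" when there is none)
    session_token: CSRF token bound to the caller's session (ASCII str)
    """
    method = method.upper()
    try:
        content_length = int(headers.get("content-length", "0"))
    except ValueError:
        return False, "malformed Content-Length"

    if method == "HEAD" and (body or content_length > 0):
        # A HEAD request has no defined body; a handler must never read
        # parameters out of one, so refuse it outright.
        return False, "HEAD request with body rejected"

    if method in SAFE_METHODS:
        # Safe methods are served without performing any state change.
        return True, "safe method, no state change performed"

    # State-changing method: require a token that matches the session's.
    supplied = headers.get("x-csrf-token", "")
    if not supplied or not hmac.compare_digest(supplied, session_token):
        return False, "missing or invalid CSRF token"
    return True, "token verified"
```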

A remote user can exploit timing differences in the processing of SVG format images with filters to read pixel values [CVE-2013-1693].

A remote user can trigger a flaw in PreserveWrapper to execute arbitrary code [CVE-2013-1694].

The iframe sandbox restrictions are not applied to nested frame elements, which may allow a remote user to bypass sandbox restrictions [CVE-2013-1695].

The browser ignores the X-Frame-Options header when server push is used in multi-part responses. A remote user may be able to exploit this to conduct clickjacking attacks on sites that use X-Frame-Options as a protection [CVE-2013-1696].

A remote user can bypass XrayWrappers to run user defined methods with elevated privileges [CVE-2013-1697].

The getUserMedia permission dialog for an iframe may display the origin incorrectly. A target user may allow camera or microphone permissions inadvertently [CVE-2013-1698].

A remote user may be able to conduct homograph domain spoofing against .com, .net and .name domains [CVE-2013-1699].
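As an added example (not from the advisory or from Mozilla), a defender-side check that decodes the IDN labels of a hostname and flags any label whose letters come from more than one script, the mixed-script pattern behind the homograph spoofing named above. The `suspicious_labels` function and the coarse script buckets are assumptions for the example; single-script look-alike labels are deliberately out of its scope.

```python
# Added example: flag mixed-script IDN labels as possible homographs.
# Not part of the advisory or of Firefox.
import unicodedata


def _script_of(ch):
    """Coarse script bucket for one character, taken from its Unicode name."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN"):
        if name.startswith(script):
            return script
    return "OTHER"


def suspicious_labels(hostname):
    """Return the decoded labels of hostname that mix scripts.

    Each 'xn--' label is punycode-decoded first. A label is flagged when
    its letters span more than one of the buckets above (e.g. Latin 'a'
    beside Cyrillic 'а'); an undecodable 'xn--' label is flagged as-is.
    Digits, hyphens and characters outside the buckets are ignored, so a
    label written entirely in one script is not flagged by this check.
    """
    flagged = []
    for label in hostname.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except (UnicodeError, ValueError):
                flagged.append(label)
                continue
        scripts = {_script_of(c) for c in label if c.isalpha()}
        scripts.discard("OTHER")
        if len(scripts) > 1:
            flagged.append(label)
    return flagged
```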

On Windows-based systems, a local user can exploit a flaw in the Mozilla Maintenance Service to gain LocalSystem privileges [CVE-2013-1700].

Gary Kwong, Jesse Ruderman, Andrew McCreight, Christian Holler, Bobby Holley, Ben Turner, Ehsan Akhgari, Mats Palmgren, John Schoenick, Abhishek Arya (Inferno) of the Google Chrome Security Team, Johnathan Kuskos, Nils, Boris Zbarsky, Bob Owen, Frederic Buclin, moz_bug_r_a4, Matt Wobensmith, 3ric Johanson, Seb Patane, and Paul Stone of Context Information Security reported these vulnerabilities.

Impact:   A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.

A local user can obtain elevated privileges on the target system.

A remote user can take actions on the site acting as the target user.

A remote user can obtain potentially sensitive information.

Solution:   The vendor has issued a fix (ESR 17.0.7; 22.0).

The vendor's advisories are available at:

http://www.mozilla.org/security/announce/2013/mfsa2013-49.html
http://www.mozilla.org/security/announce/2013/mfsa2013-50.html
http://www.mozilla.org/security/announce/2013/mfsa2013-51.html
http://www.mozilla.org/security/announce/2013/mfsa2013-52.html
http://www.mozilla.org/security/announce/2013/mfsa2013-53.html
http://www.mozilla.org/security/announce/2013/mfsa2013-54.html
http://www.mozilla.org/security/announce/2013/mfsa2013-55.html
http://www.mozilla.org/security/announce/2013/mfsa2013-56.html
http://www.mozilla.org/security/announce/2013/mfsa2013-57.html
http://www.mozilla.org/security/announce/2013/mfsa2013-58.html
http://www.mozilla.org/security/announce/2013/mfsa2013-59.html
http://www.mozilla.org/security/announce/2013/mfsa2013-60.html
http://www.mozilla.org/security/announce/2013/mfsa2013-61.html
http://www.mozilla.org/security/announce/2013/mfsa2013-62.html

Vendor URL:  www.mozilla.org/security/announce/2013/mfsa2013-49.html (Links to External Site)
Cause:   Access control error, Boundary error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jun 26 2013 (Red Hat Issues Fix) Mozilla Firefox Multiple Bugs Let Remote Users Execute Arbitrary Code, Obtain Information and Conduct Cross-Site Request Forgery Attacks and Let Local Users Obtain Elevated Privileges
Red Hat has issued a fix for Red Hat Enterprise Linux 5 and 6.
Source Message Contents

[Original Message Not Available for Viewing]


Copyright 2019, SecurityGlobal.net LLC