Executive Summary



This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Summary
Title thunderbird security update
Informations
Name RHSA-2013:1142 First vendor Publication 2013-08-07
Vendor RedHat Last vendor Modification 2013-08-07
Severity (Vendor) Important Revision 01

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score 10 Attack Range Network
Cvss Impact Score 10 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Problem Description:

An updated thunderbird package that fixes several security issues is now available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

RHEL Optional Productivity Applications (v. 5 server) - i386, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

Several flaws were found in the processing of malformed content. Malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2013-1701)

A flaw was found in the way Thunderbird generated Certificate Request Message Format (CRMF) requests. An attacker could use this flaw to perform cross-site scripting (XSS) attacks or execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2013-1710)

A flaw was found in the way Thunderbird handled the interaction between frames and browser history. An attacker could use this flaw to trick Thunderbird into treating malicious content as if it came from the browser history, allowing for XSS attacks. (CVE-2013-1709)

It was found that the same-origin policy could be bypassed due to the way Uniform Resource Identifiers (URI) were checked in JavaScript. An attacker could use this flaw to perform XSS attacks, or install malicious add-ons from third-party pages. (CVE-2013-1713)

It was found that web workers could bypass the same-origin policy. An attacker could use this flaw to perform XSS attacks. (CVE-2013-1714)

It was found that, in certain circumstances, Thunderbird incorrectly handled Java applets. If a user launched an untrusted Java applet via Thunderbird, the applet could use this flaw to obtain read-only access to files on the user's local system. (CVE-2013-1717)

Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Jeff Gilbert, Henrik Skupin, moz_bug_r_a4, Cody Crews, Federico Lanusse, and Georgi Guninski as the original reporters of these issues.

Note: All of the above issues cannot be exploited by a specially-crafted HTML mail message as JavaScript is disabled by default for mail messages. They could be exploited another way in Thunderbird, for example, when viewing the full remote content of an RSS feed.

All Thunderbird users should upgrade to this updated package, which contains Thunderbird version 17.0.8 ESR, which corrects these issues. After installing the update, Thunderbird must be restarted for the changes to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

993598 - CVE-2013-1701 Mozilla: Miscellaneous memory safety hazards (rv:17.0.8) (MFSA 2013-63) 993600 - CVE-2013-1709 Mozilla: Document URI misrepresentation and masquerading (MFSA 2013-68) 993602 - CVE-2013-1710 Mozilla: CRMF requests allow for code execution and XSS attacks (MFSA 2013-69) 993603 - CVE-2013-1713 Mozilla: Wrong principal used for validating URI for some Javascript components (MFSA 2013-72) 993604 - CVE-2013-1714 Mozilla: Same-origin bypass with web workers and XMLHttpRequest (MFSA 2013-73) 993605 - CVE-2013-1717 Mozilla: Local Java applets may read contents of local file system (MFSA 2013-75)

Original Source

Url : https://rhn.redhat.com/errata/RHSA-2013-1142.html

CWE : Common Weakness Enumeration

% Id Name
60 % CWE-264 Permissions, Privileges, and Access Controls
20 % CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25)
20 % CWE-20 Improper Input Validation

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:18002
 
Oval ID: oval:org.mitre.oval:def:18002
Title: Same-origin bypass with web workers and XMLHttpRequest
Description: The Web Workers implementation in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 does not properly restrict XMLHttpRequest calls, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via unspecified vectors.
Family: windows Class: vulnerability
Reference(s): CVE-2013-1714
Version: 20
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Vista
Microsoft Windows 7
Product(s): Mozilla Firefox
Mozilla Thunderbird
Mozilla Seamonkey
Mozilla Firefox ESR
Mozilla Thunderbird ESR
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:18048
 
Oval ID: oval:org.mitre.oval:def:18048
Title: USN-1924-2 -- ubufox, unity-firefox-extension update
Description: This update provides compatible packages for Firefox 23.
Family: unix Class: patch
Reference(s): USN-1924-2
CVE-2013-1701
CVE-2013-1702
CVE-2013-1704
CVE-2013-1705
CVE-2013-1708
CVE-2013-1709
CVE-2013-1710
CVE-2013-1711
CVE-2013-1713
CVE-2013-1714
CVE-2013-1717
Version: 7
Platform(s): Ubuntu 13.04
Ubuntu 12.10
Ubuntu 12.04
Product(s): ubufox
unity-firefox-extension
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:18122
 
Oval ID: oval:org.mitre.oval:def:18122
Title: DSA-2746-1 icedove - several
Description: Multiple security issues have been found in Icedove, Debian's version of the Mozilla Thunderbird mail and news client. Multiple memory safety errors, missing permission checks and other implementation errors may lead to the execution of arbitrary code or cross-site scripting.
Family: unix Class: patch
Reference(s): DSA-2746-1
CVE-2013-1701
CVE-2013-1709
CVE-2013-1710
CVE-2013-1713
CVE-2013-1714
CVE-2013-1717
Version: 8
Platform(s): Debian GNU/Linux 7
Debian GNU/kFreeBSD 7
Product(s): icedove
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:18367
 
Oval ID: oval:org.mitre.oval:def:18367
Title: Local Java applets may read contents of local file system
Description: Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 do not properly restrict local-filesystem access by Java applets, which allows user-assisted remote attackers to read arbitrary files by leveraging a download to a fixed pathname or other predictable pathname.
Family: windows Class: vulnerability
Reference(s): CVE-2013-1717
Version: 20
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Vista
Microsoft Windows 7
Product(s): Mozilla Firefox
Mozilla Thunderbird
Mozilla Seamonkey
Mozilla Firefox ESR
Mozilla Thunderbird ESR
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:18374
 
Oval ID: oval:org.mitre.oval:def:18374
Title: USN-1925-1 -- thunderbird vulnerabilities
Description: Several security issues were fixed in Thunderbird.
Family: unix Class: patch
Reference(s): USN-1925-1
CVE-2013-1701
CVE-2013-1709
CVE-2013-1710
CVE-2013-1713
CVE-2013-1714
CVE-2013-1717
Version: 7
Platform(s): Ubuntu 13.04
Ubuntu 12.10
Ubuntu 12.04
Product(s): thunderbird
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:18410
 
Oval ID: oval:org.mitre.oval:def:18410
Title: USN-1924-1 -- firefox vulnerabilities
Description: Firefox could be made to crash or run programs as your login if it opened a malicious website.
Family: unix Class: patch
Reference(s): USN-1924-1
CVE-2013-1701
CVE-2013-1702
CVE-2013-1704
CVE-2013-1705
CVE-2013-1708
CVE-2013-1709
CVE-2013-1710
CVE-2013-1711
CVE-2013-1713
CVE-2013-1714
CVE-2013-1717
Version: 7
Platform(s): Ubuntu 13.04
Ubuntu 12.10
Ubuntu 12.04
Product(s): firefox
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:18514
 
Oval ID: oval:org.mitre.oval:def:18514
Title: Miscellaneous memory safety hazards
Description: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
Family: windows Class: vulnerability
Reference(s): CVE-2013-1701
Version: 20
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Vista
Microsoft Windows 7
Product(s): Mozilla Firefox
Mozilla Thunderbird
Mozilla Seamonkey
Mozilla Firefox ESR
Mozilla Thunderbird ESR
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:18531
 
Oval ID: oval:org.mitre.oval:def:18531
Title: Document URI misrepresentation and masquerading
Description: Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 do not properly handle the interaction between FRAME elements and history, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors involving spoofing a relative location in a previously visited document.
Family: windows Class: vulnerability
Reference(s): CVE-2013-1709
Version: 20
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Vista
Microsoft Windows 7
Product(s): Mozilla Firefox
Mozilla Thunderbird
Mozilla Seamonkey
Mozilla Firefox ESR
Mozilla Thunderbird ESR
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:18773
 
Oval ID: oval:org.mitre.oval:def:18773
Title: CRMF requests allow for code execution and XSS attacks
Description: The crypto.generateCRMFRequest function in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 allows remote attackers to execute arbitrary JavaScript code or conduct cross-site scripting (XSS) attacks via vectors related to Certificate Request Message Format (CRMF) request generation.
Family: windows Class: vulnerability
Reference(s): CVE-2013-1710
Version: 19
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Vista
Microsoft Windows 7
Product(s): Mozilla Firefox
Mozilla Thunderbird
Mozilla Seamonkey
Mozilla Firefox ESR
Mozilla Thunderbird ESR
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:18884
 
Oval ID: oval:org.mitre.oval:def:18884
Title: Wrong principal used for validating URI for some Javascript components
Description: Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 use an incorrect URI within unspecified comparisons during enforcement of the Same Origin Policy, which allows remote attackers to conduct cross-site scripting (XSS) attacks or install arbitrary add-ons via a crafted web site.
Family: windows Class: vulnerability
Reference(s): CVE-2013-1713
Version: 19
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Vista
Microsoft Windows 7
Product(s): Mozilla Firefox
Mozilla Thunderbird
Mozilla Seamonkey
Mozilla Firefox ESR
Mozilla Thunderbird ESR
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:18974
 
Oval ID: oval:org.mitre.oval:def:18974
Title: DSA-2735-1 iceweasel - several
Description: Multiple security issues have been found in Iceweasel, Debian's version of the Mozilla Firefox web browser: multiple memory safety errors, missing permission checks and other implementation errors may lead to the execution of arbitrary code, cross-site scripting, privilege escalation, bypass of the same-origin policy or the installation of malicious addons.
Family: unix Class: patch
Reference(s): DSA-2735-1
CVE-2013-1701
CVE-2013-1709
CVE-2013-1710
CVE-2013-1713
CVE-2013-1714
CVE-2013-1717
Version: 8
Platform(s): Debian GNU/Linux 7
Debian GNU/kFreeBSD 7
Product(s): iceweasel
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:20604
 
Oval ID: oval:org.mitre.oval:def:20604
Title: RHSA-2013:1140: firefox security update (Critical)
Description: Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 do not properly restrict local-filesystem access by Java applets, which allows user-assisted remote attackers to read arbitrary files by leveraging a download to a fixed pathname or other predictable pathname.
Family: unix Class: patch
Reference(s): RHSA-2013:1140-01
CESA-2013:1140
CVE-2013-1701
CVE-2013-1709
CVE-2013-1710
CVE-2013-1713
CVE-2013-1714
CVE-2013-1717
Version: 87
Platform(s): Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
CentOS Linux 5
CentOS Linux 6
Product(s): firefox
xulrunner
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:21008
 
Oval ID: oval:org.mitre.oval:def:21008
Title: RHSA-2013:1142: thunderbird security update (Important)
Description: Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the processing of malformed content. Malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2013-1701) A flaw was found in the way Thunderbird generated Certificate Request Message Format (CRMF) requests. An attacker could use this flaw to perform cross-site scripting (XSS) attacks or execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2013-1710) A flaw was found in the way Thunderbird handled the interaction between frames and browser history. An attacker could use this flaw to trick Thunderbird into treating malicious content as if it came from the browser history, allowing for XSS attacks. (CVE-2013-1709) It was found that the same-origin policy could be bypassed due to the way Uniform Resource Identifiers (URI) were checked in JavaScript. An attacker could use this flaw to perform XSS attacks, or install malicious add-ons from third-party pages. (CVE-2013-1713) It was found that web workers could bypass the same-origin policy. An attacker could use this flaw to perform XSS attacks. (CVE-2013-1714) It was found that, in certain circumstances, Thunderbird incorrectly handled Java applets. If a user launched an untrusted Java applet via Thunderbird, the applet could use this flaw to obtain read-only access to files on the user's local system. (CVE-2013-1717) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Jeff Gilbert, Henrik Skupin, moz_bug_r_a4, Cody Crews, Federico Lanusse, and Georgi Guninski as the original reporters of these issues. Note: All of the above issues cannot be exploited by a specially-crafted HTML mail message as JavaScript is disabled by default for mail messages. They could be exploited another way in Thunderbird, for example, when viewing the full remote content of an RSS feed. All Thunderbird users should upgrade to this updated package, which contains Thunderbird version 17.0.8 ESR, which corrects these issues. After installing the update, Thunderbird must be restarted for the changes to take effect.
Family: unix Class: patch
Reference(s): RHSA-2013:1142-01
CESA-2013:1142
CVE-2013-1701
Version: 5
Platform(s): Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 5
CentOS Linux 5
CentOS Linux 6
Product(s): thunderbird
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:22897
 
Oval ID: oval:org.mitre.oval:def:22897
Title: DEPRECATED: ELSA-2013:1142: thunderbird security update (Important)
Description: Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 do not properly restrict local-filesystem access by Java applets, which allows user-assisted remote attackers to read arbitrary files by leveraging a download to a fixed pathname or other predictable pathname.
Family: unix Class: patch
Reference(s): ELSA-2013:1142-02
CVE-2013-1701
CVE-2013-1709
CVE-2013-1710
CVE-2013-1713
CVE-2013-1714
CVE-2013-1717
Version: 30
Platform(s): Oracle Linux 6
Oracle Linux 5
Product(s): thunderbird
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:22906
 
Oval ID: oval:org.mitre.oval:def:22906
Title: DEPRECATED: ELSA-2013:1140: firefox security update (Critical)
Description: Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 do not properly restrict local-filesystem access by Java applets, which allows user-assisted remote attackers to read arbitrary files by leveraging a download to a fixed pathname or other predictable pathname.
Family: unix Class: patch
Reference(s): ELSA-2013:1140-01
CVE-2013-1701
CVE-2013-1709
CVE-2013-1710
CVE-2013-1713
CVE-2013-1714
CVE-2013-1717
Version: 30
Platform(s): Oracle Linux 5
Oracle Linux 6
Product(s): firefox
xulrunner
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24083
 
Oval ID: oval:org.mitre.oval:def:24083
Title: ELSA-2013:1140: firefox security update (Critical)
Description: Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 do not properly restrict local-filesystem access by Java applets, which allows user-assisted remote attackers to read arbitrary files by leveraging a download to a fixed pathname or other predictable pathname.
Family: unix Class: patch
Reference(s): ELSA-2013:1140-01
CVE-2013-1701
CVE-2013-1709
CVE-2013-1710
CVE-2013-1713
CVE-2013-1714
CVE-2013-1717
Version: 29
Platform(s): Oracle Linux 5
Oracle Linux 6
Product(s): firefox
xulrunner
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24091
 
Oval ID: oval:org.mitre.oval:def:24091
Title: ELSA-2013:1142: thunderbird security update (Important)
Description: Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 do not properly restrict local-filesystem access by Java applets, which allows user-assisted remote attackers to read arbitrary files by leveraging a download to a fixed pathname or other predictable pathname.
Family: unix Class: patch
Reference(s): ELSA-2013:1142-02
CVE-2013-1701
CVE-2013-1709
CVE-2013-1710
CVE-2013-1713
CVE-2013-1714
CVE-2013-1717
Version: 29
Platform(s): Oracle Linux 6
Oracle Linux 5
Product(s): thunderbird
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24995
 
Oval ID: oval:org.mitre.oval:def:24995
Title: SUSE-SU-2013:1382-1 -- Security update for Mozilla Firefox
Description: Update to Firefox 17.0.8esr (bnc#833389) to address: * MFSA 2013-63/CVE-2013-1701/CVE-2013-1702 (bmo#855331, bmo#844088, bmo#858060, bmo#870200, bmo#874974, bmo#861530, bmo#854157, bmo#893684, bmo#878703, bmo#862185, bmo#879139, bmo#888107, bmo#880734) Miscellaneous memory safety hazards (rv:23.0 / rv:17.0.8) * MFSA 2013-66/CVE-2013-1706/CVE-2013-1707 (bmo#888314, bmo#888361) Buffer overflow in Mozilla Maintenance Service and Mozilla Updater * MFSA 2013-68/CVE-2013-1709 (bmo#848253) Document URI misrepresentation and masquerading * MFSA 2013-69/CVE-2013-1710 (bmo#871368) CRMF requests allow for code execution and XSS attacks * MFSA 2013-71/CVE-2013-1712 (bmo#859072) Further Privilege escalation through Mozilla Updater * MFSA 2013-72/CVE-2013-1713 (bmo#887098) Wrong principal used for validating URI for some Javascript components * MFSA 2013-73/CVE-2013-1714 (bmo#879787) Same-origin bypass with web workers and XMLHttpRequest * MFSA 2013-75/CVE-2013-1717 (bmo#406541) Local Java applets may read contents of local file system
Family: unix Class: patch
Reference(s): SUSE-SU-2013:1382-1
CVE-2013-1701
CVE-2013-1702
CVE-2013-1706
CVE-2013-1707
CVE-2013-1709
CVE-2013-1710
CVE-2013-1712
CVE-2013-1713
CVE-2013-1714
CVE-2013-1717
Version: 3
Platform(s): SUSE Linux Enterprise Server 10
Product(s): Mozilla Firefox
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25591
 
Oval ID: oval:org.mitre.oval:def:25591
Title: SUSE-SU-2013:1325-2 -- Security update for Mozilla Firefox
Description: This update to Firefox 17.0.8esr (bnc#833389) addresses the following issues: * MFSA 2013-63/CVE-2013-1701/CVE-2013-1702 (bmo#855331, bmo#844088, bmo#858060, bmo#870200, bmo#874974, bmo#861530, bmo#854157, bmo#893684, bmo#878703, bmo#862185, bmo#879139, bmo#888107, bmo#880734) Miscellaneous memory safety hazards (rv:23.0 / rv:17.0.8) * MFSA 2013-66/CVE-2013-1706/CVE-2013-1707 (bmo#888314, bmo#888361) Buffer overflow in Mozilla Maintenance Service and Mozilla Updater * MFSA 2013-68/CVE-2013-1709 (bmo#848253) Document URI misrepresentation and masquerading * MFSA 2013-69/CVE-2013-1710 (bmo#871368) CRMF requests allow for code execution and XSS attacks * MFSA 2013-71/CVE-2013-1712 (bmo#859072) Further Privilege escalation through Mozilla Updater * MFSA 2013-72/CVE-2013-1713 (bmo#887098) Wrong principal used for validating URI for some Javascript components * MFSA 2013-73/CVE-2013-1714 (bmo#879787) Same-origin bypass with web workers and XMLHttpRequest * MFSA 2013-75/CVE-2013-1717 (bmo#406541) Local Java applets may read contents of local file system
Family: unix Class: patch
Reference(s): SUSE-SU-2013:1325-2
CVE-2013-1701
CVE-2013-1702
CVE-2013-1706
CVE-2013-1707
CVE-2013-1709
CVE-2013-1710
CVE-2013-1712
CVE-2013-1713
CVE-2013-1714
CVE-2013-1717
Version: 5
Platform(s): SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Server 10
Product(s): Mozilla Firefox
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25646
 
Oval ID: oval:org.mitre.oval:def:25646
Title: SUSE-SU-2013:1325-1 -- Security update for Mozilla Firefox
Description: This update to Firefox 17.0.8esr (bnc#833389) addresses: * MFSA 2013-63/CVE-2013-1701/CVE-2013-1702 (bmo#855331, bmo#844088, bmo#858060, bmo#870200, bmo#874974, bmo#861530, bmo#854157, bmo#893684, bmo#878703, bmo#862185, bmo#879139, bmo#888107, bmo#880734) Miscellaneous memory safety hazards have been fixed (rv:23.0 / rv:17.0.8): * MFSA 2013-66/CVE-2013-1706/CVE-2013-1707 (bmo#888314, bmo#888361) Buffer overflow in Mozilla Maintenance Service and Mozilla Updater * MFSA 2013-68/CVE-2013-1709 (bmo#848253) Document URI misrepresentation and masquerading * MFSA 2013-69/CVE-2013-1710 (bmo#871368) CRMF requests allow for code execution and XSS attacks * MFSA 2013-71/CVE-2013-1712 (bmo#859072) Further Privilege escalation through Mozilla Updater * MFSA 2013-72/CVE-2013-1713 (bmo#887098) Wrong principal used for validating URI for some Javascript components * MFSA 2013-73/CVE-2013-1714 (bmo#879787) Same-origin bypass with web workers and XMLHttpRequest * MFSA 2013-75/CVE-2013-1717 (bmo#406541) Local Java applets may read contents of local file system
Family: unix Class: patch
Reference(s): SUSE-SU-2013:1325-1
CVE-2013-1701
CVE-2013-1702
CVE-2013-1706
CVE-2013-1707
CVE-2013-1709
CVE-2013-1710
CVE-2013-1712
CVE-2013-1713
CVE-2013-1714
CVE-2013-1717
Version: 3
Platform(s): SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Desktop 11
Product(s): Mozilla Firefox
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26541
 
Oval ID: oval:org.mitre.oval:def:26541
Title: DEPRECATED: ELSA-2013-1142 -- thunderbird security update (important)
Description: [17.0.8-5.0.1.el6_4] - Replaced thunderbird-redhat-default-prefs.js with thunderbird-oracle-default-prefs.js [17.0.8-5] - Update to 17.0.8 ESR - Added strict aliasing patch (mozbz#821502)
Family: unix Class: patch
Reference(s): ELSA-2013-1142
CVE-2013-1701
CVE-2013-1709
CVE-2013-1710
CVE-2013-1713
CVE-2013-1714
CVE-2013-1717
Version: 4
Platform(s): Oracle Linux 5
Oracle Linux 6
Product(s): thunderbird
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:27256
 
Oval ID: oval:org.mitre.oval:def:27256
Title: DEPRECATED: ELSA-2013-1140 -- firefox security update (critical)
Description: firefox [17.0.8-1.0.1.el6_4] - Add firefox-oracle-default-prefs.js and remove the corresponding Red Hat ones [17.0.8-1] - Update to 17.0.8 ESR xulrunner [17.0.8-3.0.1.el6_4] - Replaced xulrunner-redhat-default-prefs.js with xulrunner-oracle-default-prefs.js - Removed XULRUNNER_VERSION from SOURCE21 [17.0.8-3] - Update to 17.0.8 ESR Build 2 [17.0.8-2] - Added fix for rhbz#990921 - firefox does not build with required nss/nspr [17.0.8-1] - Update to 17.0.8 ESR
Family: unix Class: patch
Reference(s): ELSA-2013-1140
CVE-2013-1701
CVE-2013-1709
CVE-2013-1710
CVE-2013-1713
CVE-2013-1714
CVE-2013-1717
Version: 4
Platform(s): Oracle Linux 5
Oracle Linux 6
Product(s): firefox
xulrunner
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 336
Application 8
Application 197
Application 227
Application 8

SAINT Exploits

Description Link
Firefox crypto.generateCRMFRequest command execution More info here

ExploitDB Exploits

id Description
2014-08-19 Firefox toString console.time Privileged Javascript Injection
2013-12-24 Firefox 5.0 - 15.0.1 - __exposedProps__ XCS Code Execution

Snort® IPS/IDS

Date Description
2017-03-01 Mozilla Firefox generatecrmfrequest policy function call access attempt
RuleID : 41423 - Revision : 3 - Type : BROWSER-PLUGINS
2017-03-01 Mozilla Firefox generatecrmfrequest policy function call access attempt
RuleID : 41422 - Revision : 3 - Type : BROWSER-PLUGINS
2015-09-23 Mozilla Firefox generatecrmfrequest policy function call access attempt
RuleID : 35686 - Revision : 3 - Type : BROWSER-PLUGINS
2015-09-23 Mozilla Firefox generatecrmfrequest policy function call access attempt
RuleID : 35685 - Revision : 3 - Type : BROWSER-PLUGINS

Nessus® Vulnerability Scanner

Date Description
2014-06-13 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2013-652.nasl - Type : ACT_GATHER_INFO
2013-09-28 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201309-23.nasl - Type : ACT_GATHER_INFO
2013-08-30 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2746.nasl - Type : ACT_GATHER_INFO
2013-08-14 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_MozillaFirefox-130810.nasl - Type : ACT_GATHER_INFO
2013-08-14 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_MozillaFirefox-130809.nasl - Type : ACT_GATHER_INFO
2013-08-09 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2735.nasl - Type : ACT_GATHER_INFO
2013-08-09 Name : The remote FreeBSD host is missing one or more security-related updates.
File : freebsd_pkg_0998e79d005511e3905b0025905a4771.nasl - Type : ACT_GATHER_INFO
2013-08-08 Name : The remote Windows host contains a mail client that is potentially affected b...
File : mozilla_thunderbird_1708_esr.nasl - Type : ACT_GATHER_INFO
2013-08-08 Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-1925-1.nasl - Type : ACT_GATHER_INFO
2013-08-08 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20130807_thunderbird_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2013-08-08 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20130807_firefox_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2013-08-08 Name : The remote Windows host contains a web browser that is potentially affected b...
File : seamonkey_220.nasl - Type : ACT_GATHER_INFO
2013-08-08 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2013-1142.nasl - Type : ACT_GATHER_INFO
2013-08-08 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2013-1140.nasl - Type : ACT_GATHER_INFO
2013-08-08 Name : The remote Oracle Linux host is missing a security update.
File : oraclelinux_ELSA-2013-1142.nasl - Type : ACT_GATHER_INFO
2013-08-08 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2013-1140.nasl - Type : ACT_GATHER_INFO
2013-08-08 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2013-1140.nasl - Type : ACT_GATHER_INFO
2013-08-08 Name : The remote Windows host contains a mail client that is potentially affected b...
File : mozilla_thunderbird_1708.nasl - Type : ACT_GATHER_INFO
2013-08-08 Name : The remote Windows host contains a web browser that is potentially affected b...
File : mozilla_firefox_23.nasl - Type : ACT_GATHER_INFO
2013-08-08 Name : The remote Windows host contains a web browser that is potentially affected b...
File : mozilla_firefox_1708_esr.nasl - Type : ACT_GATHER_INFO
2013-08-08 Name : The remote Mac OS X host contains a mail client that is potentially affected ...
File : macosx_thunderbird_17_0_8_esr.nasl - Type : ACT_GATHER_INFO
2013-08-08 Name : The remote Mac OS X host contains a mail client that is potentially affected ...
File : macosx_thunderbird_17_0_8.nasl - Type : ACT_GATHER_INFO
2013-08-08 Name : The remote Mac OS X host contains a web browser that is potentially affected ...
File : macosx_firefox_23.nasl - Type : ACT_GATHER_INFO
2013-08-08 Name : The remote Mac OS X host contains a web browser that is potentially affected ...
File : macosx_firefox_17_0_8_esr.nasl - Type : ACT_GATHER_INFO
2013-08-08 Name : The remote CentOS host is missing a security update.
File : centos_RHSA-2013-1142.nasl - Type : ACT_GATHER_INFO
2013-08-07 Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-1924-1.nasl - Type : ACT_GATHER_INFO
2013-08-07 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-1924-2.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
2
Date Informations
2014-02-17 11:57:23
  • Multiple Updates
2013-08-07 21:23:17
  • Multiple Updates
2013-08-07 21:19:47
  • First insertion