Executive Summary

Summary
Title Mozilla Firefox 3.5 TraceMonkey JavaScript engine uninitialized memory vulnerability
Information
Name: VU#443060
Vendor: VU-CERT
Severity (Vendor): N/A
First vendor Publication: 2009-07-14
Last vendor Modification: 2009-07-17
Revision: M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact Sub Score: NA
Temporal Score: NA
Exploitability Sub Score: NA

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score: 9.3
Cvss Impact Score: 10
Cvss Exploit Score: 8.6
Attack Range: Network
Attack Complexity: Medium
Authentication: None Required

Detail

Vulnerability Note VU#443060

Mozilla Firefox 3.5 TraceMonkey JavaScript engine uninitialized memory vulnerability

Overview

Mozilla Firefox's JavaScript engine contains a vulnerability that may allow an attacker to execute code.

I. Description

Mozilla Firefox version 3.5 contains a vulnerability in the TraceMonkey component of Firefox's JavaScript engine.

Per Mozilla Bug 503286:
"This is a JS engine bug dealing with deep bailing not properly restoring the return value from the result of the (fast native) escape function. We then try to do something with the uninitialized memory and crash in the interpreter."

Note that proof-of-concept code that demonstrates this issue is publicly available.

II. Impact

A remote, unauthenticated attacker may be able to execute arbitrary code or cause Firefox to crash.

III. Solution

Firefox 3.5.1 has been released to address this issue. See Mozilla Foundation Security Advisory 2009-41 for more information. Until updates can be applied, the workarounds below may mitigate this issue.

Disable TraceMonkey

To disable the vulnerable component, use the about:config interface to set both javascript.options.jit.content and javascript.options.jit.chrome to false. JavaScript will still run, but the TraceMonkey just-in-time compilation that provides its performance enhancements will be disabled.
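As an added example that is not part of the CERT note, the following Python check parses a Firefox profile's prefs.js or user.js and reports whether both TraceMonkey preferences named above are explicitly set to false, so an administrator can verify the workaround across profiles rather than trusting about:config by eye. The profile fragments are constructed samples; absent preferences are reported as missing rather than assumed to hold any default.

```python
import re

# Preferences named in the CERT workaround; both must be false to disable TraceMonkey.
TRACEMONKEY_PREFS = ("javascript.options.jit.content", "javascript.options.jit.chrome")

# Matches lines like: user_pref("javascript.options.jit.content", false);
_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(true|false|-?\d+|"[^"]*")\);')

def parse_prefs(text):
    """Return a dict of preference name -> parsed value from prefs.js/user.js text.
    Later assignments override earlier ones, as Firefox applies them in order."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines and unrelated syntax are skipped
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)
    return prefs

def tracemonkey_disabled(prefs):
    """True only if both JIT prefs are explicitly set to false. An absent pref
    means Firefox's built-in default applies, which this check does not assume."""
    return all(prefs.get(p) is False for p in TRACEMONKEY_PREFS)

def report(text):
    """Summarise the workaround state of one profile file's contents."""
    prefs = parse_prefs(text)
    missing = [p for p in TRACEMONKEY_PREFS if p not in prefs]
    enabled = [p for p in TRACEMONKEY_PREFS if prefs.get(p) is True]
    return {"mitigated": tracemonkey_disabled(prefs), "missing": missing, "enabled": enabled}

# Constructed sample profile fragments (not real captured files).
MITIGATED = '''# Mozilla User Preferences
user_pref("javascript.options.jit.content", false);
user_pref("javascript.options.jit.chrome", false);
user_pref("browser.startup.homepage", "about:blank");
'''
PARTIAL = '''user_pref("javascript.options.jit.content", true);
user_pref("javascript.options.jit.chrome", false);
'''

if __name__ == "__main__":
    for label, sample in (("mitigated", MITIGATED), ("partial", PARTIAL)):
        print(label, report(sample))
```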

Use NoScript

Using the Mozilla Firefox NoScript extension to whitelist web sites that can run scripts will help to mitigate this vulnerability. Further details for configuring NoScript are available in the Securing Your Web Browser document.

Disable JavaScript

For instructions on how to disable JavaScript in Firefox, please refer to the Firefox section of the Securing Your Web Browser document.

Systems Affected

Vendor: Mozilla
Status: Vulnerable
Date Notified: 2009-07-14
Date Updated: (not given)

References
http://www.mozilla.org/security/announce/2009/mfsa2009-41.html
http://blog.mozilla.com/security/2009/07/14/critical-javascript-vulnerability-in-firefox-35/
https://bugzilla.mozilla.org/show_bug.cgi?id=503286
http://milw0rm.com/exploits/9137
http://kb.mozillazine.org/Firefox_:_FAQs_:_About:config_Entries
http://voices.washingtonpost.com/securityfix/2009/07/stopgap_fix_for_critical_firef.html?wprss=securityfix

Credit

Information from zbyte, Mozilla, and other sources was used in this report.

This document was written by Ryan Giobbi.

Other Information

Date Public:2009-07-09
Date First Published:2009-07-14
Date Last Updated:2009-07-17
CERT Advisory: 
CVE-ID(s): 
NVD-ID(s): 
US-CERT Technical Alerts: 
Metric:40.50
Document Revision:21

Original Source

Url : http://www.kb.cert.org/vuls/id/443060

CWE : Common Weakness Enumeration

%     Id      Name
100 % CWE-94  Failure to Control Generation of Code ('Code Injection')

CPE : Common Platform Enumeration

Type         Description   Count
Application                1

SAINT Exploits

Description
Mozilla Firefox JIT Escape Function Memory Corruption

OpenVAS Exploits

Date Description
2009-07-29 Name : Fedora Core 11 FEDORA-2009-7898 (firefox)
File : nvt/fcore_2009_7898.nasl
2009-07-29 Name : FreeBSD Ports: firefox35
File : nvt/freebsd_firefox350.nasl
2009-07-17 Name : Mozilla Firefox JavaScript Compiler Code Execution Vulnerability (Linux)
File : nvt/gb_firefox_js_compiler_code_exec_vuln_lin.nasl
2009-07-17 Name : Mozilla Firefox JavaScript Compiler Code Execution Vulnerability (Win)
File : nvt/gb_firefox_js_compiler_code_exec_vuln_win.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
55846 Mozilla Firefox Just-in-time (JIT) JavaScript Compiler js/src/jstracer.cpp fo...

A memory corruption flaw exists in Firefox. The Just-in-Time (JIT) compiler can enter a corrupt state following native function calls resulting in memory corruption. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.

Snort® IPS/IDS

Date Description
2014-01-10 Possible generic javascript heap spray attempt
RuleID : 20137 - Revision : 12 - Type : INDICATOR-OBFUSCATION
2014-01-10 Possible generic javascript heap spray attempt
RuleID : 18168 - Revision : 14 - Type : INDICATOR-SHELLCODE
2014-01-10 Possible generic javascript heap spray attempt
RuleID : 18167 - Revision : 14 - Type : INDICATOR-SHELLCODE
2014-01-10 Mozilla Firefox JIT escape function memory corruption attempt
RuleID : 15997 - Revision : 11 - Type : BROWSER-FIREFOX
2014-01-10 Possible generic javascript heap spray attempt
RuleID : 15698 - Revision : 15 - Type : INDICATOR-SHELLCODE
2014-01-10 Mozilla Firefox 3.5 TraceMonkey JavaScript engine uninitialized memory corrup...
RuleID : 15696 - Revision : 4 - Type : SPECIFIC-THREATS

Nessus® Vulnerability Scanner

Date Description
2013-01-08 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201301-01.nasl - Type : ACT_GATHER_INFO
2009-07-23 Name : The remote Fedora host is missing one or more security updates.
File : fedora_2009-7898.nasl - Type : ACT_GATHER_INFO
2009-07-20 Name : The remote FreeBSD host is missing a security-related update.
File : freebsd_pkg_c1ef9b3372a611de82ea0030843d3802.nasl - Type : ACT_GATHER_INFO
2009-07-17 Name : The remote Windows host contains a web browser that is affected by multiple f...
File : mozilla_firefox_351.nasl - Type : ACT_GATHER_INFO

Alert History

Date Information
2014-02-17 12:07:51
  • Multiple Updates
2014-01-19 21:31:03
  • Multiple Updates