Date: Wed, 15 Sep 2004 15:15:51 +0200
From: =?ISO-8859-1?Q?Ga=EBl?= Delalleau <[email protected]>
To: [email protected]Subject: New Mozilla, Firefox and Thunderbird releases fix critical security issues
(This is not an official Mozilla advisory. My goal here is to bring
awareness about these issues to the users of Mozilla-based products, and
to provide some links to more detailed technical information about the
security bugs I found.)
Overview
--------
Firefox Preview Release, Thunderbird 0.8, and Mozilla 1.7.3 are
available for download at www.mozilla.org since Sept 13 and 14. These
releases fix 7 critical security issues, detailed on the "Known
Vulnerabilities in Mozilla" page:
http://www.mozilla.org/projects/security/known-vulnerabilities.html
Three of these issues are rated at maximum level "Severity: Critical"
and "Risk: High":
* Non-ascii hostname heap overrun (reported by Mats Palmgren, Ga=EBl
Delalleau)
A link with a non-ascii hostname can cause a heap buffer overrun that
could potentially be exploited to run arbitrary code.
* BMP integer overflow (reported by Ga=EBl Delalleau)
Extremely wide BMP images trigger an integer overflow, leading to
heap overruns that are potentially exploitable to run arbitrary code.
* Buffer overflow when displaying VCard (reported by Georgi Guninski)
A stack buffer overrun in VCard display routines could be exploited
to run arbitrary code supplied by the attacker.
Technical information about the security bugs I reported
--------------------------------------------------------
These are some links to my original source code audit reports. I audited
parts of the Mozilla 1.7.2 C++ source code tree during my free time, in
an attempt to promote and participate to the Mozilla Security Bug Bounty
Program.
* Arbitrary code execution while parsing a malformed .BMP image
http://www.zencomsec.com/advisories/mozilla-1.7.2-BMP.txt
* Out of bounds writes in the POP3 protocol handler allows for arbitrary
code execution
http://www.zencomsec.com/advisories/mozilla-1.7.2-POP3.txt
* Non-ascii hostname heap overrun
http://www.zencomsec.com/advisories/mozilla-1.7.2-UTF8link.txt
Other products at risk?
-----------------------
Although not 100% verified, it is very likely some of these critical
security bugs are also exploitable in other products based on Mozilla,
like Netscape 7 and Galeon.
Users of such products should ask vendors for a patch, and meanwhile
apply the workarounds described on the "Known Vulnerabilities in
Mozilla" page.
Ga=EBl Delalleau
Zencom Secure Solutions=20
71 avenue d'Italie
75013 PARIS - FRANCE
