The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Mozilla Suite

computer vulnerability alert CVE-2009-1836 CVE-2009-2057 CVE-2009-2059

HTTPS: information disclosure via a proxy

Synthesis of the vulnerability

When an attacker can set up a proxy between the user and an HTTPS web server, he can obtain sensitive information.
Impacted products: IE, Firefox, SeaMonkey, Mozilla Suite, openSUSE, Opera, SSL protocol, SLES.
Severity: 2/4.
Consequences: data reading.
Provenance: intranet server.
Number of vulnerabilities in this bulletin: 5.
Creation date: 18/06/2009.
Identifiers: BID-35411, BID-35412, CVE-2009-1836, CVE-2009-2057, CVE-2009-2059, CVE-2009-2061, CVE-2009-2063, CVE-2009-2064, CVE-2009-2065, CVE-2009-2067, CVE-2009-2069, CVE-2009-2070, SUSE-SR:2009:015, VIGILANCE-VUL-8806.

Description of the vulnerability

The HTTPS (HTTP+SSL) protocol is used to encrypt data between the client and the server. A proxy between the client and the server cannot obtain the content of exchanges. However, several alternate attack methods can be used by a malicious proxy to obtain information from the victim's web browser.

When the proxy generates a 4xx or 5xx error page, the JavaScript code it contains is interpreted in the context of the requested HTTPS website. This JavaScript code can thus read the content of the HTTPS web site displayed in the victim's web browser. This vulnerability is corrected in IE 8, Firefox 3.0.10 and Opera 9.25. [severity:2/4; CVE-2009-1836, CVE-2009-2057, CVE-2009-2059]

The proxy can redirect pages containing JavaScript code to a malicious site. The malicious JavaScript code is then included in the HTTPS page and interpreted in its context. This vulnerability is corrected in Firefox 3.0.10 and Opera 9.25 (IE is not vulnerable). [severity:2/4; BID-35412, CVE-2009-2061, CVE-2009-2063]

When a website allows users to load the same page over HTTP or HTTPS, the proxy can use the HTTPS page to force the victim into an SSL session, so that malicious JavaScript code can access HTTPS data. This vulnerability is not corrected yet. [severity:2/4; CVE-2009-2064, CVE-2009-2065, CVE-2009-2067]

A malicious SSL proxy can first allow an SSL session, so that the browser keeps the SSL certificate in its cache, and then return a malicious 4xx or 5xx error page. This error page is then displayed with the attributes of a secured page (lock, green/blue address bar). This vulnerability is corrected in IE 8 and Firefox 3.0.10 (Opera is not vulnerable). [severity:2/4; BID-35411, CVE-2009-2069, CVE-2009-2070]

When an HTTPS web site uses cookies without the "Secure" flag, the proxy can use an HTTP session to obtain the cookie. This vulnerability will not be corrected in web browsers: it has to be corrected by web site developers. [severity:2/4]

When an attacker owns or can set up a proxy between the user and an HTTPS web server, he can therefore obtain sensitive information.

computer vulnerability announce 8497

Firefox: new homographs

Synthesis of the vulnerability

Several homograph characters are not recognized by Firefox.
Impacted products: Firefox, SeaMonkey, Mozilla Suite.
Severity: 1/4.
Consequences: disguisement.
Provenance: internet server.
Creation date: 27/02/2009.
Identifiers: VIGILANCE-VUL-8497.

Description of the vulnerability

Some characters are very similar, such as '0' (zero) and 'O' (capital letter o). Moreover, some Unicode characters look like the slash ('/'), such as 0x2044, 0x2215 and 0x3033. Some attackers use domain names with these variations in order to convince the victim to click on a link.

Firefox contains a list of homograph characters, to ensure they are not displayed in urls.

However, several characters are missing from this list:
 - 0x66A, 0x799, 0x780, 0x9F4, 0xAEE, 0x96E, 0x2220, 0x2571 : homographs of '/'
 - 0x203D : homograph of '?'

An attacker can therefore use these characters in a url in order to deceive the victim.

computer vulnerability note CVE-2009-0652

HTTPS: man-in-the-middle attack by using http, SSLstrip

Synthesis of the vulnerability

An attacker located as a man-in-the-middle can deceive the victim into connecting to an http site instead of an https (HTTP over SSL) site.
Impacted products: IE, Firefox, SeaMonkey, Mozilla Suite, NLD, OES, openSUSE, Opera, SSL protocol, RHEL, SLES.
Severity: 2/4.
Consequences: data reading, data flow.
Provenance: internet server.
Creation date: 19/02/2009.
Identifiers: BID-33837, CVE-2009-0652, RHSA-2009:0436-02, RHSA-2009:0437-02, SUSE-SR:2009:010, VIGILANCE-VUL-8479.

Description of the vulnerability

The SSL protocol (used for "https://" urls) is designed to defeat man-in-the-middle attacks. Indeed, if the attacker is located between the client and the web server, the certificate presented to the client is not valid, and an error message is displayed in the victim's web browser.

If the attacker is located as a man-in-the-middle, he can capture "http://" sessions. The attacker can then replace all https urls by http urls created on the fly. For example, if a document contains the following link:
  https://www.example.com/auth
the attacker can replace this link by:
  http://www.example.com/auth-
When the victim clicks on this link (http://www.example.com/auth-), the attacker connects to the https server (https://www.example.com/auth) to obtain the real content of the web page, and returns this page to the client in the http session. Some victims do not notice that they are still in an http session and enter their password.

Moreover, if the attacker owns a valid wildcard certificate (*.attacker.com), he can use a homograph of the slash character (represented as "[/]" hereafter, such as 0x2044, 0x2215 or 0x3033) in order to create the following url, instead of using an http url:
  https://www.example.com[/]auth.attacker.com
In this case, an https site is used and a lock is displayed, so the attack is harder to detect.

An attacker located as a man-in-the-middle can therefore deceive the victim into connecting to an http site instead of an https (HTTP over SSL) site.
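As an added defensive check (example code written for this page, not Vigil@nce's, Firefox's or SSLstrip's own), the following flags URLs containing the slash and question-mark look-alikes listed in the homograph bulletin above and used in the "[/]" URL of this bulletin, and reports when the host a reader perceives differs from the host the browser would actually contact. The code point set is constructed from the bulletin text and is not exhaustive.

```python
import unicodedata
from urllib.parse import urlsplit

# Code points the bulletins above list as look-alikes of '/' and '?'.
# Constructed from the bulletin text for this example; this is not
# Firefox's own blocklist and is not exhaustive.
SLASH_LOOKALIKES = {
    0x2044, 0x2215, 0x3033,                   # cited in the SSLstrip bulletin
    0x066A, 0x0799, 0x0780, 0x09F4, 0x0AEE,   # reported missing from Firefox's list
    0x096E, 0x2220, 0x2571,
}
QMARK_LOOKALIKES = {0x203D}

def confusables_in(text):
    """Return (offset, code point, Unicode name) for each look-alike found in text."""
    hits = []
    for offset, ch in enumerate(text):
        cp = ord(ch)
        if cp in SLASH_LOOKALIKES or cp in QMARK_LOOKALIKES:
            hits.append((offset, cp, unicodedata.name(ch, "UNKNOWN")))
    return hits

def _host(url):
    """Host the browser would actually connect to, or None if urlsplit rejects the URL."""
    try:
        return urlsplit(url).hostname or ""
    except ValueError:  # urlsplit rejects netlocs that NFKC-normalize into '/', '?', '#', '@' or ':'
        return None

def apparent_host(url):
    """Host a reader would perceive if every slash look-alike were a real '/'."""
    cleaned = "".join("/" if ord(c) in SLASH_LOOKALIKES else c for c in url)
    return _host(cleaned)

def check_url(url):
    """Return human-readable findings for a URL; an empty list means nothing was flagged."""
    findings = [f"U+{cp:04X} ({name}) at offset {offset}"
                for offset, cp, name in confusables_in(url)]
    actual, perceived = _host(url), apparent_host(url)
    if actual is None:
        findings.append("netloc rejected by urlsplit (characters that normalize to delimiters)")
    elif actual != perceived:
        findings.append(f"perceived host {perceived!r} differs from actual host {actual!r}")
    return findings
```

Running `check_url("https://www.example.com\u2044auth.attacker.com")` (a constructed sample modelled on the "[/]" URL above) reports the FRACTION SLASH and the mismatch between the perceived host www.example.com and the host really contacted.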

vulnerability alert CVE-2004-2761

SSL: creating a fake certification authority

Synthesis of the vulnerability

An attacker with significant resources can create a fake intermediary certification authority by exploiting an MD5 collision.
Impacted products: Brocade Network Advisor, Brocade vTM, ASA, IOS by Cisco, Cisco Router, Fedora, HP Switch, Notes, IE, Windows (platform) ~ not comprehensive, Firefox, SeaMonkey, Mozilla Suite, Opera, RHEL, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Consequences: data flow.
Provenance: internet server.
Creation date: 16/01/2009.
Identifiers: 17341, BID-33065, BSA-2016-004, c05336888, CSCsw88068, CSCsw90626, CVE-2004-2761, FEDORA-2009-1276, FEDORA-2009-1291, HPSBHF03673, RHSA-2010:0837-01, RHSA-2010:0838-01, VIGILANCE-VUL-8401, VU#836068.

Description of the vulnerability

At the end of 2008 (VIGILANCE-ACTU-1377), researchers used a cluster of 200 game consoles to compute an MD5 collision and create a fake certification authority recognized by all browsers.

Here is a description of the attack:
 - The attacker chooses a Certification Authority (CA) that uses MD5 signatures (RapidSSL, FreeSSL, TC TrustCenter AG, RSA Data Security, Thawte, verisign.co.jp).
 - The attacker requests from this CA a certificate for a web site. This initial certificate is thus signed with MD5.
 - The attacker alters this certificate to transform it into an Intermediary Certification Authority (IAC) certificate, and uses an MD5 collision to ensure it has the same MD5 hash as the initial certificate, so the CA's signature remains valid for it.
 - The attacker uses the IAC to generate a web site certificate (WS).
 - The attacker sets up a malicious web site, presenting the certificates of the WS and the IAC.
 - The victim connects to the web site. His web browser contains the root certificate of the CA, which authenticates the IAC and then the WS.

No error message is displayed in the victim's browser, so the victim trusts the attacker's web site.

vulnerability alert CVE-2007-6591 CVE-2007-6592 CVE-2008-2809

Firefox, Netscape: spoofing via subjectAltName dNSName

Synthesis of the vulnerability

An attacker can create an SSL certificate using the subjectAltName:dNSName extension, for which the warning dialog will not be displayed.
Impacted products: Firefox, SeaMonkey, Mozilla Suite.
Severity: 1/4.
Consequences: data flow.
Provenance: internet server.
Number of vulnerabilities in this bulletin: 3.
Creation date: 19/11/2007.
Revision date: 20/11/2007.
Identifiers: BID-26501, CVE-2007-6590-REJECT, CVE-2007-6591, CVE-2007-6592, CVE-2008-2809, VIGILANCE-VUL-7351.

Description of the vulnerability

The subjectAltName extension family adds additional information to an X.509 certificate.

The subjectAltName:dNSName extension indicates a list of domain names. For example:
 - subjectAltName:dNSName=www.personalpage.dom
 - subjectAltName:dNSName=www.bank.dom
This certificate can thus be used for both domains.

This field can contain "*" or "*.org" in order to encompass several names. [severity:1/4]

This field is generally not displayed, which can lead the victim to accept a certificate for "www.personalpage.dom", whereas it also covers "www.bank.dom". [severity:1/4]

Moreover, browsers of the Firefox family do not associate the certificate with the origin web site. Thus, an attacker can invite the victim to accept the certificate for an unimportant web site such as "www.personalpage.dom". Then the attacker can, for example, use a DNS attack to redirect the victim to a fake "www.bank.dom" website with the same certificate. When the victim lands on this site, no message will warn him that the certificate is new. [severity:1/4]

An attacker can therefore mount phishing attacks.

computer vulnerability alert CVE-2007-5947

Firefox: Cross Site Scripting via jar

Synthesis of the vulnerability

An attacker can upload a jar archive to a public site in order to perform a Cross Site Scripting attack on this site.
Impacted products: Firefox, SeaMonkey, Mozilla Suite.
Severity: 1/4.
Consequences: client access/rights.
Provenance: internet server.
Creation date: 09/11/2007.
Identifiers: 369814, BID-26385, CVE-2007-5947, VIGILANCE-VUL-7326, VU#715737.

Description of the vulnerability

A JAR file is a ZIP archive containing required files such as HTML pages or images.

JAR uris have the following syntax:
  jar:url_to_the_archive!path_in_the_archive
For example:
  jar:http://server/file.jar!/rep/document

If an attacker can upload a JAR archive to a public server, he can invite victims to click on the following uri:
  jar:http://publicserver/attackersfile.zip!...
When Firefox opens this uri, the content of the attacker's file is opened in the context of the public server. The attacker can therefore create a Cross Site Scripting attack.

It can be noted that several document formats are ZIP-based (OpenOffice, Microsoft Office 2007, etc.) and such documents are generally allowed to be stored on a public server.

Other web browsers (IE, Opera) may also be affected by this vulnerability.

vulnerability note CVE-2007-4841

Firefox, Thunderbird: command execution via mailto, nntp, news and snews

Synthesis of the vulnerability

An attacker can use mailto, nntp, news and snews uris to execute commands under Windows.
Impacted products: Firefox, SeaMonkey, Mozilla Suite, Thunderbird.
Severity: 3/4.
Consequences: user access/rights.
Provenance: document.
Creation date: 06/09/2007.
Identifiers: BID-25543, CVE-2007-4841, VIGILANCE-VUL-7154.

Description of the vulnerability

The VIGILANCE-VUL-7009 bulletin describes a generic vulnerability affecting protocol handlers under Windows.

A new attack variant was announced. It consists of using an "unexpected uri".

An attacker can therefore create a malicious HTML page in order to execute commands with the user's privileges.

computer vulnerability announce CVE-2007-4041 CVE-2007-4042

Firefox, Netscape: command execution via mailto, nntp, news and snews

Synthesis of the vulnerability

An attacker can use mailto, nntp, news and snews uris to inject commands under Windows.
Impacted products: Debian, HP-UX, Mandriva Linux, Firefox, SeaMonkey, Mozilla Suite, Thunderbird, Slackware.
Severity: 4/4.
Consequences: user access/rights.
Provenance: internet server.
Number of vulnerabilities in this bulletin: 2.
Creation date: 25/07/2007.
Revision date: 26/07/2007.
Identifiers: 389580, BID-25053, c00771742, CERTA-2002-AVI-136, CVE-2007-4041, CVE-2007-4042, DSA-1344-1, DSA-1345-1, DSA-1346-1, HPSBUX02153, MDKSA-2007:152, SSA:2007-213-01, SSA:2007-222-04, SSRT061181, VIGILANCE-VUL-7037, VU#403150, VU#783400.

Description of the vulnerability

Firefox browser opens mailto, nntp, news and snews protocol handlers without warning the user.

When Internet Explorer 7 is installed on the system, handlers are not called in the same way if the url contains a null character (%00). For example:
 - mailto:command.bat : call the "mailto" protocol handler
 - mailto:%00command.bat : call the "bat" file type handler
When the victim clicks on the second url in Firefox, a shell command is thus automatically launched (without warning the user). This vulnerability cannot be exploited from Internet Explorer, because it refuses to open handlers whose uri contains %00.

This vulnerability is different from VIGILANCE-VUL-7009.

computer vulnerability note CVE-2007-3832 CVE-2007-4038 CVE-2007-4039

IE, Firefox: protocol handlers vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities were announced in protocol handlers available from web browsers.
Impacted products: IE, Windows 2000, Windows 2003, Windows Vista, Windows XP, Firefox, SeaMonkey, Mozilla Suite.
Severity: 1/4.
Consequences: user access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 4.
Creation date: 16/07/2007.
Revision dates: 20/07/2007, 25/07/2007.
Identifiers: BID-25021, CVE-2007-3832, CVE-2007-4038, CVE-2007-4039, CVE-2007-4040, VIGILANCE-VUL-7009, VU#786920.

Description of the vulnerability

Protocol handlers are registered in the registry. For example:
  HKEY_CLASSES_ROOT\proto
    "URL Protocol" exists to indicate it is a protocol handler
    "shell\open\command" contains:
       program_for_proto.exe "%1"

With a web browser, when the victim clicks on a uri like:
  proto://abc
the web browser executes:
       program_for_proto.exe "proto://abc"
Internet Explorer opens every protocol handler without warning the user. Firefox only opens mailto, nntp, news and snews (by default) without warning the user.

However, two types of vulnerability affect protocol handlers:
 - web browsers do not escape quotes as \" in "%1" (origin of VIGILANCE-VUL-6995, origin of VIGILANCE-VUL-7039)
 - called programs do not check the provided parameters (second origin of VIGILANCE-VUL-6995, second origin of VIGILANCE-VUL-7039, and origin of a buffer overflow in AIM)

An attacker can therefore create a malicious HTML page in order to exploit vulnerabilities of protocol handlers.

computer vulnerability CVE-2007-3656

Firefox: accessing and altering cached data

Synthesis of the vulnerability

Cached data can be reached via a redirection to a wyciwyg uri.
Impacted products: Firefox, SeaMonkey, Mozilla Suite.
Severity: 3/4.
Consequences: data reading, data creation/edition.
Provenance: document.
Creation date: 10/07/2007.
Identifiers: 387333, BID-24831, CVE-2007-3656, VIGILANCE-VUL-6975.

Description of the vulnerability

Documents cached by Firefox browser are handled via an internal uri like:
  wyciwyg://i/http://www.example.dom/
These uris are normally not accessible.

However, using an HTTP redirect, a malicious script can access cached data. An attacker can thus obtain sensitive data, alter it before it is displayed, etc.

This vulnerability, for example, permits an attacker to obtain sensitive information or to mount phishing attacks.