Security update for Mozilla Firefox (important)

MozillaFirefox was updated to the 10.0.9ESR security
release which fixes bugs and security issues:

MFSA 2012-73 / CVE-2012-3977: Security researchers
Thai Duong and Juliano Rizzo reported that SPDY’s request
header compression leads to information leakage, which can
allow the extraction of private data such as session
cookies, even over an encrypted SSL connection. (This does
not affect Firefox 10 as it does not feature the SPDY
extension. It was silently fixed for Firefox 15.)

MFSA 2012-74: Mozilla developers identified and fixed
several memory safety bugs in the browser engine used in
Firefox and other Mozilla-based products. Some of these
bugs showed evidence of memory corruption under certain
circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary
code.

In general these flaws cannot be exploited through
email in the Thunderbird and SeaMonkey products because
scripting is disabled, but are potentially a risk in
browser or browser-like contexts in those products.

CVE-2012-3983: Henrik Skupin, Jesse Ruderman and
moz_bug_r_a4 reported memory safety problems and crashes
that affect Firefox 15.

CVE-2012-3982: Christian Holler and Jesse Ruderman
reported memory safety problems and crashes that affect
Firefox ESR 10 and Firefox 15.

MFSA 2012-75 / CVE-2012-3984: Security researcher
David Bloom of Cue discovered that "select" elements are
always-on-top chromeless windows and that navigation away
from a page with an active "select" menu does not remove
this window.When another menu is opened programmatically on
a new page, the original "select" menu can be retained and
arbitrary HTML content within it rendered, allowing an
attacker to cover arbitrary portions of the new page
through absolute positioning/scrolling, leading to spoofing
attacks. Security researcher Jordi Chancel found a
variation that would allow for click-jacking attacks was
well.

In general these flaws cannot be exploited through
email in the Thunderbird and SeaMonkey products because
scripting is disabled, but are potentially a risk in
browser or browser-like contexts in those products.
References

Navigation away from a page with an active "select"
dropdown menu can be used for URL spoofing, other evil

Firefox 10.0.1 : Navigation away from a page with
multiple active "select" dropdown menu can be used for
Spoofing And ClickJacking with XPI using window.open and
geolocalisation

MFSA 2012-76 / CVE-2012-3985: Security researcher
Collin Jackson reported a violation of the HTML5
specifications for document.domain behavior. Specified
behavior requires pages to only have access to windows in a
new document.domain but the observed violation allowed
pages to retain access to windows from the page’s initial
origin in addition to the new document.domain. This could
potentially lead to cross-site scripting (XSS) attacks.

MFSA 2012-77 / CVE-2012-3986: Mozilla developer
Johnny Stenback discovered that several methods of a
feature used for testing (DOMWindowUtils) are not protected
by existing security checks, allowing these methods to be
called through script by web pages. This was addressed by
adding the existing security checks to these methods.

MFSA 2012-78 / CVE-2012-3987: Security researcher
Warren He reported that when a page is transitioned into
Reader Mode in Firefox for Android, the resulting page has
chrome privileges and its content is not thoroughly
sanitized. A successful attack requires user enabling of
reader mode for a malicious page, which could then perform
an attack similar to cross-site scripting (XSS) to gain the
privileges allowed to Firefox on an Android device. This
has been fixed by changing the Reader Mode page into an
unprivileged page.

This vulnerability only affects Firefox for Android.

MFSA 2012-79 / CVE-2012-3988: Security researcher
Soroush Dalili reported that a combination of invoking full
screen mode and navigating backwards in history could, in
some circumstances, cause a hang or crash due to a timing
dependent use-after-free pointer reference. This crash may
be potentially exploitable.

MFSA 2012-80 / CVE-2012-3989: Mozilla community
member Ms2ger reported a crash due to an invalid cast when
using the instanceof operator on certain types of
JavaScript objects. This can lead to a potentially
exploitable crash.

MFSA 2012-81 / CVE-2012-3991: Mozilla community
member Alice White reported that when the GetProperty
function is invoked through JSAPI, security checking can be
bypassed when getting cross-origin properties. This
potentially allowed for arbitrary code execution.

MFSA 2012-82 / CVE-2012-3994: Security researcher
Mariusz Mlynski reported that the location property can be
accessed by binary plugins through top.location and top can
be shadowed by Object.defineProperty as well. This can
allow for possible cross-site scripting (XSS) attacks
through plugins.

MFSA 2012-83: Security researcher Mariusz Mlynski
reported that when InstallTrigger fails, it throws an error
wrapped in a Chrome Object Wrapper (COW) that fails to
specify exposed properties. These can then be added to the
resulting object by an attacker, allowing access to chrome
privileged functions through script.

While investigating this issue, Mozilla security
researcher moz_bug_r_a4 found that COW did not disallow
accessing of properties from a standard prototype in some
situations, even when the original issue had been fixed.

These issues could allow for a cross-site scripting
(XSS) attack or arbitrary code execution.

CVE-2012-3993: XrayWrapper pollution via unsafe COW

CVE-2012-4184: ChromeObjectWrapper is not implemented
as intended

MFSA 2012-84 / CVE-2012-3992: Security researcher
Mariusz Mlynski reported an issue with spoofing of the
location property. In this issue, writes to location.hash
can be used in concert with scripted history navigation to
cause a specific website to be loaded into the history
object. The baseURI can then be changed to this stored
site, allowing an attacker to inject a script or intercept
posted data posted to a location specified with a relative
path.

MFSA 2012-85: Security researcher Abhishek Arya
(Inferno) of the Google Chrome Security Team discovered a
series of use-after-free, buffer overflow, and out of
bounds read issues using the Address Sanitizer tool in
shipped software. These issues are potentially exploitable,
allowing for remote code execution. We would also like to
thank Abhishek for reporting two additional use-after-free
flaws introduced during Firefox 16 development and fixed
before general release.

CVE-2012-3995: Out of bounds read in
IsCSSWordSpacingSpace

CVE-2012-4179: Heap-use-after-free in
nsHTMLCSSUtils::CreateCSSPropertyTxn

CVE-2012-4180: Heap-buffer-overflow in
nsHTMLEditor::IsPrevCharInNodeWhitespace

CVE-2012-4181: Heap-use-after-free in
nsSMILAnimationController::DoSample

CVE-2012-4182: Heap-use-after-free in
nsTextEditRules::WillInsert

CVE-2012-4183: Heap-use-after-free in
DOMSVGTests::GetRequiredFeatures

MFSA 2012-86: Security researcher Atte Kettunen from
OUSPG reported several heap memory corruption issues found
using the Address Sanitizer tool. These issues are
potentially exploitable, allowing for remote code execution.

CVE-2012-4185: Global-buffer-overflow in
nsCharTraits::length

CVE-2012-4186: Heap-buffer-overflow in
nsWaveReader::DecodeAudioData

CVE-2012-4187: Crash with ASSERTION: insPos too small

CVE-2012-4188: Heap-buffer-overflow in Convolve3x3

MFSA 2012-87 / CVE-2012-3990: Security researcher
miaubiz used the Address Sanitizer tool to discover a
use-after-free in the IME State Manager code. This could
lead to a potentially exploitable crash.

MFSA 2012-89 / CVE-2012-4192 / CVE-2012-4193: Mozilla
security researcher moz_bug_r_a4 reported a regression
where security wrappers are unwrapped without doing a
security check in defaultValue(). This can allow for
improper access access to the Location object. In versions
15 and earlier of affected products, there was also the
potential for arbitrary code execution.