-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 iDefense Security Advisory 10.28.09 http://labs.idefense.com/intelligence/vulnerabilities/ Oct 28, 2009 I. BACKGROUND Firefox is the Mozilla Foundation's open source internet web browser. Among the browser's capabilities is the display of GIF images. GIF is a widely used image format with features such as loss-less compression, animation and color palettes. For more information, visit the URLs shown below. http://www.mozilla.com/firefox/ http://en.wikipedia.org/wiki/Graphics_Interchange_Format II. DESCRIPTION Remote exploitation of a buffer overflow in the Mozilla Foundation's libpr0n image processing library allows attackers to execute arbitrary code. The libpr0n GIF parser was designed using a state machine which is represented as a series of switch/case statements. One particularly interesting state, 'gif_image_header', is responsible for interpreting a single image/frame description record. A single GIF file may contain many images, each with a different color map associated. The problem lies in the handling of changes to the color map of subsequent images in a multiple-image GIF file. Memory reallocation is not managed correctly and can result in an exploitable heap overflow condition. III. ANALYSIS Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the user running the vulnerable application. To exploit this vulnerability, a targeted user must load a malicious Web page created by an attacker. An attacker typically accomplishes this via social engineering or injecting content into compromised, trusted sites. IV. DETECTION iDefense confirmed the existence of this vulnerability using Mozilla Firefox versions 3.0.13 and 3.5.2 on 32-bit Windows XP SP3. Other versions, and potentially other applications using libpr0n, are suspected to be vulnerable. V. WORKAROUND Although it is not widely viewed as a viable workaround, disabling automatic image loading can prevent exploitation of this vulnerability. The following steps explains how to disable this setting on Firefox 3.0.x. 1. From the "Tools" menu, select "Options" 2. Navigate to the "Content" settings. 3. Ensure that "Load images automatically" is not checked. VI. VENDOR RESPONSE Mozilla has released a patch which fixes this issue in Firefox 3.5.4, Firefox 3.0.15, and SeaMonkey 2.0. Information about downloadable vendor updates can be found by clicking on the URL shown. http://www.mozilla.com/en-US/firefox/ie.html VII. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2009-3373 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems. VIII. DISCLOSURE TIMELINE 08/20/2009 - Initial Vendor Notification 10/27/2009 - Vendor Public Disclosure 10/28/2009 - iDefense Public Disclosure IX. CREDIT This vulnerability was reported to iDefense by regenrecht. Get paid for vulnerability research http://labs.idefense.com/methodology/vulnerability/vcp.php Free tools, research and upcoming events http://labs.idefense.com/ X. LEGAL NOTICES Copyright © 2009 iDefense, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerservice@xxxxxxxxxxxx for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iD8DBQFK6J6Ybjs6HoxIfBkRAn01AKDDafS/+W3ifh/UXOfAMQgGpk/YGgCfc0Uo 4FncE3T7P7SeNFaDcuNg3G8= =/3we -----END PGP SIGNATURE-----
