Vulnerabilities > CVE-2011-3649 - Information Exposure vulnerability in Mozilla Firefox and Thunderbird
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
Mozilla Firefox 7.0 and Thunderbird 7.0, when the Direct2D (aka D2D) API is used on Windows in conjunction with the Azure graphics back-end, allow remote attackers to bypass the Same Origin Policy, and obtain sensitive image data from a different domain, by inserting this data into a canvas. NOTE: this issue exists because of a CVE-2011-2986 regression.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 2 | |
| OS | 1 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Subverting Environment Variable Values The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
- Footprinting An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
- Exploiting Trust in Client (aka Make the Client Invisible) An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
- Browser Fingerprinting An attacker carefully crafts small snippets of Java Script to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via Java Script as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in Java Script and in response to the same web page request by the browser.
- Session Credential Falsification through Prediction This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
Nessus
NASL family SuSE Local Security Checks NASL id SUSE_11_4_SEAMONKEY-111130.NASL description SeaMonkey was upgraded to version 2.5 in order to fix the following security problems : dbg114-seamonkey-5487 new_updateinfo seamonkey-5487 MFSA 2011-47/CVE-2011-3648 (bmo#690225) Potential XSS against sites using Shift-JIS dbg114-seamonkey-5487 new_updateinfo seamonkey-5487 MFSA 2011-48/CVE-2011-3651/CVE-2011-3652/CVE-2011-3654 Miscellaneous memory safety hazards dbg114-seamonkey-5487 new_updateinfo seamonkey-5487 MFSA 2011-49/CVE-2011-3650 (bmo#674776) Memory corruption while profiling using Firebug dbg114-seamonkey-5487 new_updateinfo seamonkey-5487 MFSA 2011-52/CVE-2011-3655 (bmo#672182) Code execution via NoWaiverWrapper last seen 2020-06-01 modified 2020-06-02 plugin id 76024 published 2014-06-13 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/76024 title openSUSE Security Update : seamonkey (openSUSE-SU-2011:1290-1) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update seamonkey-5487. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(76024); script_version("1.5"); script_cvs_date("Date: 2019/10/25 13:36:42"); script_cve_id("CVE-2011-2372", "CVE-2011-2996", "CVE-2011-2998", "CVE-2011-2999", "CVE-2011-3000", "CVE-2011-3001", "CVE-2011-3640", "CVE-2011-3647", "CVE-2011-3648", "CVE-2011-3649", "CVE-2011-3650", "CVE-2011-3651", "CVE-2011-3652", "CVE-2011-3653", "CVE-2011-3654", "CVE-2011-3655"); script_name(english:"openSUSE Security Update : seamonkey (openSUSE-SU-2011:1290-1)"); script_summary(english:"Check for the seamonkey-5487 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "SeaMonkey was upgraded to version 2.5 in order to fix the following security problems : dbg114-seamonkey-5487 new_updateinfo seamonkey-5487 MFSA 2011-47/CVE-2011-3648 (bmo#690225) Potential XSS against sites using Shift-JIS dbg114-seamonkey-5487 new_updateinfo seamonkey-5487 MFSA 2011-48/CVE-2011-3651/CVE-2011-3652/CVE-2011-3654 Miscellaneous memory safety hazards dbg114-seamonkey-5487 new_updateinfo seamonkey-5487 MFSA 2011-49/CVE-2011-3650 (bmo#674776) Memory corruption while profiling using Firebug dbg114-seamonkey-5487 new_updateinfo seamonkey-5487 MFSA 2011-52/CVE-2011-3655 (bmo#672182) Code execution via NoWaiverWrapper" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=728520" ); script_set_attribute( attribute:"see_also", value:"https://lists.opensuse.org/opensuse-updates/2011-12/msg00000.html" ); script_set_attribute( attribute:"solution", value:"Update the affected seamonkey packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:seamonkey"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:seamonkey-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:seamonkey-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:seamonkey-dom-inspector"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:seamonkey-irc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:seamonkey-translations-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:seamonkey-translations-other"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:seamonkey-venkman"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.4"); script_set_attribute(attribute:"patch_publication_date", value:"2011/11/30"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/13"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE11\.4)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.4", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE11.4", reference:"seamonkey-2.5-0.2.1") ) flag++; if ( rpm_check(release:"SUSE11.4", reference:"seamonkey-debuginfo-2.5-0.2.1") ) flag++; if ( rpm_check(release:"SUSE11.4", reference:"seamonkey-debugsource-2.5-0.2.1") ) flag++; if ( rpm_check(release:"SUSE11.4", reference:"seamonkey-dom-inspector-2.5-0.2.1") ) flag++; if ( rpm_check(release:"SUSE11.4", reference:"seamonkey-irc-2.5-0.2.1") ) flag++; if ( rpm_check(release:"SUSE11.4", reference:"seamonkey-translations-common-2.5-0.2.1") ) flag++; if ( rpm_check(release:"SUSE11.4", reference:"seamonkey-translations-other-2.5-0.2.1") ) flag++; if ( rpm_check(release:"SUSE11.4", reference:"seamonkey-venkman-2.5-0.2.1") ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "seamonkey / seamonkey-dom-inspector / seamonkey-irc / etc"); }NASL family Windows NASL id MOZILLA_THUNDERBIRD_80.NASL description The installed version of Thunderbird is earlier than 8.0 and thus, is potentially affected by the following security issues : - Certain invalid sequences are not handled properly in last seen 2020-06-01 modified 2020-06-02 plugin id 56753 published 2011-11-09 reporter This script is Copyright (C) 2011-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/56753 title Mozilla Thunderbird < 8.0 Multiple Vulnerabilities NASL family SuSE Local Security Checks NASL id SUSE_MOZILLA-NSS-7842.NASL description This update to version 3.13.1 of mozilla-nss fixes the following issues : - Explicitly distrust DigiCert Sdn. Bhd (bmo#698753) - Better SHA-224 support (bmo#647706) - Fix a regression (causing hangs in some situations) introduced in 3.13 (bmo#693228) - SSL 2.0 is disabled by default - A defense against the SSL 3.0 and TLS 1.0 CBC chosen plaintext attack demonstrated by Rizzo and Duong (CVE-2011-3389) has been enabled by default. Set the SSL_CBC_RANDOM_IV SSL option to PR_FALSE to disable it. - Support SHA-224 - Add PORT_ErrorToString and PORT_ErrorToName to return the error message and symbolic name of an NSS error code - Add NSS_GetVersion to return the NSS version string - Add experimental support of RSA-PSS to the softoken only - NSS_NoDB_Init does not try to open /pkcs11.txt and /secmod.db anymore (bmo#641052) last seen 2020-06-01 modified 2020-06-02 plugin id 57226 published 2011-12-13 reporter This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/57226 title SuSE 10 Security Update : mozilla-nss (ZYPP Patch Number 7842) (BEAST) NASL family Windows NASL id MOZILLA_FIREFOX_80.NASL description The installed version of Firefox is earlier than 8.0 and thus, is potentially affected by the following security issues : - Certain invalid sequences are not handled properly in last seen 2020-06-01 modified 2020-06-02 plugin id 56751 published 2011-11-09 reporter This script is Copyright (C) 2011-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/56751 title Firefox < 8.0 Multiple Vulnerabilities NASL family SuSE Local Security Checks NASL id OPENSUSE-2011-9.NASL description Mozilla Firefox and Thunderbird were updated to version 8.0 which fixes several security vulnerabilities : - MFSA 2011-52 - Code execution via NoWaiverWrapper (CVE-2011-3655) - MFSA 2011-51 - Cross-origin image theft on Mac with integrated Intel GPU (CVE-2011-3653) - MFSA 2011-50 - Cross-origin data theft using canvas and Windows D2D (CVE-2011-3649) - MFSA 2011-49 - Memory corruption while profiling using Firebug (CVE-2011-3650) - MFSA 2011-48 - Miscellaneous memory safety hazards (rv:8.0) (CVE-2011-3651, CVE-2011-3652, CVE-2011-3654) - MFSA 2011-47 - Potential XSS against sites using Shift-JIS (CVE-2011-3648) last seen 2020-06-01 modified 2020-06-02 plugin id 74542 published 2014-06-13 reporter This script is Copyright (C) 2014-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/74542 title openSUSE Security Update : firefox / thunderbird (openSUSE-2011-9) NASL family SuSE Local Security Checks NASL id SUSE_11_MOZILLAFIREFOX-111114.NASL description Mozilla Firefox has been updated to version 1.9.2.24 (bnc#728520) to fix the following security issues : - (bmo#680880) loadSubScript unwraps XPCNativeWrapper scope parameter. (MFSA 2011-46 / CVE-2011-3647) - (bmo#690225) Potential XSS against sites using Shift-JIS. (MFSA 2011-47 / CVE-2011-3648) - (bmo#674776) Memory corruption while profiling using Firebug. (MFSA 2011-49 / CVE-2011-3650) last seen 2020-06-01 modified 2020-06-02 plugin id 57084 published 2011-12-13 reporter This script is Copyright (C) 2011-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/57084 title SuSE 11.1 Security Update : Mozilla Firefox (SAT Patch Number 5429) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201301-01.NASL description The remote host is affected by the vulnerability described in GLSA-201301-01 (Mozilla Products: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Mozilla Firefox, Thunderbird, SeaMonkey, NSS, GNU IceCat, and XULRunner. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could entice a user to view a specially crafted web page or email, possibly resulting in execution of arbitrary code or a Denial of Service condition. Furthermore, a remote attacker may be able to perform Man-in-the-Middle attacks, obtain sensitive information, bypass restrictions and protection mechanisms, force file downloads, conduct XML injection attacks, conduct XSS attacks, bypass the Same Origin Policy, spoof URL’s for phishing attacks, trigger a vertical scroll, spoof the location bar, spoof an SSL indicator, modify the browser’s font, conduct clickjacking attacks, or have other unspecified impact. A local attacker could gain escalated privileges, obtain sensitive information, or replace an arbitrary downloaded file. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 63402 published 2013-01-08 reporter This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/63402 title GLSA-201301-01 : Mozilla Products: Multiple vulnerabilities (BEAST) NASL family SuSE Local Security Checks NASL id SUSE_11_3_SEAMONKEY-111130.NASL description SeaMonkey was upgraded to version 2.5 in order to fix the following security problems : - MFSA 2011-47/CVE-2011-3648 (bmo#690225) Potential XSS against sites using Shift-JIS - MFSA 2011-48/CVE-2011-3651/CVE-2011-3652/CVE-2011-3654 Miscellaneous memory safety hazards - MFSA 2011-49/CVE-2011-3650 (bmo#674776) Memory corruption while profiling using Firebug - MFSA 2011-52/CVE-2011-3655 (bmo#672182) Code execution via NoWaiverWrapper last seen 2020-06-01 modified 2020-06-02 plugin id 75743 published 2014-06-13 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/75743 title openSUSE Security Update : seamonkey (openSUSE-SU-2011:1290-1) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_6C8AD3E80A3011E195804061862B8C22.NASL description The Mozilla Project reports : MFSA 2011-46 loadSubScript unwraps XPCNativeWrapper scope parameter (1.9.2 branch) MFSA 2011-47 Potential XSS against sites using Shift-JIS MFSA 2011-48 Miscellaneous memory safety hazards (rv:8.0) MFSA 2011-49 Memory corruption while profiling using Firebug MFSA 2011-50 Cross-origin data theft using canvas and Windows D2D MFSA 2011-51 Cross-origin image theft on Mac with integrated Intel GPU MFSA 2011-52 Code execution via NoWaiverWrapper last seen 2020-06-01 modified 2020-06-02 plugin id 56762 published 2011-11-10 reporter This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/56762 title FreeBSD : mozilla -- multiple vulnerabilities (6c8ad3e8-0a30-11e1-9580-4061862b8c22)
Oval
| accepted | 2014-10-06T04:01:02.608-04:00 | ||||||||||||||||||||||||||||||||||||||||
| class | vulnerability | ||||||||||||||||||||||||||||||||||||||||
| contributors |
| ||||||||||||||||||||||||||||||||||||||||
| definition_extensions |
| ||||||||||||||||||||||||||||||||||||||||
| description | Mozilla Firefox 7.0 and Thunderbird 7.0, when the Direct2D (aka D2D) API is used on Windows in conjunction with the Azure graphics back-end, allow remote attackers to bypass the Same Origin Policy, and obtain sensitive image data from a different domain, by inserting this data into a canvas. NOTE: this issue exists because of a CVE-2011-2986 regression. | ||||||||||||||||||||||||||||||||||||||||
| family | windows | ||||||||||||||||||||||||||||||||||||||||
| id | oval:org.mitre.oval:def:14025 | ||||||||||||||||||||||||||||||||||||||||
| status | accepted | ||||||||||||||||||||||||||||||||||||||||
| submitted | 2011-11-25T18:27:12.000-05:00 | ||||||||||||||||||||||||||||||||||||||||
| title | Mozilla Firefox 7.0 and Thunderbird 7.0, when the Direct2D (aka D2D) API is used on Windows in conjunction with the Azure graphics back-end, allow remote attackers to bypass the Same Origin Policy, and obtain sensitive image data from a different domain, by inserting this data into a canvas. NOTE: this issue exists because of a CVE-2011-2986 regression. | ||||||||||||||||||||||||||||||||||||||||
| version | 32 |
References
- https://bugzilla.mozilla.org/show_bug.cgi?id=655836
- http://www.mozilla.org/security/announce/2011/mfsa2011-50.html
- http://lists.opensuse.org/opensuse-security-announce/2011-11/msg00020.html
- http://www.securityfocus.com/bid/50591
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14025