Mozilla Unicode URL Stack Overflow

Notification Type: IBM Internet Security Systems Protection Advisory
Notification Date: September 24, 2008
Notification Version: 1.0
   
Name: Mozilla Unicode URL Stack Overflow
Public disclosure/In the wild date: September 23, 2008 (vuln disclosure)
Aliases: Mozilla Foundation Security Advisory 2008-37
CVE: CVE-2008-0016

Description:

Multiple Mozilla products are vulnerable to a stack buffer overflow allowing remote code execution by enticing a user to click on a specially-crafted URL.

Discoverer: Justin Schuh and Tom Cross of the IBM X-Force and Peter Williams of IBM Watson Labs

 

ISS Coverage

Product: Proventia Network IDS, Proventia Network IPS, Proventia Network MFS, Proventia Server (Linux), RealSecure Network, RealSecure Server Sensor
Content Version: 28.060

Product: Proventia Desktop, Proventia Server IPS (Windows)
Content Version: 2200

Propagation Techniques: remote exploit
ISS Protection: HTML_URL_Unicode_Stack_Overflow
Available: May 13, 2008

Detailed Description

Business Impact:

Compromise of machines using affected versions of Firefox or other Mozilla-based applications may lead to exposure of confidential information, loss of productivity, and further compromise. To perform a successful attack, an attacker must cause the victim to browse to a malicious web page, click a link in a malicious email, or perform a similar operation. Successful exploitation grants an attacker the privileges of the victim.

Although Firefox is one of the most popular browsers in use today, one mitigating factor is that this vulnerability does not affect the 3.x version of Mozilla Firefox, the most recent major version. A joint study between IBM and Google estimated that over 80% of all Mozilla Firefox users have the most recent version and update within three days of new version releases. Firefox 3.0 was released on June 17, 2008.

CVSS (for XFID 25840-25843):
Base Score: 9.3
  Access Vector: Network
  Access Complexity: Medium
  Authentication: None
  Confidentiality Impact: Complete
  Integrity Impact: Complete
  Availability Impact: Complete
Adjusted Temporal Score: 6.9
  Exploitability: Unproven
  Remediation Level: Official-Fix
  Report Confidence: Confirmed
Affected Products: Mozilla Firefox and Mozilla SeaMonkey.  See references for details.
Technical Description: Multiple Mozilla products are vulnerable to a stack-based buffer overflow, caused by improper bounds checking of Unicode characters in a URL. A remote attacker could overflow a buffer and execute arbitrary code on the system with the privileges of the victim.
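
The defect class described above, shown from the defensive side as an added example (not Mozilla's or IBM's code, and not the affected routine): a UTF-16 to UTF-8 encoder that checks remaining capacity before every write, so a destination sized on a one- or two-byte-per-character assumption is rejected instead of overrun. The encoding direction, function names and sample string are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical helper: a BMP code unit can expand to 3 UTF-8 bytes, so
   3 * units is the safe upper bound (a surrogate pair is 2 units -> 4). */
size_t utf8_worst_case(size_t units) { return units * 3; }

/* Constructed sample: "h", U+20AC, U+4E2D, U+1F600 (as a surrogate pair). */
static const uint16_t SAMPLE[] = { 'h', 0x20AC, 0x4E2D, 0xD83D, 0xDE00 };

/* Encode src[0..n) into dst[0..cap). Returns bytes written, or -1 if the
   output would not fit or a surrogate is unpaired. Never writes past cap. */
long utf16_to_utf8_bounded(const uint16_t *src, size_t n,
                           unsigned char *dst, size_t cap)
{
    size_t out = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t cp = src[i];
        if (cp >= 0xD800 && cp <= 0xDBFF) {            /* high surrogate */
            if (i + 1 >= n || src[i + 1] < 0xDC00 || src[i + 1] > 0xDFFF)
                return -1;
            cp = 0x10000 + ((cp - 0xD800) << 10) + (src[++i] - 0xDC00);
        } else if (cp >= 0xDC00 && cp <= 0xDFFF) {     /* stray low surrogate */
            return -1;
        }
        size_t need = cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
        if (need > cap - out)          /* bounds check precedes every write */
            return -1;
        if (need == 1) {
            dst[out++] = (unsigned char)cp;
        } else if (need == 2) {
            dst[out++] = (unsigned char)(0xC0 | (cp >> 6));
            dst[out++] = (unsigned char)(0x80 | (cp & 0x3F));
        } else if (need == 3) {
            dst[out++] = (unsigned char)(0xE0 | (cp >> 12));
            dst[out++] = (unsigned char)(0x80 | ((cp >> 6) & 0x3F));
            dst[out++] = (unsigned char)(0x80 | (cp & 0x3F));
        } else {
            dst[out++] = (unsigned char)(0xF0 | (cp >> 18));
            dst[out++] = (unsigned char)(0x80 | ((cp >> 12) & 0x3F));
            dst[out++] = (unsigned char)(0x80 | ((cp >> 6) & 0x3F));
            dst[out++] = (unsigned char)(0x80 | (cp & 0x3F));
        }
    }
    return (long)out;
}

int main(void) {
    unsigned char buf[15];             /* utf8_worst_case(5) */
    return utf16_to_utf8_bounded(SAMPLE, 5, buf, sizeof buf) == 11 ? 0 : 1;
}
```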
Remediation:

Patches are available for this issue. See References for details.

References

XFDB: http://xforce.iss.net/xforce/xfdb/42088
Mozilla: http://www.mozilla.org/security/announce/2008/mfsa2008-37.html

Revision History

1.0 Initial publication.

