CERT-MU
AD-2012-04
Mozilla Firefox, Thunderbird and SeaMonkey Multiple Vulnerabilities
Original issue date: December 20, 2011
Updated: January 06, 2012
Severity Rating: High
Overview
Multiple vulnerabilities have been identified in Mozilla Firefox, Thunderbird and SeaMonkey. They allow remote attackers to execute arbitrary code on vulnerable installations of Mozilla Firefox and cause denial of service conditions. Mozilla has issued an update to address these vulnerabilities.
Description
Multiple vulnerabilities have been identified in Mozilla Firefox, Thunderbird and SeaMonkey. Remote attackers can exploit them to execute arbitrary code on affected systems and to cause a denial of service condition. The vulnerabilities exist because of the following errors:
- The browser engines of Mozilla Firefox, Thunderbird and SeaMonkey contain several errors that can allow remote attackers to cause a memory and application crash, or even execute arbitrary code, via vectors that trigger a compartment mismatch related to the nsDOMMessageEvent::GetData function and via other unknown vectors.
- The SVG implementation does not interact properly with DOMAttrModified event handlers, which can allow remote attackers to cause an out-of-bounds memory access or have other impact via vectors that involve the removal of SVG elements.
- An error in Mozilla Firefox, Thunderbird and SeaMonkey can allow remote attackers to use SVG animation accessKey events in a web page to capture keystrokes entered on that page, even if JavaScript is disabled.
- An Ogg VIDEO element is not handled properly after scaling, which remote attackers can exploit to cause a denial of service or have other impacts.
- The YARR regular expression library contains a vulnerability that remote attackers can exploit to cause a denial of service condition or execute arbitrary code via crafted JavaScript.
Affected Systems
- Ubuntu Ubuntu Linux 11.10 i386
- Ubuntu Ubuntu Linux 11.10 amd64
- Ubuntu Ubuntu Linux 11.04 powerpc
- Ubuntu Ubuntu Linux 11.04 i386
- Ubuntu Ubuntu Linux 11.04 ARM
- Ubuntu Ubuntu Linux 11.04 amd64
- SuSE openSUSE 11.4
- SuSE openSUSE 11.3
- Red Hat Fedora 16
- Mozilla Thunderbird 8.0
- Mozilla SeaMonkey 2.5
- Mozilla Firefox 8.0.1
- Mozilla Firefox 8.0
- Mandriva Linux Mandrake 2011 x86_64
- Mandriva Linux Mandrake 2011
Other affected systems are listed at:
http://www.securityfocus.com/bid/51136/info
http://www.securityfocus.com/bid/51134/info
http://www.securityfocus.com/bid/51135/info
http://www.securityfocus.com/bid/51133/info
Solution
Users are advised to apply updates.
More information about the update is available on:
http://www.securityfocus.com/bid/51138/solution
http://www.securityfocus.com/bid/51136/solution
http://www.securityfocus.com/bid/51134/solution
http://www.securityfocus.com/bid/51135/solution
http://www.securityfocus.com/bid/51133/solution
CVE Information
CVE-2011-3661
CVE-2011-3660
CVE-2011-3658
CVE-2011-3665
CVE-2011-3663
References
Security Focus
http://www.securityfocus.com/bid/51138/info
http://www.securityfocus.com/bid/51136/info
http://www.securityfocus.com/bid/51134/info
http://www.securityfocus.com/bid/51135/info
http://www.securityfocus.com/bid/51133/info
Mozilla Foundation Security
http://www.mozilla.org/security/announce/2011/mfsa2011-53.html
http://www.mozilla.org/security/announce/2011/mfsa2011-55.html
http://www.mozilla.org/security/announce/2011/mfsa2011-56.html
Disclaimer
The information provided herein is on an "as is" basis, without warranty of any kind.
Contact Information
E-mail:

Postal address
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
7th Floor, Stratton Court
La Poudriere Street
Port Louis