CERT-MU AD-2010-12
Multiple Vulnerabilities in Mozilla Products
Original issue date: 05 July, 2010
Overview
Multiple vulnerabilities have been reported in Mozilla Firefox, SeaMonkey and Thunderbird, which could allow a remote attacker to bypass certain security restrictions, disclose potentially sensitive information, manipulate certain data, execute arbitrary code, cause a denial of service condition or potentially compromise an affected system.
Description
- Multiple Memory Corruption Vulnerabilities
Multiple memory corruption vulnerabilities have been reported in the JavaScript and browser engines when parsing malformed data in Mozilla Firefox, SeaMonkey and Thunderbird. A remote attacker could exploit these vulnerabilities via a specially crafted web page to trigger a memory corruption error. Successful exploitation of these vulnerabilities could allow a remote attacker to execute arbitrary code or cause a denial of service condition.
- nsCycleCollector::MarkRoots() Use-after-free Vulnerability
This vulnerability is caused by a use-after-free error in the frame construction process for menus, in the nsCycleCollector::MarkRoots function in Mozilla Firefox and SeaMonkey. A remote attacker could exploit this vulnerability via a specially crafted HTML page to trigger an invalid pointer usage error.
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code.
- Freed object reuse across plugin instances Vulnerability
This vulnerability is caused by a use-after-free error in the handling of object references among multiple plugin instances in Mozilla Firefox and SeaMonkey. A remote attacker could exploit this vulnerability via a specially crafted HTML page involving multiple plugin instances to trigger an invalid pointer usage error. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code.
- nsGenericDOMDataNode::SetTextInternal Heap buffer overflow Vulnerability
This vulnerability is caused by an integer overflow error in "nsGenericDOMDataNode::SetTextInternal" within the handling of text values for certain types of DOM nodes in Mozilla Firefox, SeaMonkey and Thunderbird. A remote attacker could exploit this vulnerability via a specially crafted DOM node with a long text value to trigger a heap-based buffer overflow error. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code or cause a denial of service condition.
- XSLT Node Sorting Integer Overflow Vulnerability
This vulnerability is caused by an integer overflow error in an XSLT node sorting routine in Mozilla Firefox, SeaMonkey and Thunderbird. A remote attacker could exploit this vulnerability via a specially crafted XSLT node containing an overly large text value to trigger a buffer overflow error. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code or cause a denial of service condition.
- HTTP "Content-Disposition: attachment" header XSS Vulnerability
This vulnerability is caused by improper handling of events in which both "Content-Disposition: attachment" and "Content-Type: multipart" are present in HTTP headers in Mozilla Firefox and SeaMonkey. A remote attacker could exploit this vulnerability via a specially crafted "Content-Disposition: attachment" HTTP header value and "Content-Type: multipart" value to bypass certain security features. Successful exploitation of this vulnerability could allow a remote attacker to conduct cross-site scripting (XSS) attacks.
- Re-use of freed object due to scope confusion Vulnerability
This vulnerability is caused by improper management of the scopes of DOM nodes that are moved from one document to another in Mozilla Firefox. A remote attacker could exploit this vulnerability via unspecified vectors involving improper interaction with garbage collection to execute arbitrary code.
- focus() behavior keystrokes stealing Vulnerability
This vulnerability is caused by an error in the JavaScript implementation, in which focus() could be used to change a user's cursor focus while they are typing, potentially directing their keyboard input to an unintended location in Mozilla Firefox and SeaMonkey. A remote attacker could exploit this vulnerability via a specially crafted web page to disclose potentially sensitive information.
- JavaScript Engine 'Math.Random()' Cross Domain Information Disclosure Vulnerability
This vulnerability is caused by an error in the implementation of the "Math.random()" function in the JavaScript implementation, which uses a random number generator that is seeded only once per browser session in Mozilla Firefox and SeaMonkey. A remote attacker could exploit this vulnerability to potentially disclose or track sensitive user information across different web sites.
Software Affected
- Mozilla Firefox versions 3.5.x prior to 3.5.10
- Mozilla Firefox versions 3.6.x prior to 3.6.4
- Mozilla SeaMonkey versions prior to 2.0.5
- Mozilla Thunderbird versions prior to 3.0.5
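An inventory check built from the affected-version list above, added here as an example (it is not part of the original advisory or of any Mozilla tooling). The host names and sample inventory are constructed; Firefox branches other than 3.5.x and 3.6.x are reported as "not-listed" because the advisory does not name them.

```python
import re

# Fixed releases taken from the "Software Affected" list of this advisory.
# Firefox is fixed per branch; SeaMonkey and Thunderbird have one threshold each.
FIREFOX_BRANCH_FIX = {(3, 5): (3, 5, 10), (3, 6): (3, 6, 4)}
SINGLE_FIX = {"seamonkey": (2, 0, 5), "thunderbird": (3, 0, 5)}


def parse_version(text):
    """Turn '3.6.3' into (3, 6, 3). Anything but dotted integers is rejected,
    so a pre-release string is never silently treated as a fixed build."""
    text = text.strip()
    if not re.fullmatch(r"[0-9]+(?:\.[0-9]+)*", text):
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(part) for part in text.split("."))


def check(product, version):
    """Return 'affected', 'fixed' or 'not-listed' for one installed product."""
    name = product.strip().lower().replace("mozilla ", "")
    ver = parse_version(version)
    if name == "firefox":
        # Compare only against the fix for the same branch (3.5.x or 3.6.x).
        fix = FIREFOX_BRANCH_FIX.get(ver[:2])
    else:
        fix = SINGLE_FIX.get(name)
    if fix is None:
        return "not-listed"
    return "affected" if ver < fix else "fixed"


def audit(inventory):
    """Return the (host, product, version) rows that still need the upgrade."""
    return [row for row in inventory if check(row[1], row[2]) == "affected"]


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = [
    ("ws-01", "Firefox", "3.6.3"),
    ("ws-02", "Firefox", "3.5.10"),
    ("ws-03", "Mozilla Thunderbird", "3.0.4"),
    ("ws-04", "SeaMonkey", "2.0.5"),
    ("ws-05", "Firefox", "3.0.19"),
]

if __name__ == "__main__":
    for host, product, version in SAMPLE_INVENTORY:
        print(host, product, version, check(product, version))
```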
Impact
Severity Rating: High
Solution
Upgrade to Mozilla Firefox version 3.5.10 or 3.6.4 or later
http://www.mozilla.com/firefox/
Upgrade to Mozilla SeaMonkey version 2.0.5
http://www.mozilla.org/projects/seamonkey/
Upgrade to Mozilla Thunderbird version 3.0.5
http://www.mozilla.com/thunderbird
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind
Vendor Information
Mozilla
http://www.mozilla.com/en-US/
CVE Name
CVE-2008-5913
CVE-2010-0183
CVE-2010-1121
CVE-2010-1125
CVE-2010-1196
CVE-2010-1197
CVE-2010-1198
CVE-2010-1199
CVE-2010-1200
CVE-2010-1201
CVE-2010-1202
CVE-2010-1203
References
Mozilla
http://www.mozilla.org/security/announce/2010/mfsa2010-25.html
http://www.mozilla.org/security/announce/2010/mfsa2010-26.html
http://www.mozilla.org/security/announce/2010/mfsa2010-27.html
http://www.mozilla.org/security/announce/2010/mfsa2010-28.html
http://www.mozilla.org/security/announce/2010/mfsa2010-29.html
http://www.mozilla.org/security/announce/2010/mfsa2010-30.html
http://www.mozilla.org/security/announce/2010/mfsa2010-31.html
http://www.mozilla.org/security/announce/2010/mfsa2010-32.html
http://www.mozilla.org/security/announce/2010/mfsa2010-33.html
Bugzilla
https://bugzilla.mozilla.org/buglist.cgi?bug_id=484890,509839,531176,534768,551661,553938,551233
https://bugzilla.mozilla.org/show_bug.cgi?id=524921
https://bugzilla.mozilla.org/buglist.cgi?bug_id=424558,526449,561031,561592
https://bugzilla.mozilla.org/buglist.cgi?bug_id=557946,546611
https://bugzilla.mozilla.org/show_bug.cgi?id=557174
https://bugzilla.mozilla.org/show_bug.cgi?id=532246
https://bugzilla.mozilla.org/show_bug.cgi?id=534666
https://bugzilla.mozilla.org/show_bug.cgi?id=554255
https://bugzilla.mozilla.org/show_bug.cgi?id=545755
Secunia
http://secunia.com/advisories/40309/
SecurityFocus
http://www.securityfocus.com/bid/41050
http://www.securityfocus.com/bid/33276/
SecurityTracker
http://securitytracker.com/alerts/2010/Jun/1024138.html
http://securitytracker.com/alerts/2010/Jun/1024139.html
ISS X-Force
http://xforce.iss.net/xforce/xfdb/59659
http://xforce.iss.net/xforce/xfdb/59665
http://xforce.iss.net/xforce/xfdb/59666
http://xforce.iss.net/xforce/xfdb/59667