TITLE:
Firefox Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA19631
VERIFY ADVISORY:
http://secunia.c
om/advisories/19631/
CRITICAL:
Highly critical
IMPACT:
Security Bypass, Cross Site Scripting, Spoofing, Exposure of
sensitive information, DoS, System access
WHERE:
From remote
SOFTWARE:
Mozilla Firefox 0.x
http://secunia.com/p
roduct/3256/
Mozilla Firefox 1.x
http://secunia.com/p
roduct/4227/
DESCRIPTION:
Multiple vulnerabilities have been reported in Firefox,
which
can be
exploited by malicious people to conduct cross-site
scripting
and
phishing attacks, bypass certain security restrictions,
disclose
sensitive information, and potentially compromise a user's
system.
1) An error exists where JavaScript can be injected into
another
page, which is currently loading. This can be exploited to
execute
arbitrary HTML and script code in a user's browser session
in
context
of an arbitrary site.
2) An error in the garbage collection in the JavaScript
engine
can be
exploited to cause a memory corruption.
Successful exploitation may allow execution of arbitrary
code.
3) A boundary error in the CSS border rendering
implementation
may be
exploited to write past the end of an array.
4) An integer overflow in the handling of overly long
regular
expressions in JavaScript may be exploited to execute
arbitrary
JavaScript bytecode.
5) Two errors in the handling of "-moz-grid"
and
"-moz-grid-group"
display styles may be exploited to execute arbitrary code.
6) An error in the "InstallTrigger.install()"
method can be
exploited
to cause a memory corruption.
7) An unspecified error can be exploited to spoof the secure
lock
icon and the address bar by changing the location of a
pop-up
window
in certain situations.
Successful exploitation requires that the "Entering
secure
site"
dialog has been enabled (not enabled by default).
8) It is possible to trick users into downloading malicious
files via
the "Save image as..." menu option.
9) A JavaScript function created via an "eval()"
call
associated with
a method of an XBL binding may be compiled with incorrect
privileges.
This can be exploited to execute arbitrary code.
10) An error where the "Object.watch()" method
exposes the
internal
"clone parent" function object can be exploited
to execute
arbitrary
JavaScript code with escalated privileges.
Successful exploitation allows execution of arbitrary code.
11) An error in the protection of the compilation scope of
built-in
privileged XBL bindings can be exploited to execute
arbitrary
JavaScript code with escalated privileges.
Successful exploitation allows execution of arbitrary code.
12) An unspecified error can be exploited to execute
arbitrary
HTML
and script code in a user's browser session in context of
an
arbitrary site via the window.controllers array.
13) An error in the processing of a certain sequence of HTML
tags can
be exploited to cause a memory corruption.
Successful exploitation allows execution of arbitrary code.
14) An error in the "valueOf.call()" and
"valueOf.apply()"
methods
can be exploited to execute arbitrary HTML and script code
in a
user's browser session in context of an arbitrary site.
15) Some errors in the DHTML implementation can be exploited
to
cause
a memory corruption.
Successful exploitation may allow execution of arbitrary
code.
16) An integer overflow error in the processing of the CSS
letter-spacing property can be exploited to cause a
heap-based
buffer
overflow.
Successful exploitation allows execution of arbitrary code.
17) An error in the handling of file upload controls can be
exploited
to upload arbitrary files from a user's system by e.g.
dynamically
changing a text input box to a file upload control.
18) An unspecified error in the
"crypto.generateCRMFRequest()"
method
can be exploited to execute arbitrary code.
19) An error in the handling of scripts in XBL controls can
be
exploited to gain chrome privileges via the "Print
Preview"
functionality.
20) An error in a security check in the
"js_ValueToFunctionObject()"
method can be exploited to execute arbitrary code via
"setTimeout()"
and "ForEach".
21) An error in the interaction between XUL content windows
and
the
history mechanism can be exploited to trick users into
interacting
with a browser user interface which is not visible.
Successful exploitation may allow execution of arbitrary
code.
SOLUTION:
Update to versions 1.0.8 or 1.5.0.2.
http://www.mozilla.co
m/firefox/
ORIGINAL ADVISORY:
http://www.mozilla.org/security/announce/2006/mfsa
2006-09.html
http://www.mozilla.org/security/announce/2006/mfsa
2006-10.html
http://www.mozilla.org/security/announce/2006/mfsa
2006-11.html
http://www.mozilla.org/security/announce/2006/mfsa
2006-12.html
http://www.mozilla.org/security/announce/2006/mfsa
2006-13.html
http://www.mozilla.org/security/announce/2006/mfsa
2006-14.html
http://www.mozilla.org/security/announce/2006/mfsa
2006-15.html
http://www.mozilla.org/security/announce/2006/mfsa
2006-16.html
http://www.mozilla.org/security/announce/2006/mfsa
2006-17.html
http://www.mozilla.org/security/announce/2006/mfsa
2006-18.html
http://www.mozilla.org/security/announce/2006/mfsa
2006-19.html
http://www.mozilla.org/security/announce/2006/mfsa
2006-20.html
http://www.mozilla.org/security/announce/2006/mfsa
2006-22.html
http://www.mozilla.org/security/announce/2006/mfsa
2006-23.html
http://www.mozilla.org/security/announce/2006/mfsa
2006-24.html
http://www.mozilla.org/security/announce/2006/mfsa
2006-25.html
http://www.mozilla.org/security/announce/2006/mfsa
2006-28.html
http://www.mozilla.org/security/announce/2006/mfsa
2006-29.html
============= PCWorks Mailing List =================
Don't see your post? Check our posting guidelines &
make sure you've followed proper posting procedures,
http://pcworkers.com/r
ules.htm
Contact list owner <owner-pcworks imagicomm.com>
Unsubscribing and other changes: http://pcworkers.com
=====================================================
|