|
|
>> Mozilla Products Multiple Memory Corruption and Security Bypass Issues
|
Multiple vulnerabilities were identified in Mozilla Suite, Mozilla Firefox and Thunderbird, which may be exploited by remote attackers to take complete control of an affected system or bypass security restrictions.
The first issue is due to errors in the JavaScript engine that fails to properly protect certain temporary variables during garbage collection, which could be exploited by malicious web sites to cause a memory corruption and potentially execute arbitrary commands.
The second flaw is due to a memory corruption error when dynamically changing the style of an element from "position:relative" to "position:static", which could be exploited by remote attackers to compromise a vulnerable system.
The third vulnerability is due to an error when handling large history information passed the the "history.dat" file (e.g. an overly large title), which could be exploited via a specially crafted Web page to cause a vulnerable application to crash or consume a large amount of system resources. For additional information, see : VUPEN/ADV-2005-2805
The fourth issue is due to a memory corruption error when calling the "QueryInterface" method of the built-in Location and Navigator objects, which could be exploited by remote attackers to execute arbitrary commands.
The fifth flaw is due to an error in the "XULDocument.persist()" function that does not properly validate the attribute name, which could be exploited by attackers to execute arbitrary JavaScript commands with the permissions of the browser by injecting XML into "localstore.rdf".
The sixth vulnerability is due to integer overflow errors in the E4X, SVG, and Canvas features, which could be exploited by malicious web sites to execute arbitrary commands.
The seventh issue is due to an error in the XML parser, which could be exploited by remote attackers to crash a vulnerable application and potentially incorporate private data into the DOM of an XML document.
The eighth flaw is due to an error in the E4X implementation that exposes the internal "AnyName" object to web content, which could be exploited by malicious web sites to bypass security restrictions.
Affected Products
Mozilla Firefox version 1.5 and prior
Mozilla Suite version 1.7.12 and prior
Mozilla Thunderbird version 1.5 and prior
Mozilla SeaMonkey versions prior to 1.0
Solution
Upgrade to Firefox 1.5.0.1 or SeaMonkey 1.0 :
http://www.mozilla.org/products/
Disable JavaScript in Thunderbird and Mozilla Suite.
References
http://www.vupen.com/english/advisories/2006/0413
http://www.mozilla.org/security/announce/mfsa2006-01.html
http://www.mozilla.org/security/announce/mfsa2006-02.html
http://www.mozilla.org/security/announce/mfsa2006-03.html
http://www.mozilla.org/security/announce/mfsa2006-04.html
http://www.mozilla.org/security/announce/mfsa2006-05.html
http://www.mozilla.org/security/announce/mfsa2006-06.html
http://www.mozilla.org/security/announce/mfsa2006-07.html
http://www.mozilla.org/security/announce/mfsa2006-08.html
Credits
Vulnerabilities reported by Igor Bukanov, Martijn Wargers, ZIPLOCK, Georgi Guninski, moz_bug_r_a4, Johnny Stenback and Brendan Eich.
ChangeLog
2006-02-02 : Initial release
2006-02-07 : Exploit released
Vulnerability Management
Subscribe to VUPEN VNS and receive real-time e-mail and SMS alerts when new advisories or patches relevant to your systems and network configurations are available.
Feedback
If you have additional information or corrections for this security advisory please submit them via our contact form. | |
|
