VUPEN Security - Mozilla Products Code Execution and Security Bypass Vulnerabilities / Exploit (Security Advisories)

	Contact \| Site en Français

Vulnerabilities & Threats

VUPEN Security Advisories

Linux Security Advisories

Malware Advisories

Security Research

Threat Watch Blog

Zero-Day Monitor

Search Engine

Mailing List & RSS

>> Mozilla Products Code Execution and Security Bypass Vulnerabilities

Title : Mozilla Products Code Execution and Security Bypass Vulnerabilities
VUPEN ID : VUPEN/ADV-2008-2661
CVE ID : CVE-2008-0016 - CVE-2008-3835 - CVE-2008-3836 - CVE-2008-3837 - CVE-2008-4058 - CVE-2008-4059 - CVE-2008-4060 - CVE-2008-4061 - CVE-2008-4062 - CVE-2008-4063 - CVE-2008-4064 - CVE-2008-4065 - CVE-2008-4066 - CVE-2008-4067 - CVE-2008-4068 - CVE-2008-4069
CWE ID : CWE-20 - CWE-22 - CWE-119 - CWE-200 - CWE-270
Rated as : Critical

Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2008-09-24

Exploits or PoC have been developed by VUPEN and are available through the VUPEN Exploits & PoCs Service.

Technical Description

Receive VUPEN Security alerts in a Text format

Receive VUPEN Security alerts in a PDF format

Receive VUPEN Security alerts in an XML format

Multiple vulnerabilities have been identified in Mozilla Firefox, SeaMonkey and Thunderbird, which could be exploited by attackers to bypass security restrictions, disclose sensitive information, cause a denial of service or take complete control of an affected system.

The first issue is caused by a stack overflow error when processing specially crafted UTF-8 URLs, which could be exploited by attackers to execute arbitrary code by tricking a user into following a malicious link.

The second vulnerability is caused by an error in the same-origin check performed via "nsXMLDocument::OnChannelRedirect()", which could allow attackers to execute JavaScript in the context of a different website.

The third issue is caused by input validation errors in feedWriter, which could be exploited to execute arbitrary scripts with chrome privileges.

The fourth vulnerability is caused by an error when performing drag-and-drop actions, which could allow attackers to force a user to download a file by moving the content window while the mouse was being clicked, causing an item to be dragged rather than clicked-on.

The fifth issue is caused by errors related to XPCnativeWrapper, which could allow attackers to execute arbitrary scripts with chrome privileges.

The sixth vulnerability is caused by memory corruption errors in the layout and JavaScript engines, and within the rendering of graphics, which could be exploited by attackers to crash a vulnerable application or execute arbitrary code.

The seventh issue is caused due to certain BOM characters being stripped from JavaScript code before execution, which could be exploited to bypass or evade script filters and perform cross site scripting attacks.

The eighth vulnerability is caused due to the HTML parser ignoring certain low surrogate characters if they were HTML-escaped, which could be exploited to bypass script filters and perform cross site scripting attacks.

The ninth issue is caused by errors within the "resource:" protocol, which could be exploited to conduct directory traversal attacks and disclose sensitive information.

The tenth vulnerability is caused by an error in the XBM decoder that allows random small chunks of uninitialized memory to be read, leading to information disclosure.

The eleventh issue is caused by a buffer overflow error in the handling of cancelled newsgroup messages, which could be exploited to execute arbitrary code via a malicious message.

Affected Products

Mozilla Firefox versions prior to 3.0.2
Mozilla Firefox versions prior to 2.0.0.17
Mozilla Thunderbird versions prior to 2.0.0.17
Mozilla SeaMonkey versions prior to 1.1.12

Solution

Upgrade to Mozilla Firefox version 3.0.2 or 2.0.0.17 :
http://www.mozilla.com/firefox/

Upgrade to Mozilla Thunderbird version 2.0.0.17 :
http://www.mozilla.com/thunderbird/

Upgrade to Mozilla SeaMonkey version 1.1.12 :
http://www.seamonkey-project.org/releases/

References

http://www.vupen.com/english/advisories/2008/2661
http://www.mozilla.org/security/announce/2008/mfsa2008-38.html
http://www.mozilla.org/security/announce/2008/mfsa2008-39.html
http://www.mozilla.org/security/announce/2008/mfsa2008-40.html
http://www.mozilla.org/security/announce/2008/mfsa2008-41.html
http://www.mozilla.org/security/announce/2008/mfsa2008-42.html
http://www.mozilla.org/security/announce/2008/mfsa2008-43.html
http://www.mozilla.org/security/announce/2008/mfsa2008-44.html
http://www.mozilla.org/security/announce/2008/mfsa2008-45.html
http://www.mozilla.org/security/announce/2008/mfsa2008-46.html

Credits

Vulnerabilities reported by Justin Schuh and Tom Cross (IBM X-Force), Peter Williams (IBM Watson Labs), moz_bug_r_a4, Paul Nickerson, Liu Die Yu, Olli Pettay, Jesse Ruderman, Igor Bukanov, Philip Taylor, Georgi Guninski, Antoine Labour, Bob Clary, Martijn Wargers, David Maciejak, Drew Yao, Dave Reed, Gareth Heyes, Boris Zbarsky and Billy Hoffman.

ChangeLog

2008-09-24 : Initial release
2008-09-27 : Updated Description

Vulnerability Management

Subscribe to VUPEN VNS and receive real-time alerts when new advisories or patches relevant to your systems and network configurations are available.

Feedback

If you have additional information or corrections for this security advisory please submit them via our contact form.

Vulnerability Alerting

Free 14-Day Trial

Latest News

>> 2009-07-06

Microsoft Windows 0-Day
Flaw Exploited in the Wild

>> 2009-06-10

VUPEN Security Research
Discovered Critical Flaws
in Adobe Acrobat and MS
Office Word

>> 2009-06-02

VUPEN Security Research
Discovered Critical Flaws
in ACDSee Products

>> 2009-05-22

VUPEN Discovered Two
Critical Vulnerabilities in
Novell GroupWise 8 / 7

More Informations