Mozilla Products Code Execution and Security Bypass Vulnerabilities
Multiple vulnerabilities have been identified in Mozilla Firefox, SeaMonkey and Thunderbird, which could be exploited by attackers to bypass security restrictions, disclose sensitive information, cause a denial of service or take complete control of an affected system.
The first issue is caused by an error when using the canvas element in conjunction with an HTTP redirect, which could be exploited by attackers to bypass same-origin restrictions and gain access to content in other domains, or enumerate the software installed on a vulnerable system.
The second vulnerability is caused by insufficient checks being performed to test whether the Flash module was properly dynamically unloaded, which could be exploited to cause a malicious SWF file to access arbitrary memory addresses and execute arbitrary code.
The third issue is caused by an error when tampering with the window.__proto__.__proto__ object, which could be exploited to cause the browser to place a lock on a non-native object, leading to a crash or code execution.
The fourth issue is caused due to "file:" URIs being given chrome privileges when opened in the same tab as a chrome page or a privileged "about:" page, which could be exploited to execute malicious JavaScript with chrome privileges but requires the attacker to place the malicious code locally on the vulnerable system.
The fifth vulnerability is caused by memory corruption errors in the layout and JavaScript engines, and within the rendering of graphics, which could be exploited by attackers to crash a vulnerable application or execute arbitrary code.
The sixth vulnerability is caused by an error in the browser's session restore feature, which can be exploited to bypass the same-origin policy and execute JavaScript in the context of another site, or execute code with chrome privileges.
The seventh vulnerability is caused by a buffer overflow error when parsing the http-index-format MIME type, which could be exploited to execute arbitrary code.
The eighth issue is caused by an error in Mozilla's DOM constructing code when certain properties of a file input element are modified before it has finished initializing.
The ninth vulnerability is caused by an error in the same-origin check in "nsXMLHttpRequest::NotifyEventListeners()" function, which could be exploited by attackers to execute JavaScript in the context of a different website.
The tenth issue is caused by an unspecified error related to the use of the "-moz-binding" CSS property, which can be exploited to bypass security checks which validate codebase principals.
The eleventh vulnerability is caused by an input validation error when parsing the default namespace in an E4X document, which could be exploited to inject data.
The twelfth issue is caused by an error when forwarding a malicious email "in-line" to a recipient who has enabled JavaScript, which could cause comments added by the forwarder to be accessed by scripts in the message and potentially revealed to the original malicious author if that message has also been allowed to load remote content.
Affected Products
Mozilla Firefox versions prior to 3.0.4
Mozilla Firefox versions prior to 2.0.0.18
Mozilla Thunderbird versions prior to 2.0.0.18
Mozilla SeaMonkey versions prior to 1.1.13
Solution
Upgrade to Firefox version 3.0.4 or 2.0.0.18:
http://www.mozilla.com/firefox/
Upgrade to SeaMonkey version 1.1.13:
http://www.seamonkey-project.org/
Upgrade to Thunderbird version 2.0.0.18:
http://www.mozilla.com/thunderbird/
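As an added example (not part of the original advisory), the following Python sketch checks a software inventory against the fixed versions listed above. It selects the fix for the installed Firefox branch, so that 3.0.3 is still flagged even though it is numerically newer than 2.0.0.18. The inventory rows, host names and function names are constructed for illustration.

```python
# Added example: fixed releases are taken from the advisory's Solution section.
FIXED = {
    "firefox": [(2, 0, 0, 18), (3, 0, 4)],   # two maintained branches
    "thunderbird": [(2, 0, 0, 18)],
    "seamonkey": [(1, 1, 13)],
}

def parse_version(text):
    """Return a tuple of ints for a dotted numeric version, else None."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None          # e.g. beta strings; report as unknown, do not guess
    return tuple(int(p) for p in parts)

def _pad(version, length):
    """Right-pad with zeros so 3.0 compares equal to 3.0.0."""
    return version + (0,) * (length - len(version))

def status(product, version_text):
    """Classify one install as 'affected', 'fixed' or 'unknown'."""
    fixes = FIXED.get(product.strip().lower())
    version = parse_version(version_text)
    if fixes is None or version is None:
        return "unknown"
    # Use the fix for the installed branch: the newest fixed release whose
    # major version does not exceed the installed one. Installs older than
    # every branch are compared against the oldest fix.
    candidates = [f for f in fixes if f[0] <= version[0]]
    fix = max(candidates) if candidates else min(fixes)
    width = max(len(fix), len(version))
    return "affected" if _pad(version, width) < _pad(fix, width) else "fixed"

# Constructed sample inventory: (host, product, installed version).
INVENTORY = [
    ("ws-01", "Firefox", "3.0.3"),
    ("ws-02", "Firefox", "2.0.0.18"),
    ("ws-03", "Thunderbird", "2.0.0.17"),
    ("ws-04", "SeaMonkey", "1.1.13"),
    ("ws-05", "Firefox", "3.1b1"),
]

def audit(inventory):
    """Return (host, product, version, status) for every inventory row."""
    return [(h, p, v, status(p, v)) for h, p, v in inventory]

if __name__ == "__main__":
    for row in audit(INVENTORY):
        print("%-6s %-12s %-9s %s" % row)
```
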
References
http://www.vupen.com/english/advisories/2008/3146
http://www.mozilla.org/security/announce/2008/mfsa2008-59.html
http://www.mozilla.org/security/announce/2008/mfsa2008-58.html
http://www.mozilla.org/security/announce/2008/mfsa2008-57.html
http://www.mozilla.org/security/announce/2008/mfsa2008-56.html
http://www.mozilla.org/security/announce/2008/mfsa2008-55.html
http://www.mozilla.org/security/announce/2008/mfsa2008-54.html
http://www.mozilla.org/security/announce/2008/mfsa2008-53.html
http://www.mozilla.org/security/announce/2008/mfsa2008-52.html
http://www.mozilla.org/security/announce/2008/mfsa2008-51.html
http://www.mozilla.org/security/announce/2008/mfsa2008-50.html
http://www.mozilla.org/security/announce/2008/mfsa2008-48.html
http://www.mozilla.org/security/announce/2008/mfsa2008-47.html
Credits
Vulnerabilities reported by Liu Die Yu, Georgi Guninski, Michal Zalewski, Chris Evans, TippingPoint ZDI, Jesse Ruderman, Luke Bryan, Martijn Wargers, Bob Clary, Daniel Veditz, Joachim Kuebart, David Bloom, moz_bug_r_a4, Justin Schuh, ling and wushi (team509), and Collin Jackson.
ChangeLog
2008-11-13 : Initial release
2008-11-19 : Updated Description