About Us | Contact Us

 


 

VUPEN Free Resources
 
  VUPEN Security Advisories
 
  VUPEN Security Blog & News
  Zero-day Attacks Monitor
  Daily Security Mailinglist
  Explanation of Terms
  Advanced Search Engine
 
   

Mozilla SeaMonkey Code Execution and Security Bypass Vulnerabilities

VUPEN ID VUPEN/ADV-2010-0648
CVE ID CVE-2009-0689 - CVE-2009-2463 - CVE-2009-3072 - CVE-2009-3075 - CVE-2009-3376 - CVE-2009-3385 - CVE-2009-3983 - CVE-2010-0161 - CVE-2010-0163
 
CWE ID Available in VUPEN VNS Customer Area
CVSS V2 Available in VUPEN VNS Customer Area
Rated as Critical 
Impact Available in VUPEN VNS Customer Area
Authentication Level Available in VUPEN VNS Customer Area
Access Vector Available in VUPEN VNS Customer Area
Release Date 2010-03-18
Share Twitter LinkedIn Facebook Delicious Digg Slashdot

Technical Description

Multiple vulnerabilities have been identified in Mozilla SeaMonkey, which could be exploited by attackers to manipulate or disclose certain data, bypass security restrictions or compromise a vulnerable system.

The first issue is caused by an error when handling scriptable plugin content (e.g. Flash objects) embedded in an iframe inside a mail message, which could cause malicious contents to be loaded and executed when a user replies to or forwards the message.

The second vulnerability is caused by a memory corruption error related to SSPI authentication and Active Directory, which could be exploited to potentially execute arbitrary code.

The third issue is caused by a memory corruption error when indexing messages with certain MIME attachments, which could be exploited to potentially execute arbitrary code.

Various other vulnerabilities have been reported. For additional information, see : VUPEN/ADV-2009-1972 - VUPEN/ADV-2009-2585 - VUPEN/ADV-2009-3063 - VUPEN/ADV-2009-3064 - VUPEN/ADV-2009-3547

Affected Products

SeaMonkey versions prior to 1.1.19

Solution 

Upgrade to SeaMonkey version 1.1.19 :
http://www.mozilla.org/projects/seamonkey/

References

http://www.vupen.com/english/advisories/2010/0648
http://www.mozilla.org/security/announce/2010/mfsa2010-06.html
http://www.mozilla.org/security/announce/2010/mfsa2010-07.html
http://www.mozilla.org/security/announce/2009/mfsa2009-68.html
http://www.mozilla.org/security/announce/2009/mfsa2009-62.html
http://www.mozilla.org/security/announce/2009/mfsa2009-59.html
http://www.mozilla.org/security/announce/2009/mfsa2009-49.html
http://www.mozilla.org/security/known-vulnerabilities/seamonkey11.html#seamonkey1.1.19

Credits 

Vulnerabilities reported by Georgi Guninski, Paul Fisher, Ludovic Hirlimann, Carsten Book, Josh Soref, monarch2000, Takehiro Takahashi (IBM X-Force), Jesse Ruderman, Sid Stamm, Maksymilian Arciemowicz and Alin Rad Pop (Secunia), and ZDI.

Changelog 

2010-03-18 : Initial release

Feedback 

If you have additional information or corrections for this security advisory please submit them via our contact form.
 

Monthly Statistics 

 

 VUPEN Security Advisories By Criticality: Sep 2010


  Critical Risk

 : 18%

  High Risk		 : 5%

  Moderate Risk		 : 46%

  Low Risk		 : 31%

Get a real-time view of the vulnerabilities affecting your systems using the VUPEN VNS reporting capabilities.
 
 

Try VUPEN VNS 

 

 





© 2004-2010 VUPEN Security - Copyright - Privacy Policy