(Apparently Secunia saw their mistake confusing FF with Tbird and sent this one for FF....)

TITLE: Mozilla Firefox Multiple Vulnerabilities

Criticality level: Highly critical
Impact: Security Bypass, Exposure of sensitive information, System access
Where: From remote

VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/40309/

RELEASE DATE: 2010-06-29

DESCRIPTION:
Some vulnerabilities have been reported in Mozilla Firefox, which can be exploited by malicious people to disclose sensitive information, bypass certain security restrictions, or to compromise a user's system.

1) Multiple errors in the browser engine can be exploited to corrupt memory and potentially execute arbitrary code.

2) An error in the handling of multipart/x-mixed-replace resources can be exploited to corrupt memory and potentially execute arbitrary code. This vulnerability only affects version 3.5.x.

3) Multiple errors in the Javascript engine can be exploited to corrupt memory and potentially execute arbitrary code.

4) Multiple errors in the Javascript engine can be exploited to corrupt memory and potentially execute arbitrary code. These errors only affect version 3.6.x.

5) A use-after-free error exists in "nsCycleCollector::MarkRoots()", which can result in the use of an invalid pointer and allows execution of arbitrary code.

6) A use-after-free error in the handling of object references among multiple plugin instances can be exploited to trigger the use of an invalid pointer and execute arbitrary code.

7) An integer overflow error exists in "nsGenericDOMDataNode::SetTextInternal" within the handling of text values for certain types of DOM nodes. This can be exploited to cause a heap-based buffer overflow via overly large strings.

8) An integer overflow error in a XSLT node sorting routine can be exploited to cause a buffer overflow and potentially execute arbitrary code via a node containing an overly large text value.

9) A weakness is caused due to "focus()" allowing to direct user input to unintended locations, e.g. an embedded iframe from another domain.

10) The HTTP "Content-Disposition: attachment" header is ignored when "Content-Type: multipart" is also present. This can result in security features being bypassed in sites that allow users to upload arbitrary files and specify a "Content-Type" but rely on "Content-Disposition: attachment" to prevent the content from being displayed inline.

11) A weakness exists due to the pseudo-random number generator being seeded only once per browsing session, which can be exploited to disclose the value used to seed "Math.random()" and potentially identify and track users across different web sites.

SOLUTION:
Update to version 3.5.10 or 3.6.4.

ORIGINAL ADVISORY:
Mozilla Foundation:
http://www.mozilla.org/security/announce/2010/mfsa2010-26.html
http://www.mozilla.org/security/announce/2010/mfsa2010-27.html
http://www.mozilla.org/security/announce/2010/mfsa2010-28.html
http://www.mozilla.org/security/announce/2010/mfsa2010-29.html
http://www.mozilla.org/security/announce/2010/mfsa2010-30.html
http://www.mozilla.org/security/announce/2010/mfsa2010-31.html
http://www.mozilla.org/security/announce/2010/mfsa2010-32.html
http://www.mozilla.org/security/announce/2010/mfsa2010-33.html
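
A server-side mitigation for item 10 of the advisory, as an added example that is not part of the original post or of the Secunia advisory: a site that serves user uploads can refuse to echo a user-declared multipart type instead of relying on "Content-Disposition: attachment" alone. The function name, the fallback constant and the sample inputs are assumptions made for this sketch.

```python
import re

# Added example; function and constant names are hypothetical.
SAFE_FALLBACK = "application/octet-stream"
_TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"
_MEDIA_TYPE = re.compile(rf"({_TOKEN})/({_TOKEN})")


def download_headers(user_content_type, filename):
    """Headers for serving a user upload that must never render inline."""
    # Keep only type/subtype: drop parameters such as boundary= or charset=.
    media = (user_content_type or "").split(";", 1)[0].strip().lower()
    match = _MEDIA_TYPE.fullmatch(media)
    # Item 10: an affected browser ignores "Content-Disposition: attachment"
    # when the type is multipart, so a multipart (or malformed) value is
    # never echoed back to the client.
    if match is None or match.group(1) == "multipart":
        media = SAFE_FALLBACK
    # Restrict the filename to a conservative character set so it cannot
    # break out of the quoted string or inject header lines.
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "download"
    return {
        "Content-Type": media,
        "Content-Disposition": f'attachment; filename="{safe_name}"',
    }


if __name__ == "__main__":
    # Constructed sample inputs.
    for declared in ("image/png", "multipart/x-mixed-replace; boundary=x",
                     "text/html\r\nX-Injected: 1", ""):
        print(repr(declared), "->", download_headers(declared, "report.pdf"))
```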