[PCWorks] Mozilla Firefox / SeaMonkey Multiple Vulnerabilities

  • From: "Clint Hamilton-PCWorks Admin" <PCWorks@xxxxxxxxxxxxxxxxxxxxxxxx>
  • To: "PCWorks@xxxxxxxxxxxxx" <pcworks@xxxxxxxxxxxxx>
  • Date: Sat, 19 Mar 2011 22:55:29 -0500

TITLE:
Mozilla Firefox / SeaMonkey Multiple Vulnerabilities

Criticality level:   Highly critical
Impact:   Cross Site Scripting, Spoofing, DoS, System access
Where:   From remote

Software:
 Mozilla Firefox 3.5.x
 Mozilla Firefox 3.6.x
 Mozilla SeaMonkey 2.x

SECUNIA ADVISORY ID:
http://secunia.com/advisories/43550/

DESCRIPTION:
A weakness and some vulnerabilities have been reported in Mozilla Firefox and SeaMonkey, which can be exploited by malicious people to conduct spoofing attacks, cross-site request forgery attacks, and compromise a user's system.

1) Multiple errors in the browser engine can be exploited to corrupt memory and potentially execute arbitrary code.

2) An error when handling recursive calls to "eval()" within a "try/catch" statement can lead to dialogs being displayed incorrectly and returning "true" when closed. This can e.g. be exploited to gain escalated privileges by forcing a user into accepting certain dialogs.

3) A use-after-free error in the js3250.dll library when processing the "JSON.stringify()" method can be exploited to dereference an invalid pointer in a call to the "js_HasOwnProperty()" function.

4) An error within the internal memory mapping of non-local JavaScript variables can be exploited to cause a buffer overflow and potentially execute arbitrary code.

5) An error within the internal string mapping of the JavaScript engine, related to an offset pointer when handling more than 64K values, can be exploited to cause an exception object to be read from invalid memory.

6) A use-after-free error related to JavaScript "Workers" can be exploited to dereference invalid memory and execute arbitrary code.

7) An error when allocating memory for layout objects displaying long strings can be exploited to cause a memory corruption and execute arbitrary code.

Note: This may only affect the Windows platform.

8) The "ParanoidFragmentSink" class does not properly filter "javascript:" URLs and inline JavaScript, which can be exploited to execute arbitrary JavaScript code.

Successful exploitation requires that an extension which uses this class to sanitise HTML before embedding it in a chrome (privileged) document is installed.
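The following is an added illustration, not Mozilla's ParanoidFragmentSink or any code from the advisory: it shows the URL-scheme allowlist a fragment sanitiser needs before untrusted HTML goes into a privileged document, and the normalisation that makes "java\tscript:" and " JavaScript:" fail it. The function names, the scheme and attribute lists, and the assumption that attribute values are already entity-decoded are all this example's own.

```javascript
// Added example, not Mozilla code: the kind of URL-scheme allowlist a fragment
// sanitiser needs before untrusted HTML is embedded in a privileged (chrome)
// document. Assumption: attribute values arrive already entity-decoded, as they
// do after HTML parsing, so "&#106;avascript:" has become "javascript:" by now.

const SAFE_SCHEMES = new Set(["http", "https", "ftp", "mailto"]);

// Return the lower-cased scheme of `url`, or null for a scheme-less (relative)
// URL. ASCII control characters and spaces are removed first, because browser
// URL parsers discard tabs and newlines anywhere in the input, so
// "java\tscript:" and "  JavaScript:" must be recognised as the same scheme.
// Removing more than the parser does is safe: it can only cause rejection.
function schemeOf(url) {
  const cleaned = String(url).replace(/[\u0000-\u0020]/g, "");
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// Allowlist, not denylist: anything that is not a known-harmless scheme is
// rejected, which also catches data:, vbscript: and future additions.
function isSafeUrl(url) {
  const scheme = schemeOf(url);
  return scheme === null || SAFE_SCHEMES.has(scheme);
}

const URL_ATTRS = new Set(["href", "src", "action", "formaction", "xlink:href"]);

// Filter one element's attributes (a plain object of name -> decoded value).
// Drops inline event handlers (on*), style (which can carry url() and, in old
// engines, expression()), and URL-valued attributes whose scheme is not allowed.
function sanitizeAttributes(attrs) {
  const kept = {};
  for (const [rawName, value] of Object.entries(attrs)) {
    const name = rawName.toLowerCase();
    if (name.startsWith("on")) continue;
    if (name === "style") continue;
    if (URL_ATTRS.has(name) && !isSafeUrl(value)) continue;
    kept[name] = value;
  }
  return kept;
}
```

The check only addresses script execution through URLs and handlers; a fragment destined for a chrome document still needs element-level filtering, and even an allowed scheme can be unwelcome there (a relative URL resolves against the chrome document's own base).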

9) An error when decoding certain JPEG images can be exploited to cause a buffer overflow and potentially execute arbitrary code.

Note: This does not affect the Mozilla Firefox 3.5 branch.

10) When a request initiated by a plugin receives a 307 redirect response, the request, including any custom headers, is forwarded to the new location without notifying the plugin. This can be used to e.g. bypass cross-site request forgery protections that rely on custom headers.

SOLUTION:
Update to Mozilla Firefox version 3.5.17 or 3.6.14 and Mozilla
SeaMonkey version 2.0.12.

ORIGINAL ADVISORY:
1) http://www.mozilla.org/security/announce/2011/mfsa2011-01.html
2) http://www.mozilla.org/security/announce/2011/mfsa2011-02.html
3) http://www.mozilla.org/security/announce/2011/mfsa2011-03.html
4) http://www.mozilla.org/security/announce/2011/mfsa2011-04.html
5) http://www.mozilla.org/security/announce/2011/mfsa2011-05.html
6) http://www.mozilla.org/security/announce/2011/mfsa2011-06.html
7) http://www.mozilla.org/security/announce/2011/mfsa2011-07.html
8) http://www.mozilla.org/security/announce/2011/mfsa2011-08.html
9) http://www.mozilla.org/security/announce/2011/mfsa2011-09.html
10) http://www.mozilla.org/security/announce/2011/mfsa2011-10.html

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-11-103/


=========================
The list's FAQ's can be seen by sending an email to 
PCWorks-request@xxxxxxxxxxxxx with FAQ in the subject line.

To unsubscribe, subscribe, set Digest or Vacation to on or off, go to 
//www.freelists.org/list/pcworks .  You can also send an email to 
PCWorks-request@xxxxxxxxxxxxx with Unsubscribe in the subject line.  Your 
member list settings can be found at 
//www.freelists.org/cgi-bin/lsg2.cgi/l=pcworks .  Once logged in, you have 
access to numerous other email options.  

The list archives are located at //www.freelists.org/archives/pcworks/ .  
All email posted to the list will be placed there in the event anyone needs to 
look for previous posts.