[windows2000] Re: Cert Multiple vulnerabilities in Mozilla products
- From: Greg Reese <gareese@xxxxxxxxx>
- To: windows2000@xxxxxxxxxxxxx
- Date: Mon, 20 Sep 2004 16:10:55 -0400
there will be more if this as it gets more popular. It is nice to
know the preview release of firefox is already fixed. I have had it
on a test server the past few days. Time to move it live I guess. I
have not had any issues with it.
Greg
On Mon, 20 Sep 2004 15:41:35 -0400, Jim Kenzig http://thin.net
<jimkenz@xxxxxxxxxxxxxx> wrote:
> Thought you were safe because you didn't use IE? Think again!
> JK
>
> Multiple vulnerabilities in Mozilla products
> Original release date: September 17, 2004
> Last revised: --
> Source: US-CERT
>
> Systems Affected
> Mozilla software, including the following:
> Mozilla web browser, email and newsgroup client
> Firefox web browser
> Thunderbird email client
>
> Overview
> Several vulnerabilities exist in the Mozilla web browser and derived
> products, the most serious of which could allow a remote attacker to execute
> arbitrary code on an affected system.
>
> I. Description
> Several vulnerabilities have been reported in the Mozilla web browser and
> derived products. More detailed information is available in the individual
> vulnerability notes:
> VU#414240 <http://www.kb.cert.org/vuls/id/414240> - Mozilla Mail vulnerable
> to buffer overflow via writeGroup() function in nsVCardObj.cpp
> Mozilla Mail contains a stack overflow vulnerability in the display routines
> for VCards. By sending an email message with a crafted VCard, a remote
> attacker may be able to execute arbitrary code on the victim's machine with
> the privileges of the current user. This can be exploited in the preview
> mode as well.
> VU#847200 <http://www.kb.cert.org/vuls/id/847200> - Mozilla contains integer
> overflows in bitmap image decoder
> A vulnerability in the way Mozilla and its derived programs handle certain
> bitmap images could allow a remote attacker to execute arbitrary code on a
> vulnerable system.
> VU#808216 <http://www.kb.cert.org/vuls/id/808216> - Mozilla contains heap
> overflow in UTF8 conversion of hostname portion of URLs
> A vulnerability in the way Mozilla and its derived programs handle certain
> malformed URLs could allow a remote attacker to execute arbitrary code on a
> vulnerable system.
> VU#125776 <http://www.kb.cert.org/vuls/id/125776> - Multiple buffer
> overflows in Mozilla POP3 protocol handler
> There are multiple buffer overflow vulnerabilities in the Mozilla POP3
> protocol handler that could allow a malicious POP3 server to execute
> arbitrary code on the affected system.
> VU#327560 <http://www.kb.cert.org/vuls/id/327560> - Mozilla "send page"
> feature contains a buffer overflow vulnerability
> There is a buffer overflow vulnerability in the Mozilla "send page" feature
> that could allow a remote attacker to execute arbitrary code.
> VU#651928 <http://www.kb.cert.org/vuls/id/651928> - Mozilla allows arbitrary
> code execution via link dragging
> A vulnerability affecting Mozilla web browsers may allow violation of
> cross-domain scripting policies and possibly execute code originating from a
> remote source.
>
> II. Impact
> These vulnerabilities could allow a remote attacker to execute arbitrary
> code with the privileges of the user running the affected application.
> VU#847200 <http://www.kb.cert.org/vuls/id/847200> could also allow a remote
> attacker to crash an affected application.
>
> III. Solution
> Upgrade to a patched version
> Mozilla has released versions of the affected software that contain patches
> for these issues:
> Mozilla 1.7.3 <http://www.mozilla.org/products/mozilla1.x/>
> Firefox Preview Release <http://www.mozilla.org/products/firefox/>
> Thunderbird 0.8 <http://www.mozilla.org/products/thunderbird/>
> Users are strongly encouraged to upgrade to one of these versions.
>
> Appendix A. References
> Mozilla Security Advisory -
> <<http://www.mozilla.org/projects/security/known-vulnerabilities.html>>
> Mozilla 1.7.2 non-ascii hostname heap overrun, Gaël Delalleau -
> <<http://www.zencomsec.com/advisories/mozilla-1.7.2-UTF8link.txt>>
> Security Audit of Mozilla's .bmp image parsing, Gaël Delalleau -
> <<http://www.zencomsec.com/advisories/mozilla-1.7.2-BMP.txt>>
> Security Audit of Mozilla's POP3 client protocol, Gaël Delalleau -
> <<http://www.zencomsec.com/advisories/mozilla-1.7.2-POP3.txt>>
> US-CERT Vulnerability Note VU#414240 -
> <<http://www.kb.cert.org/vuls/id/414240>>
> US-CERT Vulnerability Note VU#847200 -
> <<http://www.kb.cert.org/vuls/id/847200>>
> US-CERT Vulnerability Note VU#808216 -
> <<http://www.kb.cert.org/vuls/id/808216>>
> US-CERT Vulnerability Note VU#125776 -
> <<http://www.kb.cert.org/vuls/id/125776>>
> US-CERT Vulnerability Note VU#327560 -
> <<http://www.kb.cert.org/vuls/id/327560>>
> US-CERT Vulnerability Note VU#651928 -
> <<http://www.kb.cert.org/vuls/id/651928>>
>
> Mozilla has assigned credit for reporting of these issue to the following:
> VU#414240: Georgi Guninski
> VU#847200: Gaël Delalleau
> VU#808216: Gaël Delalleau and Mats Palmgren
> VU#125776: Gaël Delalleau
> VU#327560: Georgi Guninski
> VU#651928: Jesse Ruderman
>
> Feedback can be directed to the US-CERT Technical Staff
> <mailto:cert@xxxxxxxx?subject=TA04-261A%20Feedback%20VU%23414240%20VU%238472
> 00%20VU%23808216%20VU%23125776%20VU%23327560%20VU%23651928>.
>
> Copyright 2004 Carnegie Mellon University. Terms of use
> <http://www.us-cert.gov/legal.html>
>
> Revision History
> Sep 17, 2004: Initial release
> ********************************************************
> This Weeks Sponsor StressedPuppy.com Games
> Feeling stressed out? Check out our games to
> relieve your stress.
> http://www.StressedPuppy.com
> ********************************************************
> To Unsubscribe, set digest or vacation
> mode or view archives use the below link.
>
> http://thethin.net/win2000list.cfm
>
********************************************************
This Weeks Sponsor StressedPuppy.com Games
Feeling stressed out? Check out our games to
relieve your stress.
http://www.StressedPuppy.com
********************************************************
To Unsubscribe, set digest or vacation
mode or view archives use the below link.
http://thethin.net/win2000list.cfm
Other related posts:
