[ale] today's Mozilla vulnerabilities notice
Michael B. Trausch
fd0man at gmail.com
Fri Jun 2 18:58:54 EDT 2006
On Fri, June 2 2006 18:32, Jim Popovitch wrote:
> Anyone have the inside scoop/opinion/synopsis on the Mozilla
> vulnerabilities that were announced today? I'm just curious as
> to what the issue(s) was.
>
> Tia,
>
> -Jim P.
>
The only information I have is here, from CERT:
> National Cyber Alert System
>
> Technical Cyber Security Alert TA06-153A
>
>
> Mozilla Products Contain Multiple Vulnerabilities
>
> Original release date: June 2, 2006
> Last revised: --
> Source: US-CERT
>
>
> Systems Affected
>
> * Mozilla SeaMonkey
> * Firefox web browser
> * Thunderbird email client
>
> Any products based on Mozilla components, particularly Gecko, may also
> be affected.
>
>
> Overview
>
> The Mozilla web browser and derived products contain several
> vulnerabilities, the most serious of which could allow a remote
> attacker to execute arbitrary code on an affected system.
>
>
> I. Description
>
> Several vulnerabilities have been reported in the Mozilla web browser
> and derived products. More detailed information is available in the
> individual vulnerability notes, including:
>
>
> VU#237257 - Mozilla privilege escalation using addSelectionListener
>
> A privilege escalation vulnerability exists in the Mozilla
> addSelectionListener method. This may allow a remote attacker to
> execute arbitrary code.
>
>
> VU#421529 - Mozilla contains a buffer overflow vulnerability in
> crypto.signText()
>
> Mozilla products contain a buffer overflow in the crypto.signText()
> method. This may allow a remote attacker to execute arbitrary code.
>
>
> VU#575969 - Mozilla may process content-defined setters on object
> prototypes with elevated privileges
>
> Mozilla allows content-defined setters on object prototypes to execute
> with elevated privileges. This may allow a remote attacker to execute
> arbitrary code.
>
>
> VU#243153 - Mozilla may associate persisted XUL attributes with an
> incorrect URL
>
> Mozilla can allow persisted XUL attributes to associate with the wrong
> URL. This may allow a remote attacker to execute arbitrary code.
>
>
> VU#466673 - Mozilla contains multiple memory corruption
> vulnerabilities
>
> Mozilla contains several memory corruption vulnerabilities. This may
> allow a remote attacker to execute arbitrary code.
>
>
> II. Impact
>
> The most severe impact of these vulnerabilities could allow a remote
> attacker to execute arbitrary code with the privileges of the user
> running the affected application. Other effects include a denial of
> service or local information disclosure.
>
>
> III. Solution
>
> Upgrade
>
> Upgrade to Mozilla Firefox 1.5.0.4, Mozilla Thunderbird 1.5.0.4, or
> SeaMonkey 1.0.2.
>
> Disable JavaScript
>
> These vulnerabilities can be mitigated by disabling JavaScript.
>
>
> Appendix A. References
>
> * US-CERT Vulnerability Note VU#237257 -
> <http://www.kb.cert.org/vuls/id/237257>
>
> * US-CERT Vulnerability Note VU#421529 -
> <http://www.kb.cert.org/vuls/id/421529>
>
> * US-CERT Vulnerability Note VU#575969 -
> <http://www.kb.cert.org/vuls/id/575969>
>
> * US-CERT Vulnerability Note VU#243153 -
> <http://www.kb.cert.org/vuls/id/243153>
>
> * US-CERT Vulnerability Note VU#466673 -
> <http://www.kb.cert.org/vuls/id/466673>
>
> * Mozilla Foundation Security Advisories -
> <http://www.mozilla.org/security/announce/>
>
> * US-CERT Vulnerability Notes Related to June Mozilla Security
> Advisories -
> <http://www.kb.cert.org/vuls/byid?searchview&query=firefox_1504>
>
> * Mozilla Foundation Security Advisories -
> <http://www.mozilla.org/projects/security/known-vulnerabilities.html>
>
> * Firefox - Rediscover the Web - <http://www.mozilla.com/firefox/>
>
> * Thunderbird - Reclaim your inbox -
> <http://www.mozilla.com/thunderbird/>
>
> * The SeaMonkey Project -
> <http://www.mozilla.org/projects/seamonkey/>
>
> * Securing Your Web Browser -
> <http://www.us-cert.gov/reading_room/securing_browser/browser_security.html#Mozilla_Firefox>
>
>
> ____________________________________________________________________
>
> The most recent version of this document can be found at:
>
> <http://www.us-cert.gov/cas/techalerts/TA06-153A.html>
> ____________________________________________________________________
>
> Feedback can be directed to US-CERT Technical Staff. Please send
> email to <cert at cert.org> with "TA06-153A Feedback VU#237257" in the
> subject.
> ____________________________________________________________________
>
> For instructions on subscribing to or unsubscribing from this
> mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
> ____________________________________________________________________
>
> Produced 2006 by US-CERT, a government organization.
>
> Terms of use:
>
> <http://www.us-cert.gov/legal.html>
> ____________________________________________________________________
>
>
> Revision History
>
> Jun 2, 2006: Initial release
>
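An added example, not part of the original post or of the US-CERT advisory: a small Python audit that turns the advisory's "Upgrade" guidance into a check. It takes the fixed releases the advisory names (Firefox 1.5.0.4, Thunderbird 1.5.0.4, SeaMonkey 1.0.2), pulls the product and version out of User-Agent strings in web-server or proxy access logs, and flags any pre-fix build still in use. The log lines and addresses are constructed; the User-Agent layout (`... Gecko/<date> Firefox/<version>`) is the one these products sent at the time and is assumed for any other build.

```python
"""Flag Mozilla products older than the TA06-153A fixed releases, based on
User-Agent strings in access logs.  Added example; the fixed versions come
from the advisory, the sample log lines below are constructed."""
import re

# Fixed releases named in the advisory's "III. Solution" section.
FIXED_VERSIONS = {
    "firefox": "1.5.0.4",
    "thunderbird": "1.5.0.4",
    "seamonkey": "1.0.2",
}

# Product token as it appears near the end of a Gecko-era User-Agent.
_UA_PRODUCT = re.compile(r"\b(Firefox|Thunderbird|SeaMonkey)/(\d+(?:\.\d+)*)")


def parse_version(text):
    """'1.5.0.4' -> (1, 5, 0, 4).  Comparing integer tuples avoids the
    string-comparison trap where '1.5.0.10' sorts before '1.5.0.4'."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in parts)


def version_at_least(have, wanted):
    """True if tuple `have` >= tuple `wanted`; shorter tuples are zero-padded
    so that 1.0 is treated as 1.0.0 when compared with 1.0.2."""
    n = max(len(have), len(wanted))
    return have + (0,) * (n - len(have)) >= wanted + (0,) * (n - len(wanted))


def product_from_user_agent(ua):
    """Return (product, version) for a Mozilla product UA, else None."""
    m = _UA_PRODUCT.search(ua)
    if not m:
        return None
    return m.group(1).lower(), m.group(2)


def is_fixed(product, version):
    """True if `version` of `product` is at or above the advisory's fix."""
    fixed = FIXED_VERSIONS.get(product.lower())
    if fixed is None:
        raise ValueError(f"product not covered by TA06-153A: {product}")
    return version_at_least(parse_version(version), parse_version(fixed))


def audit_user_agents(lines):
    """Return (product, version, line) for each line whose User-Agent is a
    Mozilla product below the fixed release.  Non-Mozilla UAs are ignored."""
    findings = []
    for line in lines:
        hit = product_from_user_agent(line)
        if hit is not None and not is_fixed(*hit):
            findings.append((hit[0], hit[1], line))
    return findings


# Constructed access-log lines (combined log format); addresses are fake.
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Jun/2006:19:01:12 -0400] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3"',
    '10.0.0.6 - - [02/Jun/2006:19:02:40 -0400] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4"',
    '10.0.0.7 - - [02/Jun/2006:19:03:05 -0400] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.0.1) Gecko/20060111 SeaMonkey/1.0"',
    '10.0.0.8 - - [02/Jun/2006:19:04:51 -0400] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '10.0.0.9 - - [02/Jun/2006:19:05:17 -0400] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.10) Gecko/20070221 Firefox/1.5.0.10"',
]

if __name__ == "__main__":
    for product, version, line in audit_user_agents(SAMPLE_LOG):
        host = line.split(" ", 1)[0]
        print(f"{host}: {product} {version} is below {FIXED_VERSIONS[product]}")
```

The comparison is done on integer tuples rather than strings so that a later point release such as 1.5.0.10 is correctly recognised as newer than 1.5.0.4; the same function can be run over a software-inventory export instead of logs by feeding it lines that contain a `Product/version` token.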