Skip to main content

Mozilla Firefox, SeaMonkey and Thunderbird Multiple Vulnerabilities

Last Update Date: 28 Jan 2011 Release Date: 22 Apr 2009 5478 Views

RISK: Medium Risk

Multiple vulnerabilities have been identified in Mozilla Firefox, SeaMonkey and Thunderbird, which could be exploited by attackers to bypass security restrictions, gain knowledge of sensitive information, cause a denial of service or compromise a vulnerable system.

1. Due to memory corruption errors in the JavaScript and browser engines when parsing malformed data, which could be exploited by attackers to crash a vulnerable application or execute arbitrary code.

2. Due to Unicode box drawing characters being allowed in Internationalized Domain Names (IDN), which could be exploited to conduct URL spoofing attacks.

3. Due to an error when using the "jar:" scheme to wrap a URI which serves a content with "Content-Disposition: attachment", which could allow an attacker to subvert sites using this mechanism to mitigate content injection attacks.

4. Due to an error when loading a Flash file via the "view-source:" scheme, which could be exploited to conduct cross-site request forgery attacks or read and write Local Shared Objects on a vulnerable system.

5. Due to an error when handling stylesheets, which could allow script injection attacks using XBL bindings.

6. Due to a same-origin validation error within "XMLHttpRequest" and "XPCNativeWrapper.toString", which could allow malicious web sites to read data from other domains.

7. Due to an error when handling MozSearch plugins, which could allow attackers to inject malicious code within the context of an arbitrary web site.

8. Due to POST data being incorrectly sent to the URL of the inner frame being saved as a file, which could potentially cause sensitive data to be sent to a site for which it was not intended.

9. Due to an error when processing "Refresh" headers containing a "javascript:" URI, which could allow attackers to inject malicious scripting code within the context of an arbitrary web site.


Impact

  • Denial of Service
  • Remote Code Execution
  • Security Restriction Bypass
  • Information Disclosure

System / Technologies affected

  • Mozilla Firefox versions prior to 3.0.9
  • Mozilla SeaMonkey versions prior to 1.1.17
  • Mozilla Thunderbird versions prior to 2.0.0.22

Solutions

Before installation of the software, please visit the software manufacturer web-site for more details.


Vulnerability Identifier


Source


Related Link