Mozilla Products Code Execution and Security Bypass Vulnerabilities

Last Update Date: 28 Jan 2011 Release Date: 18 Dec 2008 5668 Views

RISK: Medium Risk

Medium Risk

Multiple vulnerabilities have been identified in Mozilla Firefox, SeaMonkey and Thunderbird, which could be exploited by attackers to bypass security restrictions, disclose sensitive information, cause a denial of service or take complete control of an affected system.

1. A memory corruption errors in the browser and JavaScript engines when parsing malformed data, which could be exploited by attackers to crash a vulnerable application or execute arbitrary code.

2. A same-origin validation error within XBL bindings, which could allow malicious web sites to read data from other domains.

3. An input validation errors in the feed preview, which could be exploited to execute arbitrary JavaScript with chrome privileges.

4. an error when processing the "persist" attribute in XUL elements, which can be used to store cookie-like information on a user's computer which could later be read by a malicious website.

5. an error when a XMLHttpRequest is made to a same-origin resource which 302 redirects to a resource in a different domain, which could cause the response from the cross-domain resource to be readable by the site issuing the XHR.

6. an error when loading a same-domain JavaScript URL which redirects to an off-domain target resource containing data which is not parsable as JavaScript, which cause the application to reveal some of the file context via the window.onerror DOM API.

7. an error when handling certain control characters placed at the beginning of a URL, which would lead to incorrect parsing resulting and cause the parser to output a malformed URL.

8. Due to escaped null characters being ignored by the CSS parser, which could be exploited to bypass script sanitization routines in web applications.

9. A same-origin validation error when attaching an XBL binding to an unloaded document, which can be exploited to execute arbitrary JavaScript within the context of a different website.

10. An input validation error in the session-restore feature, which could be exploited to conduct cross site scripting attacks.

Impact

  • Denial of Service
  • Remote Code Execution
  • Security Restriction Bypass
  • Information Disclosure

System / Technologies affected

  • Mozilla Firefox versions prior to 3.0.5
  • Mozilla Firefox versions prior to 2.0.0.19
  • Mozilla Thunderbird versions prior to 2.0.0.19
  • Mozilla SeaMonkey versions prior to 1.1.14

Solutions

Before installation of the software, please visit the software manufacturer web-site for more details.

Vulnerability Identifier

Source

Related Link

Share with

Previous

Opera Browser Code Execution and Security Bypass Vulnerabilities

18 Dec 2008 5311 Views

Next

BitDefenderfor Linux PE File Handling Memory Corruption Vulnerability

22 Dec 2008 5360 Views

We use cookies to give you the best possible experience on our website. By continuing to browse this site, you give consent for cookies to be used. For more details please read our Cookie Policy.

PRIVACY POLICY