Mozilla Products Code Execution and Security Bypass Vulnerabilities
RISK: Medium Risk
Multiple vulnerabilities have been identified in Mozilla Firefox, Thunderbird and SeaMonkey, which could be exploited by attackers to manipulate or disclose certain data, bypass security restrictions or compromise a vulnerable system.
1. Memory corruption errors in the JavaScript and browser engines when parsing malformed data, which could be exploited by attackers to crash a vulnerable browser or execute arbitrary code.
2. A heap corruption error in the implementation of Web Workers, which could be exploited to crash a vulnerable browser or execute arbitrary code.
3. A use-after-free error in the HTML parser, which could be exploited to crash a vulnerable browser or execute arbitrary code.
4. An error related to "dialogArguments()" calls, which could be exploited to conduct cross-domain scripting attacks.
5. An error when processing an SVG document embedded into another document with a specially crafted "Content-Type", which could be exploited to conduct cross-domain scripting attacks.
Impact
- Remote Code Execution
- Security Restriction Bypass
System / Technologies affected
- Mozilla Firefox versions prior to 3.6
- Mozilla Firefox versions prior to 3.5.8
- Mozilla Firefox versions prior to 3.0.18
- Mozilla Thunderbird versions prior to 3.0.2
- Mozilla SeaMonkey versions prior to 2.0.3
Solutions
Before installation of the software, please visit the software manufacturer's website for more details.
- Upgrade to Mozilla Firefox version 3.6, 3.5.8 or 3.0.18: http://www.mozilla.com/firefox/
- Upgrade to Mozilla Thunderbird version 3.0.2: http://www.mozilla.com/thunderbird
- Upgrade to Mozilla SeaMonkey version 2.0.3: http://www.mozilla.org/projects/seamonkey/
Vulnerability Identifier
Source
Related Link
- http://www.vupen.com/english/advisories/2010/0405
- http://secunia.com/advisories/38657/
- http://secunia.com/advisories/38656/
- http://secunia.com/advisories/37242/
- http://www.mozilla.org/security/announce/2010/mfsa2010-05.html
- http://www.mozilla.org/security/announce/2010/mfsa2010-04.html
- http://www.mozilla.org/security/announce/2010/mfsa2010-03.html
- http://www.mozilla.org/security/announce/2010/mfsa2010-02.html
- http://www.mozilla.org/security/announce/2010/mfsa2010-01.html