Mozilla Products Multiple Vulnerabilities
RISK: Medium Risk
Multiple vulnerabilities have been identified in Mozilla Firefox, SeaMonkey and Thunderbird, which could be exploited by attackers to bypass security restrictions, disclose sensitive information, cause a denial of service or take complete control of an affected system.
1. A stack overflow error when processing specially crafted UTF-8 URLs, which could be exploited by attackers to execute arbitrary code by tricking a user into following a malicious link.
2. An error in the same-origin check performed via "nsXMLDocument::OnChannelRedirect()", which could allow attackers to execute JavaScript in the context of a different website.
3. Input validation errors in feedWriter, which could be exploited to execute arbitrary scripts with chrome privileges.
4. An error when performing drag-and-drop actions, which could allow attackers to force a user to download a file by moving the content window while the mouse was being clicked, causing an item to be dragged rather than clicked-on.
5. Errors related to XPCnativeWrapper, which could allow attackers to execute arbitrary scripts with chrome privileges.
6. Memory corruption errors in the layout and JavaScript engines, and within the rendering of graphics, which could be exploited by attackers to crash a vulnerable application or execute arbitrary code.
7. Due to certain BOM characters being stripped from JavaScript code before execution, which could be exploited to bypass or evade script filters and perform cross site scripting attacks.
8. Due to the HTML parser ignoring certain low surrogate characters if they were HTML-escaped, which could be exploited to bypass script filters and perform cross site scripting attacks.
9. Errors within the "resource:" protocol, which could be exploited to conduct directory traversal attacks and disclose sensitive information.
10. An error in the XBM decoder that allows random small chunks of uninitialized memory to be read, leading to information disclosure.
System / Technologies affected
- Mozilla Firefox versions prior to 3.0.2
- Mozilla Firefox versions prior to 2.0.0.17
- Mozilla Thunderbird versions prior to 2.0.0.17
- Mozilla SeaMonkey versions prior to 1.1.12
Solutions
Before installation of the software, please visit the software manufacturer web-site for more details.
- Upgrade to Mozilla Firefox version 3.0.2 or 2.0.0.17 :
http://www.mozilla.com/firefox/
- Upgrade to Mozilla Thunderbird version 2.0.0.17 :
http://www.mozilla.com/thunderbird/
- Upgrade to Mozilla SeaMonkey version 1.1.12 :
http://www.seamonkey-project.org/releases/
Vulnerability Identifier
- CVE-2008-0016
- CVE-2008-3835
- CVE-2008-3836
- CVE-2008-3837
- CVE-2008-4058
- CVE-2008-4059
- CVE-2008-4060
- CVE-2008-4061
- CVE-2008-4062
- CVE-2008-4063
- CVE-2008-4064
- CVE-2008-4065
- CVE-2008-4066
- CVE-2008-4067
- CVE-2008-4068
- CVE-2008-4069
Source
Related Link
Share with