Skip to main content

Mozilla Products Multiple Vulnerabilities

Last Update Date: 28 Jan 2011 Release Date: 17 Dec 2009 5435 Views

RISK: Medium Risk

Multiple vulnerabilities have been identified in Mozilla Firefox, SeaMonkey and Thunderbird which could be exploited by attackers to manipulate or disclose certain data, bypass security restrictions or compromise a vulnerable system.

1. A memory corruption errors in the JavaScript and browser engines when parsing malformed data, which could be exploited by attackers to crash a vulnerable browser or execute arbitrary code.

2. Due to memory corruption errors in liboggplay when processing malformed audio and video data, which could be exploited to crash a vulnerable browser or execute arbitrary code.

3. Due to integer overflow and input validation errors in the Theora video library (libtheora) when processing malformed data, which could be exploited to crash a vulnerable browser or execute arbitrary code.

4. An error in the NTLM implementation, which could allow reflection attacks in which NTLM credentials from one application could be forwarded to another arbitary application via the browser.

5. The errors when processing the "document.location" property, which could allow attackers to spoof the URL in the location bar or display the SSL indicator near the location bar while visiting an insecure web page.

6. An error when handling the "window.opener" property, which could allow attackers to execute arbitrary JavaScript code with chrome privileges.

7. Due to "GeckoActiveXObject" generating different exception messages based on whether or not the requested COM object's ProgID is present in the system registry, which could allow attackers to enumerate a list of COM objects installed on a system.


Impact

  • Remote Code Execution
  • Security Restriction Bypass
  • Information Disclosure

System / Technologies affected

  • Mozilla Firefox versions prior to 3.5.6
  • Mozilla Firefox versions prior to 3.0.16
  • Mozilla SeaMonkey versions prior to 2.0.1
  • Mozilla Thunderbird versions 3.x

Solutions

Before installation of the software, please visit the software manufacturer web-site for more details.

Upgrade to Mozilla Firefox version 3.5.6 or 3.0.16 :
http://www.mozilla.com/firefox/

Upgrade to Mozilla SeaMonkey version 2.0.1 :
http://www.mozilla.org/projects/seamonkey/

Mozilla Thunderbird versions 3.x
There is no patch available for this vulnerability currently.


Vulnerability Identifier


Source


Related Link