Skip to main content

Mozilla Products Remote Code Execution Vulnerabilities

Last Update Date: 28 Jan 2011 Release Date: 3 Jul 2008 5247 Views

RISK: Medium Risk

Multiple vulnerabilities have been identified in Mozilla Firefox, Thunderbird and SeaMonkey, which could be exploited by attackers to bypass security restrictions, disclose sensitive information, cause a denial of service or take complete control of an affected system.

1. Due to memory corruption errors in the browser and JavaScript engines when parsing malformed data, which could be exploited by attackers to crash a vulnerable application or execute arbitrary code.

2. Due to a same-origin validation error when processing certain JavaScript data, which could be exploited to conduct cross site scripting attacks.

3. Due to an error when handling signed JARs, which could be exploited to inject arbitrary JavaScript code.

4. Due to an error when handling fastload files, which could be exploited to load Chrome script.

5. Due to an error related to "mozIJSSubScriptLoader.loadSubScript()", which could be exploited to execute arbitrary code.

6. Due to an error when handling originalTarget events and DOM Range, which could be exploited to upload arbitrary files.

7. Due to an error within Java LiveConnect on Mac OS X, which could be exploited to create arbitrary socket connections.

8. Due to an uninitialized memory access when handling a malformed ".properties" file.

9. Due to an input validation error when processing file location URLs in directory listings.

10. Due to an error when handling "alt names" used by peer-trusted certs, which could be exploited to conduct spoofing attacks.

11. Due to an error when handling Windows URL shortcuts, which could be exploited to run a remote site as a local file.

12. Due to a memory corruption error in the block reflow, which could be exploited to crash an affected browser or execute arbitrary code.


Impact

  • Denial of Service
  • Remote Code Execution
  • Security Restriction Bypass
  • Information Disclosure

System / Technologies affected

  • Mozilla Firefox versions prior to 2.0.0.15
  • Mozilla Thunderbird versions prior to 2.0.0.15
  • Mozilla SeaMonkey versions prior to 1.1.11

Solutions

Before installation of the software, please visit the software manufacturer web-site for more details.


Vulnerability Identifier


Source


Related Link