Notices
NSC-060602: Mozilla Multiple Vulnerabilities
National Cyber Alert System
Technical Cyber Security Alert TA06-153A
Original release date: June 2, 2006
Last revised: --
Source: US-CERT
Systems Affected
* Mozilla SeaMonkey
* Firefox web browser
* Thunderbird email client
Any products based on Mozilla components, particularly Gecko, may also
be affected.
Overview
The Mozilla web browser and derived products contain several
vulnerabilities, the most serious of which could allow a remote
attacker to execute arbitrary code on an affected system.
I. Description
Several vulnerabilities have been reported in the Mozilla web browser
and derived products. More detailed information is available in the
individual vulnerability notes, including:
VU#237257 - Mozilla privilege escalation using addSelectionListener
A privilege escalation vulnerability exists in the Mozilla
addSelectionListener method. This may allow a remote attacker to
execute arbitrary code.
VU#421529 - Mozilla contains a buffer overflow vulnerability in
crypto.signText()
Mozilla products contain a buffer overflow in the crypto.signText()
method. This may allow a remote attacker to execute arbitrary code.
VU#575969 - Mozilla may process content-defined setters on object
prototypes with elevated privileges
Mozilla allows content-defined setters on object prototypes to execute
with elevated privileges. This may allow a remote attacker to execute
arbitrary code.
VU#243153 - Mozilla may associate persisted XUL attributes with an
incorrect URL
Mozilla can allow persisted XUL attributes to associate with the wrong
URL. This may allow a remote attacker to execute arbitrary code.
VU#466673 - Mozilla contains multiple memory corruption
vulnerabilities
Mozilla contains several memory corruption vulnerabilities. This may
allow a remote attacker to execute arbitrary code.
II. Impact
The most severe impact of these vulnerabilities could allow a remote
attacker to execute arbitrary code with the privileges of the user
running the affected application. Other effects include a denial of
service or local information disclosure.
III. Solution
Upgrade
Upgrade to Mozilla Firefox 1.5.0.4, Mozilla Thunderbird 1.5.0.4, or
SeaMonkey 1.0.2.
Disable JavaScript
These vulnerabilities can be mitigated by disabling JavaScript.
Appendix A. References
* US-CERT Vulnerability Note VU#237257 -
<http://www.kb.cert.org/vuls/id/237257>
* US-CERT Vulnerability Note VU#421529 -
<http://www.kb.cert.org/vuls/id/421529>
* US-CERT Vulnerability Note VU#575969 -
<http://www.kb.cert.org/vuls/id/575969>
* US-CERT Vulnerability Note VU#243153 -
<http://www.kb.cert.org/vuls/id/243153>
* US-CERT Vulnerability Note VU#466673 -
<http://www.kb.cert.org/vuls/id/466673>
* Mozilla Foundation Security Advisories -
<http://www.mozilla.org/security/announce/>
* US-CERT Vulnerability Notes Related to June Mozilla Security
Advisories -
<http://www.kb.cert.org/vuls/byid?searchview&query=firefox_1504>
* Mozilla Foundation Security Advisories -
<http://www.mozilla.org/projects/security/known-vulnerabilities.html>
* Firefox - Rediscover the Web - <http://www.mozilla.com/firefox/>
* Thunderbird - Reclaim your inbox -
<http://www.mozilla.com/thunderbird/>
* The SeaMonkey Project -
<http://www.mozilla.org/projects/seamonkey/>
* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/browser_security.html#Mozilla_Firefox>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA06-153A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-153A Feedback VU#237257" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
Jun 2, 2006: Initial release