Secunia Logo
 Vulnerability IntelligenceVulnerability ScanningBlog - new entry!Corporate InformationOnline ShopCustomer Login  
 Secunia AdvisoriesSecunia ResearchBinary Analysis  
Home > Vulnerability Intelligence > Secunia Advisories > Mozilla / Firefox / Thunderbird Multiple Vulnerabilities
Secunia Advisories
Advisories
Search
Advisories by Product
Advisories by Vendor
Historic Advisories
Mailing Lists & RSS
Report Vulnerability
Contact Form
Business Solutions Restricted
Partner Solutions Restricted
About
 
Mozilla / Firefox / Thunderbird Multiple Vulnerabilities
Secunia Advisory: SA14407
Advisory Toolbox:
Issue ticket
Save in to-do list
Mark as handled
Exploit information
Download as PDF
Review actions
Add comment
Release Date: 2005-03-01
Last Update: 2006-05-04
Popularity: 33,506 views

Critical:
Moderately critical
Impact: Spoofing
Manipulation of data
Exposure of system information
Exposure of sensitive information
Privilege escalation
System access
Where: From remote
Solution Status: Vendor Patch

Software:Mozilla 0.x
Mozilla 1.0
Mozilla 1.1
Mozilla 1.2
Mozilla 1.3
Mozilla 1.4
Mozilla 1.5
Mozilla 1.6
Mozilla 1.7.x
Mozilla Firefox 0.x
Mozilla Firefox 1.x
Mozilla Thunderbird 0.x
Mozilla Thunderbird 1.0.x
Subscribe: Instant alerts on relevant vulnerabilities

CVE reference:CVE-2005-0255
CVE-2005-0578
CVE-2005-0584
CVE-2005-0587
CVE-2005-0588
CVE-2005-0589
CVE-2005-0590
CVE-2005-0592
CVE-2005-0593
Description:
Details have been released about several vulnerabilities in Firefox, Mozilla and Thunderbird. These can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges and by malicious people to conduct spoofing attacks, disclose and manipulate sensitive information, and potentially compromise a user's system.

1) The vulnerability is caused due to the temporary plugin directory being created insecurely. This can be exploited via symlink attacks to delete arbitrary directories with the privileges of the user running Mozilla or Firefox.

2) The problem is that an inactive tab can launch an HTTP authentication prompt, which appears to be displayed by a website in another tab. This may be exploited to trick a user into entering some sensitive information (e.g. user credentials).

This is similar to:
SA12712

3) An error in the handling of shortcut files (.lnk) can be exploited to overwrite arbitrary files by tricking a user into downloading a shortcut file twice.

4) The problem is that a XML document can include XSLT stylesheets from arbitrary sites, which may be exploited to disclose some sensitive information.

5) An error in the form fill feature (autocomplete) allows reading suggested values before they are chosen. This can be exploited to disclose some potentially sensitive input by tricking a user into arrowing through some autocompleted values.

6) A memory handling error in Mozilla string classes may allow overwriting of memory if the browser runs out of memory during string growth. This can potentially be exploited to execute arbitrary code.

7) The problem is that the hostname can be obfuscated in the installation confirmation dialog by including an overly long username and password. This can be exploited to trick users into accepting installations from untrusted sources.

Successful exploitation requires that the malicious website is allowed to request installations.

8) It is possible to cause a heap overflow due to an error when converting malformed UTF8 character sequences to Unicode. This may be exploited to cause a heap overflow and execute arbitrary code, however, general web content is not converted using the vulnerable code.

9) Various errors make it possible to show the "secure site" lock icon with certificate information belonging to a different site.

Solution:
Firefox:
Update to version 1.0.1.
http://www.mozilla.org/products/firefox/

Mozilla:
Update to version 1.7.6.
http://www.mozilla.org/products/mozilla1.x/

Thunderbird:
Update to version 1.0.2.
http://www.mozilla.org/products/thunderbird/

Provided and/or discovered by:
1) Tavis Ormandy
2) Christian Schmidt
3) Masayuki Nakano
4) Georgi Guninski
5) Matt Brubeck
6) Independently discovered by:
* Daniel de Wildt
* Gaël Delalleau
7) Phil Ringnalda
8) wind li
9) Mook, Doug Turner, Kohei Yoshino, M. Deaudelin

Changelog:
2005-03-02: Added CVE references.
2005-03-22: Mozilla 1.7.6 and Thunderbird 1.0.2 released. Updated "Solution" section.
2006-05-04: Updated affected software.

Original Advisory:
1) http://www.mozilla.org/security/announce/mfsa2005-28.html
2) http://www.mozilla.org/security/announce/mfsa2005-24.html
3) http://www.mozilla.org/security/announce/mfsa2005-21.html
4) http://www.mozilla.org/security/announce/mfsa2005-20.html
5) http://www.mozilla.org/security/announce/mfsa2005-19.html
6) http://www.mozilla.org/security/announce/mfsa2005-18.html
6) http://www.idefense.com/application/poi/display?id=200&type=vulnerabilities
7) http://www.mozilla.org/security/announce/mfsa2005-17.html
8) http://www.mozilla.org/security/announce/mfsa2005-15.html
9) http://www.mozilla.org/security/announce/mfsa2005-14.html

Other References:
SA12712:
http://secunia.com/advisories/12712/

Track this Secunia Advisory
Customers of the Secunia Vulnerability Intelligence solutions will automatically receive updates when new information regarding this advisory is released.

Read more about our Vulnerability Intelligence solutions and what they can do for you and your company.

About this Secunia Advisory
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.

Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
  
Latest Advisories

Today
New advisories: 6
New vulnerabilities: 7
Updated advisories: 9

Highly // 42 views
BitDefender Antivirus PDF Processing Memory Corruption Vulnerability
Moderately // 66 views
xt:Commerce SQL Injection Vulnerability
Less // 64 views
Softbiz Classifieds Script "msg" Cross-Site Scripting Vulnerability
Not // 82 views
Checkpoint VPN-1 Information Disclosure Vulnerability
Moderately // 122 views
Avaya CMS Solaris "sadmind" Buffer Overflow Vulnerability
Moderately // 127 views
EMC Control Center SAN Manager Multiple Vulnerabilities

20th Nov, 2008
New advisories: 24
New vulnerabilities: 48
Updated advisories: 33

Highly // 382 views
Alex Multiple Products File Upload Vulnerability
Moderately // 367 views
ClipShare "chid" SQL Injection Vulnerability
Moderately // 359 views
MauryCMS "c" SQL Injection Vulnerability
Less // 394 views
MyTopix "send" SQL Injection Vulnerability

Solutions | More...  

Send Feedback to Secunia
If you have new information regarding this Secunia advisory or a product in our database, please send it to us using either our web form or email us at vuln@secunia.com.

Ideas, suggestions, and other feedback are most welcome.

Most Popular - 3 Hours

1. EMC Control Center SAN Manager Multiple Vulnerabilities // 107 views
2. Avaya CMS Solaris "sadmind" Buffer Overflow Vulnerability // 105 views
3. Checkpoint VPN-1 Information Disclosure Vulnerability // 49 views
4. Softbiz Classifieds Script "msg" Cross-Site Scripting Vulnerability // 43 views
5. xt:Commerce SQL Injection Vulnerability // 43 views
6. Symantec Backup Exec for Windows Servers Multiple Vulnerabilities // 43 views
7. HP OpenView Network Node Manager Cross-Site Scripting Vulnerabilities // 35 views
8. imlib2 XPM Processing Buffer Overflow Vulnerability // 33 views
9. Alex Multiple Products File Upload Vulnerability // 33 views
10. MailScanner "trend-autoupdate" Insecure Temporary Files // 32 views



Contact | Terms & Conditions and Copyright | Report Vulnerability | Press | Jobs | About Secunia
Copyright Secunia 2002-2008