Firefox Multiple Vulnerabilities

Secunia Advisory: SA19631
Release Date: 2006-04-14
Last Update: 2006-06-07
Popularity: 80,847 views
Critical: Highly critical
Impact: Security Bypass, Cross Site Scripting, Spoofing, Exposure of sensitive information, DoS, System access
Where: From remote
Solution Status: Vendor Patch
Software: Mozilla Firefox 0.x, Mozilla Firefox 1.x
CVE reference: CVE-2006-0748, CVE-2006-0749, CVE-2006-1529, CVE-2006-1530, CVE-2006-1531, CVE-2006-1723, CVE-2006-1724, CVE-2006-1725, CVE-2006-1726, CVE-2006-1727, CVE-2006-1728, CVE-2006-1729, CVE-2006-1730, CVE-2006-1731, CVE-2006-1732, CVE-2006-1733, CVE-2006-1734, CVE-2006-1735, CVE-2006-1736, CVE-2006-1737, CVE-2006-1738, CVE-2006-1739, CVE-2006-1740, CVE-2006-1741, CVE-2006-1742, CVE-2006-1790, CVE-2006-2782

Description: Multiple vulnerabilities have been reported in Firefox, which can be exploited by malicious people to conduct cross-site scripting and phishing attacks, bypass certain security restrictions, disclose sensitive information, and potentially compromise a user's system.
1) An error exists where JavaScript can be injected into another page that is currently loading. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an arbitrary site.
2) An error in the garbage collection in the JavaScript engine can be exploited to cause memory corruption.
Successful exploitation may allow execution of arbitrary code.
3) A boundary error in the CSS border rendering implementation may be exploited to write past the end of an array.
4) An integer overflow in the handling of overly long regular expressions in JavaScript may be exploited to execute arbitrary JavaScript bytecode.
5) Two errors in the handling of "-moz-grid" and "-moz-grid-group" display styles may be exploited to execute arbitrary code.
6) An error in the "InstallTrigger.install()" method can be exploited to cause memory corruption.
7) An unspecified error can be exploited to spoof the secure lock icon and the address bar by changing the location of a pop-up window in certain situations.
Successful exploitation requires that the "Entering secure site" dialog has been enabled (not enabled by default).
8) It is possible to trick users into downloading malicious files via the "Save image as..." menu option.
9) A JavaScript function created via an "eval()" call associated with a method of an XBL binding may be compiled with incorrect privileges. This can be exploited to execute arbitrary code.
10) An error where the "Object.watch()" method exposes the internal "clone parent" function object can be exploited to execute arbitrary JavaScript code with escalated privileges.
Successful exploitation allows execution of arbitrary code.
11) An error in the protection of the compilation scope of built-in privileged XBL bindings can be exploited to execute arbitrary JavaScript code with escalated privileges.
Successful exploitation allows execution of arbitrary code.
12) An unspecified error can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an arbitrary site via the window.controllers array.
13) An error in the processing of a certain sequence of HTML tags in "nsHTMLContentSink.cpp" can be exploited to cause memory corruption.
Successful exploitation allows execution of arbitrary code.
14) An error in the "valueOf.call()" and "valueOf.apply()" methods can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an arbitrary site.
15) Some errors in the DHTML implementation can be exploited to cause memory corruption.
Successful exploitation may allow execution of arbitrary code.
16) An integer overflow error in the processing of the CSS letter-spacing property can be exploited to cause a heap-based buffer overflow.
Successful exploitation allows execution of arbitrary code.
17) An error in the handling of file upload controls can be exploited to upload arbitrary files from a user's system, e.g. by dynamically changing a text input box to a file upload control.
NOTE: This was originally fixed in versions 1.0.8 and 1.5.0.2. However, it is reportedly possible to bypass the added security check via an unspecified variant.
18) An unspecified error in the "crypto.generateCRMFRequest()" method can be exploited to execute arbitrary code.
19) An error in the handling of scripts in XBL controls can be exploited to gain chrome privileges via the "Print Preview" functionality.
20) An error in a security check in the "js_ValueToFunctionObject()" method can be exploited to execute arbitrary code via "setTimeout()" and "ForEach".
21) An error in the interaction between XUL content windows and the history mechanism can be exploited to trick users into interacting with a browser user interface which is not visible.
Successful exploitation may allow execution of arbitrary code.
22) An error in the processing of malformed tables in "RebuildConsideringRows()" can be exploited to cause memory corruption.
Successful exploitation allows execution of arbitrary code.
Solution: Update to versions 1.0.8 or 1.5.0.2.
http://www.mozilla.com/firefox/
17) Update to version 1.5.0.4.
http://www.mozilla.com/firefox/
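
The fix versions above span two release branches, so a single numeric comparison misclassifies hosts: 1.5.0.1 sorts above 1.0.8 but is still unpatched. The following branch-aware triage check is an added example, not part of the Secunia advisory; the function names, result keys, and the cut-off for branches newer than 1.5 are assumptions.

```python
# Added example: fix versions come from the advisory's "Solution" section.
# Branch (major, minor) -> first release in that branch carrying the fix.
FIXED_ORIGINAL = {(1, 0): (1, 0, 8, 0), (1, 5): (1, 5, 0, 2)}
# Issue 17 variant: the advisory lists a fix for the 1.5 branch only.
FIXED_17_VARIANT = {(1, 5): (1, 5, 0, 4)}
LAST_COVERED_BRANCH = (1, 5)  # assumption: later branches are outside SA19631


def parse_version(text):
    """Parse a dotted numeric version ('1.5.0.1') into a 4-part tuple."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def _missing(version, fixes):
    """True if the branch has no listed fix or the version predates it."""
    fix = fixes.get(version[:2])
    return fix is None or version < fix


def triage(version_text):
    """Return which SA19631 fixes an installed Firefox version lacks.

    Returns None for branches newer than those the advisory covers.
    """
    version = parse_version(version_text)
    if version[:2] > LAST_COVERED_BRANCH:
        return None
    original = _missing(version, FIXED_ORIGINAL)
    variant = _missing(version, FIXED_17_VARIANT)
    return {
        "original_issues": original,
        "issue_17_variant": variant,
        "upgrade_to": "1.5.0.4" if (original or variant) else None,
    }


if __name__ == "__main__":
    # Constructed inventory of installed versions, for illustration only.
    for installed in ["0.9.3", "1.0.7", "1.0.8", "1.5.0.1", "1.5.0.2", "1.5.0.4"]:
        print(installed, triage(installed))
```

Because the advisory names no 1.0.x release that addresses the issue 17 variant, 1.0.8 is reported as still lacking that fix and is pointed at 1.5.0.4.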
Provided and/or discovered by: 1, 9, 10, 12, 18, 20) shutdown
2) Igor Bukanov
3) Bernd Mielke
4) Alden D'Souza
5) Martijn Wargers
6) Bob Clary
7) Tristor
8) Michael Krax
11, 14, 21) moz_bug_r_a4
13, 16, 22) Discovered by anonymous and reported via TippingPoint and the Zero Day Initiative.
17) Claus Jørgensen and Jesse Ruderman
Additional information provided by Chuck McAuley.
19) Georgi Guninski
Changelog: 2006-04-17: Added information provided by TippingPoint and the Zero Day Initiative.
2006-04-18: Added links to US-CERT vulnerability notes.
2006-04-19: Added CVE reference.
2006-04-24: Vendor releases information about additional vulnerability. Added vulnerability #22 and CVE reference.
2006-04-26: Added information provided by TippingPoint and the Zero Day Initiative.
2006-06-02: New version released. Added information that the security check added for #17 can be bypassed. Updated "Description" and "Solution" sections.
2006-06-07: Added CVE reference.
Original Advisory: Mozilla:
http://www.mozilla.org/security/announce/2006/mfsa2006-09.html
http://www.mozilla.org/security/announce/2006/mfsa2006-10.html
http://www.mozilla.org/security/announce/2006/mfsa2006-11.html
http://www.mozilla.org/security/announce/2006/mfsa2006-12.html
http://www.mozilla.org/security/announce/2006/mfsa2006-13.html
http://www.mozilla.org/security/announce/2006/mfsa2006-14.html
http://www.mozilla.org/security/announce/2006/mfsa2006-15.html
http://www.mozilla.org/security/announce/2006/mfsa2006-16.html
http://www.mozilla.org/security/announce/2006/mfsa2006-17.html
http://www.mozilla.org/security/announce/2006/mfsa2006-18.html
http://www.mozilla.org/security/announce/2006/mfsa2006-19.html
http://www.mozilla.org/security/announce/2006/mfsa2006-20.html
http://www.mozilla.org/security/announce/2006/mfsa2006-22.html
http://www.mozilla.org/security/announce/2006/mfsa2006-23.html
http://www.mozilla.org/security/announce/2006/mfsa2006-24.html
http://www.mozilla.org/security/announce/2006/mfsa2006-25.html
http://www.mozilla.org/security/announce/2006/mfsa2006-27.html
http://www.mozilla.org/security/announce/2006/mfsa2006-28.html
http://www.mozilla.org/security/announce/2006/mfsa2006-29.html
http://www.mozilla.org/security/announce/2006/mfsa2006-41.html
TippingPoint and the Zero Day Initiative:
http://www.zerodayinitiative.com/advisories/ZDI-06-009.html
http://www.zerodayinitiative.com/advisories/ZDI-06-010.html
http://www.zerodayinitiative.com/advisories/ZDI-06-011.html
Other References: US-CERT VU#179014:
http://www.kb.cert.org/vuls/id/179014
US-CERT VU#252324:
http://www.kb.cert.org/vuls/id/252324
US-CERT VU#329500:
http://www.kb.cert.org/vuls/id/329500
US-CERT VU#350262:
http://www.kb.cert.org/vuls/id/350262
US-CERT VU#488774:
http://www.kb.cert.org/vuls/id/488774
US-CERT VU#492382:
http://www.kb.cert.org/vuls/id/492382
US-CERT VU#736934:
http://www.kb.cert.org/vuls/id/736934
US-CERT VU#813230:
http://www.kb.cert.org/vuls/id/813230
US-CERT VU#842094:
http://www.kb.cert.org/vuls/id/842094
US-CERT VU#932734:
http://www.kb.cert.org/vuls/id/932734
US-CERT VU#935556:
http://www.kb.cert.org/vuls/id/935556
US-CERT VU#968814:
http://www.kb.cert.org/vuls/id/968814