Secunia

Community Login

Customer Login

Partner Login

Overview

Advisories

Research

Forums

Create Profile

Our Commitment

Database

Advisories by Product

Advisories by Vendor

Terminology

Report Vulnerability

Insecure Library Loading

Secunia Advisory SA10856

Mozilla Multiple Vulnerabilities

Secunia Advisory

SA10856

Release Date

2004-08-04

Last Update

2004-08-23

Popularity

24,781 views

Comments

0 comments

Criticality level

Moderately critical

Impact

Spoofing
Exposure of sensitive information
DoS
System access

Where

From remote

Authentication level

Available in Customer Area

Report reliability

Available in Customer Area

Solution Status

Vendor Patch

Systems affected

Available in Customer Area

Approve distribution

Available in Customer Area

Remediation status

Secunia CSI, Secunia PSI

Automated scanning

Secunia CSI, Secunia PSI

Software:

Mozilla Thunderbird 0.x

Secunia CVSS Score

Available in Customer Area

CVE Reference(s)

Description

The vendor has released details about some older vulnerabilities in Mozilla, Mozilla Firefox, and Thunderbird. These can potentially be exploited by malicious people to conduct spoofing attacks, compromise a vulnerable system, or cause a DoS (Denial of Service).

1) Malicious POP3 mail servers can cause an heap overflow in Mozilla and obtain system access.

2) A malicious page can appear to be encrypted and present the certificate of another site.

3) Mozilla doesn't verify if stored credentials should be used for a HTTPS or HTTP connection. This can potentially lead to the password being sent over an unencrypted HTTP connection.

4) Certificate name matching is done insecurely for non-FQDNs (Fully Qualified Domain Name), which may be used for spoofing attacks.

5) Malicious websites can interfere with the operations in other windows and cause a DoS. However, it is not possible to alter or read any data.

6) Users can be tricked into dragging text into obscured file upload controls, resulting in theft of a local file from a known location.

7) The PNG library (libpng) contains an out-of-bounds read vulnerability, which can be exploited by malicious people to cause a DoS.

Some other older issues were also reported.

These vulnerabilities reportedly affect versions prior to the following:
* Mozilla 1.7
* Firefox 0.9
* Thunderbird 0.7

NOTE: These issues have all been fixed by the vendor. However, the details have not been disclosed earlier.

Solution
The vulnerabilities have reportedly been fixed in:
Further details available in Customer Area

Provided and/or discovered by
1) zen-parse
2) Tolga Tarhan
3) Christopher Nebergall
4) Tim Dierks
5) Jesse Ruderman
6) Jesse Ruderman
7) Glenn Randers-Pehrson

Changelog
Further details available in Customer Area

Original Advisory
1) http://bugzilla.mozilla.org/show_bug.cgi?id=229374
2) http://bugzilla.mozilla.org/show_bug.cgi?id=240053
3) http://bugzilla.mozilla.org/show_bug.cgi?id=226278
4) http://bugzilla.mozilla.org/show_bug.cgi?id=234058
5) http://bugzilla.mozilla.org/show_bug.cgi?id=86028
6) http://bugzilla.mozilla.org/show_bug.cgi?id=206859
7) http://bugzilla.mozilla.org/show_bug.cgi?id=242915

Other references
Further details available in Customer Area

Deep Links
Links available in Customer Area

Do you have additional information related to this advisory?

Please provide information about patches, mitigating factors, new versions, exploits, faulty patches, links, and other relevant data by posting comments to this Advisory. You can also send this information to vuln@secunia.com

Subject: Mozilla Multiple Vulnerabilities

No posts yet

Secunia

Secunia Advisory SA10856

Mozilla Multiple Vulnerabilities

Do you have additional information related to this advisory?

You must be logged in to post a comment.

Secunia Customer Login

Not a customer already?