Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FW: [SA26288] Mozilla Products Addon Chrome-Loaded "about:blank" Cross-Context Scripting



>
> TITLE:
> Mozilla Products Addon Chrome-Loaded "about:blank" Cross-Context
> Scripting
>
> SECUNIA ADVISORY ID:
> SA26288
>
> VERIFY ADVISORY:
> http://secunia.com/advisories/26288/
>
> CRITICAL:
> Moderately critical
>
> IMPACT:
> Cross Site Scripting, System access
>
> WHERE:
> From remote
>
> REVISION:
> 1.1 originally posted 2007-07-31
>
> SOFTWARE:
> Mozilla Firefox 2.0.x
> http://secunia.com/product/12434/
> Mozilla SeaMonkey 1.1.x
> http://secunia.com/product/14383/
> Mozilla Thunderbird 2.x
> http://secunia.com/product/14070/
>
> DESCRIPTION:
> A vulnerability has been reported in Mozilla products, which
> potentially can be exploited by malicious people to compromise a
> user's system.
>
> The vulnerability is caused due to an error within the handling of
> "about:blank" pages loaded by chrome in an addon. This can be
> exploited to execute script code under chrome privileges by e.g.
> clicking on a link opened in an "about:blank" window created and
> populated in certain ways by an addon.
>
> Successful exploitation requires that certain addons are installed.
>
> The vulnerability is reported in the following products and
> versions:
> * Firefox 2.0.0.5
> * Thunderbird 2.0.0.5
> * SeaMonkey 1.1.3
>
> SOLUTION:
> Update to the latest versions:
>
> Firefox:
> Update to version 2.0.0.6.
> http://www.mozilla.com/en-US/firefox/
>
> Thunderbird:
> Fixed in the upcoming version 2.0.0.6.
> http://www.mozilla.com/en-US/thunderbird/
>
> SeaMonkey:
> Fixed in the upcoming version 1.1.4.
> http://www.mozilla.org/projects/seamonkey/
>
> NOTE: With version 2.0.0.6, changes that prevent exploitation of a
> URI handling vulnerability in Microsoft Windows were applied to
> Firefox and Thunderbird.
>
> For more information:
> SA26201
>
> PROVIDED AND/OR DISCOVERED BY:
> moz_bug_r_a4
>
> CHANGELOG:
> 2007-07-31: Updated "Description". Added link to vendor advisory.
>
> ORIGINAL ADVISORY:
> http://www.mozilla.org/security/announce/2007/mfsa2007-26.html
> http://www.mozilla.org/security/announce/2007/mfsa2007-27.html
> https://bugzilla.mozilla.org/show_bug.cgi?id=388121
>
> OTHER REFERENCES:
> SA26201:
> http://secunia.com/advisories/26201/
>



 



