Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FW: [SA19873] Mozilla Firefox Multiple Vulnerabilities



> 
> TITLE:
> Mozilla Firefox Multiple Vulnerabilities
> 
> SECUNIA ADVISORY ID:
> SA19873
> 
> VERIFY ADVISORY:
> http://secunia.com/advisories/19873/
> 
> CRITICAL:
> Highly critical
> 
> IMPACT:
> Cross Site Scripting, DoS, System access
> 
> WHERE:
> From remote
> 
> SOFTWARE:
> Mozilla Firefox 1.x
> http://secunia.com/product/4227/
> Mozilla Firefox 0.x
> http://secunia.com/product/3256/
> 
> DESCRIPTION:
> Multiple vulnerabilities have been reported in Mozilla Firefox, which
> can be exploited by malicious people to conduct cross-site scripting
> attacks or compromise a user's system.
> 
> 1) An error within the handling of JavaScript references to frames
> and windows may in certain circumstances result in the reference not
> being properly cleared and allows execution of arbitrary code.
> 
> The vulnerability only affects the 1.5 branch.
> 
> 2) An error within the handling of Java references to properties of
> the window.navigator object allows execution of arbitrary code if a
> web page replaces the navigator object before starting Java.
> 
> The vulnerability only affects the 1.5 branch.
> 
> 3) A memory corruption error within the handling of simultaneously
> happening XPCOM events results in the use of a deleted timer object
> and allows execution of arbitrary code.
> 
> The vulnerability only affects the 1.5 branch.
> 
> 4) Insufficient access checks on standard DOM methods of the
> top-level document object (e.g. "document.getElementById()") can be
> exploited by a malicious web site to execute arbitrary script code in
> the context of another site.
> 
> The vulnerability only affects the 1.5 branch.
> 
> 5) A race condition where JavaScript garbage collection deletes a
> temporary variable still being used in the creation of a new Function
> object may allow execution of arbitrary code.
> 
> The vulnerability only affects the 1.5 branch.
> 
> 6) Various errors in the JavaScript engine during garbage collection
> where used pointers are deleted and integer overflows when handling
> long strings e.g. passed to the "toSource()" methods of the Object,
> Array, and String objects may allow execution of arbitrary code.
> 
> 7) Named JavaScript functions have a parent object created using the
> standard "Object()" constructor, which can be redefined by script.
> This can be exploited to run script code with elevated privileges if
> the "Object()" constructor returns a reference to a privileged
> object.
> 
> 8) An error within the handling of PAC script can be exploited by a
> malicious Proxy AutoConfig (PAC) server to execute script code with
> escalated privileges by setting the FindProxyForURL function to the
> eval method on a privileged object that has leaked into the PAC
> sandbox.
> 
> 9) An error within the handling of scripts granted the
> "UniversalBrowserRead" privilege can be exploited to execute script
> code with escalated privileges equivalent to "UniversalXPConnect".
> 
> 10) An error can be exploited to execute arbitrary script code in
> context of another site by using the
> "XPCNativeWrapper(window).Function(...)" construct, which creates a
> function that appears to belong to another site.
> 
> The vulnerability only affects the 1.5 branch.
> 
> 11) A memory corruption error when calling
> "nsListControlFrame::FireMenuItemActiveEvent()", some potential
> string class buffer overflows, a memory corruption error when
> anonymous box selectors are outside of UA stylesheets, references to
> removed nodes, errors involving table row and column groups, and an
> error in "crypto.generateCRMFRequest" callback may potentially be
> exploited to execute arbitrary code.
> 
> 12) An error within the handling of "chrome:" URIs can be exploited
> to reference remote files that can run scripts with full privileges.
> 
> SOLUTION:
> Update to version 1.5.0.5.
> http://www.mozilla.com/firefox/
> 
> PROVIDED AND/OR DISCOVERED BY:
> 1) Thilo Girmann
> 2) Discovered by an anonymous person and reported via ZDI.
> 3) Carsten Eiram, Secunia Research.
> 4) Thor Larholm
> 5) H. D. Moore
> 6) Igor Bukanov, shutdown, and Georgi Guninski.
> 7) moz_bug_r_a4
> 8) moz_bug_r_a4
> 9) shutdown
> 10) shutdown
> 11) Mozilla Developers
> 12) Benjamin Smedberg, Mozilla.
> 
> ORIGINAL ADVISORY:
> Mozilla.org:
> http://www.mozilla.org/security/announce/2006/mfsa2006-44.html
> http://www.mozilla.org/security/announce/2006/mfsa2006-45.html
> http://www.mozilla.org/security/announce/2006/mfsa2006-46.html
> http://www.mozilla.org/security/announce/2006/mfsa2006-47.html
> http://www.mozilla.org/security/announce/2006/mfsa2006-48.html
> http://www.mozilla.org/security/announce/2006/mfsa2006-50.html
> http://www.mozilla.org/security/announce/2006/mfsa2006-51.html
> http://www.mozilla.org/security/announce/2006/mfsa2006-52.html
> http://www.mozilla.org/security/announce/2006/mfsa2006-53.html
> http://www.mozilla.org/security/announce/2006/mfsa2006-54.html
> http://www.mozilla.org/security/announce/2006/mfsa2006-55.html
> http://www.mozilla.org/security/announce/2006/mfsa2006-56.html
> 
> Secunia Research:
> http://secunia.com/secunia_research/2006-53/
> 
> ZDI:
> http://www.zerodayinitiative.com/advisories/ZDI-06-025.html
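
For triage of the advisory quoted above, the following added example (not part of the original message or of Secunia's tooling) parses the `>`-quoted section layout, reads the per-item "only affects the 1.5 branch" notes, and reports which numbered items apply to an installed version. It assumes an item without a branch note is not branch-limited and that versions are dotted integers; the function names and the abridged sample text are constructed for illustration.

```python
import re

# Constructed sample: abridged from the quoted advisory (items 1, 6, 7 only).
SAMPLE = """\
> DESCRIPTION:
> 1) An error within the handling of JavaScript references to frames.
>
> The vulnerability only affects the 1.5 branch.
>
> 6) Various errors in the JavaScript engine during garbage collection.
>
> 7) Named JavaScript functions have a parent object created by "Object()".
>
> SOLUTION:
> Update to version 1.5.0.5.
"""

def parse_sections(text):
    """Split a '>'-quoted advisory into {HEADER: [non-empty body lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = re.sub(r"^>\s?", "", raw).rstrip()
        if re.fullmatch(r"[A-Z][A-Z /]+:", line):   # e.g. "SOLUTION:"
            current = line[:-1]
        elif current and line:
            sections.setdefault(current, []).append(line)
    return sections

def branch_limits(description):
    """Map item number -> branch it is limited to (None: no limit stated)."""
    limits, last = {}, None
    for line in description:
        item = re.match(r"(\d+)\) ", line)
        if item:
            last = int(item.group(1))
            limits[last] = None
        note = re.search(r"only affects the (\S+) branch", line)
        if note and last is not None:
            limits[last] = note.group(1)
    return limits

def triage(text, installed):
    """Return (applicable item numbers, True if installed predates the fix)."""
    sec = parse_sections(text)
    fixed = re.search(r"version ([\d.]*\d)", " ".join(sec["SOLUTION"])).group(1)
    as_tuple = lambda v: tuple(int(p) for p in v.split("."))
    outdated = as_tuple(installed) < as_tuple(fixed)
    hits = [n for n, b in branch_limits(sec["DESCRIPTION"]).items()
            if b is None or installed.startswith(b + ".")]   # assumption: no note = all branches
    return (sorted(hits) if outdated else []), outdated
```
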




 



