US-CERT Technical Cyber Security Alert TA06-038A -- Multiple Vulnerabilities in Mozilla Products

08/02/06, US-CERT Technical Cyber Security Alert TA06-038A -- Multiple Vulnerabilities in Mozilla Products
From: CERT Advisory <cert-advisory@cert.org>

Generated by MHonArc

CSIM Logo WelcomeCourses
Faculty, Student, Staff
Projects and reports
Conferences, workshop and seminars
Laboratories and reasearch facilities
Information related to CSIM
Information non-related to CSIM
Address, map, phone, etc.
Search

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]


To: cert-advisory@cert.org
Subject: US-CERT Technical Cyber Security Alert TA06-038A -- Multiple Vulnerabilities in Mozilla Products
From: CERT Advisory <cert-advisory@cert.org>
Date: Tue, 7 Feb 2006 13:48:55 -0500
List-archive: <http://www.cert.org/>
List-help: <http://www.cert.org/>, <mailto:Majordomo@cert.org?body=help>
List-owner: <mailto:cert-advisory-owner@cert.org>
List-post: NO (posting not allowed on this list)
List-unsubscribe: <mailto:Majordomo@cert.org?body=unsubscribe%20cert-advisory>
Organization: CERT(R) Coordination Center - +1 412-268-7090

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



                        National Cyber Alert System

                 Technical Cyber Security Alert TA06-038A


Multiple Vulnerabilities in Mozilla Products

   Original release date: February 7, 2006
   Last revised: --
   Source: US-CERT


Systems Affected

   Mozilla software, including the following, is affected:
     * Mozilla web browser, email and newsgroup client
     * Mozilla SeaMonkey
     * Firefox web browser
     * Thunderbird email client


Overview

   Several vulnerabilities exist in the Mozilla web browser and derived
   products, the most serious of which could allow a remote attacker to
   execute arbitrary code on an affected system.


I. Description

   Several vulnerabilities have been reported in the Mozilla web browser
   and derived products. More detailed information is available in the
   individual vulnerability notes, including:


   VU#592425 - Mozilla-based products fail to validate user input to the
   attribute name in "XULDocument.persist"

   A vulnerability in some Mozilla products that could allow a remote
   attacker to execute Javascript commands with the permissions of the
   user running the affected application.
   (CVE-2006-0296)


   VU#759273 - Mozilla QueryInterface memory corruption vulnerability

   Mozilla Firefox web browser and Thunderbird mail client contain a
   memory corruption vulnerability that may allow a remote attacker to
   execute arbitrary code.
   (CVE-2006-0295)


II. Impact

   The most severe impact of these vulnerabilities could allow a remote
   attacker to execute arbitrary code with the privileges of the user
   running the affected application. Other impacts include a denial of
   service or local information disclosure.


III. Solution

Upgrade

   Upgrade to Mozilla Firefox 1.5.0.1 or SeaMonkey 1.0.
   For Mozilla-based products that have no updates available, users are
   strongly encouraged to disable JavaScript.


Appendix A. References

     * Mozilla Foundation Security Advisories -
       <http://www.mozilla.org/security/announce/>

     * Mozilla Foundation Security Advisories -
       <http://www.mozilla.org/projects/security/known-vulnerabilities.ht
       ml>

     * US-CERT Vulnerability Note VU#592425 -
       <http://www.kb.cert.org/vuls/id/592425>

     * US-CERT Vulnerability Note VU#759273 -
       <http://www.kb.cert.org/vuls/id/759273>

     * US-CERT Vulnerability Notes Related to February Mozilla Security
       Advisories -
       <http://www.kb.cert.org/vuls/byid?searchview&query=mozilla_feb_200
       6>

     * US-CERT Vulnerability Note VU#604745 -
       <http://www.kb.cert.org/vuls/id/604745>

     * CVE-2006-0296 -
       <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0296>

     * CVE-2006-0295 -
       <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0295>

     * Firefox - Rediscover the Web - <http://www.mozilla.com/firefox/>

     * The SeaMonkey Project -
       <http://www.mozilla.org/projects/seamonkey/>

 ____________________________________________________________________

   The most recent version of this document can be found at:

     <http://www.us-cert.gov/cas/techalerts/TA06-038A.html>
 ____________________________________________________________________

   Feedback can be directed to US-CERT Technical Staff. Please send
   email to <cert@cert.org> with "TA06-038A Feedback VU#592425" in the
   subject.
 ____________________________________________________________________

   For instructions on subscribing to or unsubscribing from this
   mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
 ____________________________________________________________________

   Produced 2006 by US-CERT, a government organization.

   Terms of use:

     <http://www.us-cert.gov/legal.html>
 ____________________________________________________________________


Revision History

   Feb 7, 2006: Initial release




-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBQ+jqRn0pj593lg50AQLZBQf9Hm+BCzOd/iwaoQVyudnE8ut/m+s/xgeG
10b2mpig57dPaSKsq9EpOitFIdHmvFha85OkAz9lfxTprrGm9kjw1lYlSH8idIst
Oq4oXwpPOcwVpOY/OoVeAyGSuOdmeGl1CsMSczD10XbmWOyPf6NBnR/e8U0Vebeu
GglhyODY/eKjbQ6bvDz19t76F5FwiDYKsMpo6CrEMhJWYwQXw3I4O1c9A2/t4OUP
N7+ZShp5/Cql919Nhl3InYMnlNiOeQLxm45PYfXKwW0r4HCM/Rq/SEKsmuDOYtA/
01gBu67urEw63Z0xbjoVJL/RW+5cavYS+gNbCZmaDNbR9WJP04k2PQ==
=snvO
-----END PGP SIGNATURE-----

Previous message sorted by date: US-CERT Technical Cyber Security Alert TA06-032A -- Winamp Playlist Buffer Overflow
Next message sorted by date: US-CERT Technical Cyber Security Alert TA06-045A -- Microsoft Windows, Windows Media Player, and Internet Explorer Vulnerabilities
Previous message sorted by thread: US-CERT Technical Cyber Security Alert TA06-032A -- Winamp Playlist Buffer Overflow
Next message by thread: US-CERT Technical Cyber Security Alert TA06-045A -- Microsoft Windows, Windows Media Player, and Internet Explorer Vulnerabilities
Main Index
Thread Index

CSIM home pageWMailAccount managementCSIM LibraryNetwork test toolsSearch CSIM directories
Contact us: Olivier Nicole CSIM    SET    AIT Last update: Feb 2006