Technical Cyber Security Alert 2006-38A

Technical Cyber Security Alert 2006-38A: Posted Feb 8, 2006; Authored by US-CERT | Site kb.cert.org; Several vulnerabilities exist in the Mozilla web browser and derived products, the most serious of which could allow a remote attacker to execute arbitrary code on an affected system. Version of Mozilla Firefox below 1.5.0.1 and versions of SeaMonkey below 1.0 are affected.; tags | advisory, remote, web, arbitrary, vulnerability; advisories | CVE-2006-0296, CVE-2006-0295; SHA-256 | 0b913a4940b9c1df8bc0877a60ff3d579cb186e228c0c21ed540d188f86298b9; Download | Favorite | View

Technical Cyber Security Alert 2006-38A


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



                        National Cyber Alert System

                 Technical Cyber Security Alert TA06-038A


Multiple Vulnerabilities in Mozilla Products

   Original release date: February 7, 2006
   Last revised: --
   Source: US-CERT


Systems Affected

   Mozilla software, including the following, is affected:
     * Mozilla web browser, email and newsgroup client
     * Mozilla SeaMonkey
     * Firefox web browser
     * Thunderbird email client


Overview

   Several vulnerabilities exist in the Mozilla web browser and derived
   products, the most serious of which could allow a remote attacker to
   execute arbitrary code on an affected system.


I. Description

   Several vulnerabilities have been reported in the Mozilla web browser
   and derived products. More detailed information is available in the
   individual vulnerability notes, including:


   VU#592425 - Mozilla-based products fail to validate user input to the
   attribute name in "XULDocument.persist"

   A vulnerability in some Mozilla products that could allow a remote
   attacker to execute Javascript commands with the permissions of the
   user running the affected application.
   (CVE-2006-0296)


   VU#759273 - Mozilla QueryInterface memory corruption vulnerability

   Mozilla Firefox web browser and Thunderbird mail client contain a
   memory corruption vulnerability that may allow a remote attacker to
   execute arbitrary code.
   (CVE-2006-0295)


II. Impact

   The most severe impact of these vulnerabilities could allow a remote
   attacker to execute arbitrary code with the privileges of the user
   running the affected application. Other impacts include a denial of
   service or local information disclosure.


III. Solution

Upgrade

   Upgrade to Mozilla Firefox 1.5.0.1 or SeaMonkey 1.0.
   For Mozilla-based products that have no updates available, users are
   strongly encouraged to disable JavaScript.


Appendix A. References

     * Mozilla Foundation Security Advisories -
       <http://www.mozilla.org/security/announce/>

     * Mozilla Foundation Security Advisories -
       <http://www.mozilla.org/projects/security/known-vulnerabilities.ht
       ml>

     * US-CERT Vulnerability Note VU#592425 -
       <http://www.kb.cert.org/vuls/id/592425>

     * US-CERT Vulnerability Note VU#759273 -
       <http://www.kb.cert.org/vuls/id/759273>

     * US-CERT Vulnerability Notes Related to February Mozilla Security
       Advisories -
       <http://www.kb.cert.org/vuls/byid?searchview&query=mozilla_feb_200
       6>

     * US-CERT Vulnerability Note VU#604745 -
       <http://www.kb.cert.org/vuls/id/604745>

     * CVE-2006-0296 -
       <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0296>

     * CVE-2006-0295 -
       <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0295>

     * Firefox - Rediscover the Web - <http://www.mozilla.com/firefox/>

     * The SeaMonkey Project -
       <http://www.mozilla.org/projects/seamonkey/>

 ____________________________________________________________________

   The most recent version of this document can be found at:

     <http://www.us-cert.gov/cas/techalerts/TA06-038A.html>
 ____________________________________________________________________

   Feedback can be directed to US-CERT Technical Staff. Please send
   email to <cert@cert.org> with "TA06-038A Feedback VU#592425" in the
   subject.
 ____________________________________________________________________

   For instructions on subscribing to or unsubscribing from this
   mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
 ____________________________________________________________________

   Produced 2006 by US-CERT, a government organization.

   Terms of use:

     <http://www.us-cert.gov/legal.html>
 ____________________________________________________________________


Revision History

   Feb 7, 2006: Initial release




-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBQ+jqRn0pj593lg50AQLZBQf9Hm+BCzOd/iwaoQVyudnE8ut/m+s/xgeG
10b2mpig57dPaSKsq9EpOitFIdHmvFha85OkAz9lfxTprrGm9kjw1lYlSH8idIst
Oq4oXwpPOcwVpOY/OoVeAyGSuOdmeGl1CsMSczD10XbmWOyPf6NBnR/e8U0Vebeu
GglhyODY/eKjbQ6bvDz19t76F5FwiDYKsMpo6CrEMhJWYwQXw3I4O1c9A2/t4OUP
N7+ZShp5/Cql919Nhl3InYMnlNiOeQLxm45PYfXKwW0r4HCM/Rq/SEKsmuDOYtA/
01gBu67urEw63Z0xbjoVJL/RW+5cavYS+gNbCZmaDNbR9WJP04k2PQ==
=snvO
-----END PGP SIGNATURE-----

Top Authors In Last 30 Days

Red Hat 179 files
Ubuntu 58 files
Debian 26 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
E1.Coders 4 files
malvuln 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

Technical Cyber Security Alert 2006-38A

Technical Cyber Security Alert 2006-38A

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Technical Cyber Security Alert 2006-38A

Share This

Technical Cyber Security Alert 2006-38A

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems