Technical Cyber Security Alert 2006-208A

Posted Jul 28, 2006
Authored by US-CERT | Site cert.org

Technical Cyber Security Alert TA06-208A - The Mozilla web browser and derived products contain several vulnerabilities, the most serious of which could allow a remote attacker to execute arbitrary code on an affected system.

tags | advisory, remote, web, arbitrary, vulnerability
advisories | CVE-2006-3801, CVE-2006-3677, CVE-2006-3113, CVE-2006-3803, CVE-2006-3805, CVE-2006-3804, CVE-2006-3806, CVE-2006-3807, CVE-2006-3811
SHA-256 | 86ea302741e04f7adec9c59cfe0f6d1c012d7ce705526cc004e3a7bf46a8a996



National Cyber Alert System

Technical Cyber Security Alert TA06-208A


Mozilla Products Contain Multiple Vulnerabilities

Original release date: July 27, 2006
Last revised: --
Source: US-CERT


Systems Affected

* Mozilla SeaMonkey
* Mozilla Firefox
* Mozilla Thunderbird

Any products based on Mozilla components, specifically Gecko, may also
be affected.


Overview

The Mozilla web browser and derived products contain several
vulnerabilities, the most serious of which could allow a remote
attacker to execute arbitrary code on an affected system.


I. Description

Several vulnerabilities have been reported in the Mozilla web browser
and derived products. More detailed information is available in the
individual vulnerability notes, including the following:


VU#476724 - Mozilla products fail to properly handle frame references

Mozilla products fail to properly handle frame or window references.
This may allow a remote attacker to execute arbitrary code on a
vulnerable system.
(CVE-2006-3801)


VU#670060 - Mozilla fails to properly release JavaScript references

Mozilla products fail to properly release memory. This vulnerability
may allow a remote attacker to execute code on a vulnerable system.
(CVE-2006-3677)


VU#239124 - Mozilla fails to properly handle simultaneous XPCOM events

Mozilla products are vulnerable to memory corruption via simultaneous
XPCOM events. This may allow a remote attacker to execute arbitrary
code on a vulnerable system.
(CVE-2006-3113)


VU#265964 - Mozilla products contain a race condition

Mozilla products contain a race condition. This vulnerability may
allow a remote attacker to execute code on a vulnerable system.
(CVE-2006-3803)


VU#897540 - Mozilla products VCard attachment buffer overflow

Mozilla products fail to properly handle malformed VCard attachments,
allowing a buffer overflow to occur. This vulnerability may allow a
remote attacker to execute arbitrary code on a vulnerable system.
(CVE-2006-3804)


VU#876420 - Mozilla fails to properly handle garbage collection

The Mozilla JavaScript engine fails to properly perform garbage
collection, which may allow a remote attacker to execute arbitrary
code on a vulnerable system.
(CVE-2006-3805)


VU#655892 - Mozilla JavaScript engine contains multiple integer
overflows

The Mozilla JavaScript engine contains multiple integer overflows.
This vulnerability may allow a remote attacker to execute arbitrary
code on a vulnerable system.
(CVE-2006-3806)


VU#687396 - Mozilla products fail to properly validate JavaScript
constructors

Mozilla products fail to properly validate references returned by
JavaScript constructors. This vulnerability may allow a remote
attacker to execute arbitrary code on a vulnerable system.
(CVE-2006-3807)


VU#527676 - Mozilla contains multiple memory corruption
vulnerabilities

Mozilla products contain multiple vulnerabilities that can cause
memory corruption. This may allow a remote attacker to execute
arbitrary code on a vulnerable system.
(CVE-2006-3811)


II. Impact

A remote, unauthenticated attacker could execute arbitrary code on a
vulnerable system. An attacker may also be able to cause the
vulnerable application to crash.


III. Solution

Upgrade

Upgrade to Mozilla Firefox 1.5.0.5, Mozilla Thunderbird 1.5.0.5, or
SeaMonkey 1.0.3.

Disable JavaScript and Java

These vulnerabilities can be mitigated by disabling JavaScript and
Java in all affected products. Instructions for disabling Java in
Firefox can be found in the "Securing Your Web Browser" document.
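A defender's check for the two remedies in this section, added here as an example and not part of the US-CERT advisory: given an installed product version it reports whether the upgrade is still needed, and given a profile's prefs.js it reports whether the JavaScript/Java workaround is actually in place. The preference names javascript.enabled and security.enable_java are assumed to be the ones used by 1.5-era Mozilla products, and the sample prefs.js content is constructed.

```python
import re
from typing import Dict, List, Tuple

# Fixed versions named in section III of TA06-208A; anything older needs an upgrade.
FIXED_VERSIONS = {"firefox": "1.5.0.5", "thunderbird": "1.5.0.5", "seamonkey": "1.0.3"}

# Safe values for the advisory's workaround (JavaScript and Java disabled).
# Assumption: these are the pref names used by 1.5-era Mozilla products;
# both default to enabled, so an absent pref counts as not mitigated.
MITIGATION_PREFS = {"javascript.enabled": False, "security.enable_java": False}

_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(true|false|\d+|"[^"]*")\);')

# Constructed sample prefs.js content, not taken from a real profile.
SAMPLE_PREFS = """\
// constructed sample: JavaScript off, Java still on
user_pref("javascript.enabled", false);
user_pref("security.enable_java", true);
user_pref("browser.startup.homepage", "about:blank");
"""

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.5.0.5' into (1, 5, 0, 5) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))

def needs_upgrade(product: str, version: str) -> bool:
    """True if the installed version is older than the advisory's fixed version."""
    return parse_version(version) < parse_version(FIXED_VERSIONS[product.lower()])

def parse_prefs(text: str) -> Dict[str, object]:
    """Parse user_pref(...) lines from prefs.js/user.js into a dict."""
    prefs: Dict[str, object] = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw.strip('"')
        else:
            prefs[name] = int(raw)
    return prefs

def workaround_gaps(prefs: Dict[str, object]) -> List[str]:
    """Mitigation prefs not at their safe value (empty list = workaround fully applied)."""
    return [p for p, safe in MITIGATION_PREFS.items() if prefs.get(p) != safe]
```

Run `workaround_gaps(parse_prefs(open(path).read()))` against a real profile to see which of the two settings still needs changing.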


Appendix A. References

* US-CERT Vulnerability Notes Related to July Mozilla Security
Advisories -
<http://www.kb.cert.org/vuls/byid?searchview&query=firefox_1505>

* CVE-2006-3801 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3801>

* CVE-2006-3677 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3677>

* CVE-2006-3113 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3113>

* CVE-2006-3803 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3803>

* CVE-2006-3804 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3804>

* CVE-2006-3805 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3805>

* CVE-2006-3806 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3806>

* CVE-2006-3807 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3807>

* CVE-2006-3811 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3811>

* Mozilla Foundation Security Advisories -
<http://www.mozilla.org/security/announce/>

* Known Vulnerabilities in Mozilla Products -
<http://www.mozilla.org/projects/security/known-vulnerabilities.html>

* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/browser_security.html#Mozilla_Firefox>


____________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA06-208A.html>
____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-208A Feedback VU#239124" in the
subject.
____________________________________________________________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________

Produced 2006 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>
____________________________________________________________________


Revision History

Jul 27, 2006: Initial release

