exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Technical Cyber Security Alert 2006-153A

Technical Cyber Security Alert 2006-153A
Posted Jun 3, 2006
Authored by US-CERT | Site cert.org

National Cyber Alert System Technical Cyber Security Alert TA06-153A: Mozilla Products Contain Multiple Vulnerabilities.

tags | advisory, vulnerability
SHA-256 | 4b7a351b592f163172aae4ced003fc3ab814494e58efb8c56b84a230ab6a9252

Technical Cyber Security Alert 2006-153A

Change Mirror Download

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



National Cyber Alert System

Technical Cyber Security Alert TA06-153A


Mozilla Products Contain Multiple Vulnerabilities

Original release date: June 2, 2006
Last revised: --
Source: US-CERT


Systems Affected

* Mozilla SeaMonkey
* Firefox web browser
* Thunderbird email client

Any products based on Mozilla components, particularly Gecko, may also
be affected.


Overview

The Mozilla web browser and derived products contain several
vulnerabilities, the most serious of which could allow a remote
attacker to execute arbitrary code on an affected system.


I. Description

Several vulnerabilities have been reported in the Mozilla web browser
and derived products. More detailed information is available in the
individual vulnerability notes, including:


VU#237257 - Mozilla privilege escalation using addSelectionListener

A privilege escalation vulnerability exists in the Mozilla
addSelectionListener method. This may allow a remote attacker to
execute arbitrary code.


VU#421529 - Mozilla contains a buffer overflow vulnerability in
crypto.signText()

Mozilla products contain a buffer overflow in the crypto.signText()
method. This may allow a remote attacker to execute arbitrary code.


VU#575969 - Mozilla may process content-defined setters on object
prototypes with elevated privileges

Mozilla allows content-defined setters on object prototypes to execute
with elevated privileges. This may allow a remote attacker to execute
arbitrary code.


VU#243153 - Mozilla may associate persisted XUL attributes with an
incorrect URL

Mozilla can allow persisted XUL attributes to associate with the wrong
URL. This may allow a remote attacker to execute arbitrary code.


VU#466673 - Mozilla contains multiple memory corruption
vulnerabilities

Mozilla contains several memory corruption vulnerabilities. This may
allow a remote attacker to execute arbitrary code.


II. Impact

The most severe impact of these vulnerabilities could allow a remote
attacker to execute arbitrary code with the privileges of the user
running the affected application. Other effects include a denial of
service or local information disclosure.


III. Solution

Upgrade

Upgrade to Mozilla Firefox 1.5.0.4, Mozilla Thunderbird 1.5.0.4, or
SeaMonkey 1.0.2.

Disable JavaScript

These vulnerabilities can be mitigated by disabling JavaScript.


Appendix A. References

* US-CERT Vulnerability Note VU#237257 -
<http://www.kb.cert.org/vuls/id/237257>

* US-CERT Vulnerability Note VU#421529 -
<http://www.kb.cert.org/vuls/id/421529>

* US-CERT Vulnerability Note VU#575969 -
<http://www.kb.cert.org/vuls/id/575969>

* US-CERT Vulnerability Note VU#243153 -
<http://www.kb.cert.org/vuls/id/243153>

* US-CERT Vulnerability Note VU#466673 -
<http://www.kb.cert.org/vuls/id/466673>

* Mozilla Foundation Security Advisories -
<http://www.mozilla.org/security/announce/>

* US-CERT Vulnerability Notes Related to June Mozilla Security
Advisories -
<http://www.kb.cert.org/vuls/byid?searchview&query=firefox_1504>

* Mozilla Foundation Security Advisories -
<http://www.mozilla.org/projects/security/known-vulnerabilities.html>

* Firefox - Rediscover the Web - <http://www.mozilla.com/firefox/>

* Thunderbird - Reclaim your inbox -
<http://www.mozilla.com/thunderbird/>

* The SeaMonkey Project -
<http://www.mozilla.org/projects/seamonkey/>

* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/browser_security.html#Mozilla_Firefox>


____________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA06-153A.html>
____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-153A Feedback VU#237257" in the
subject.
____________________________________________________________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________

Produced 2006 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>
____________________________________________________________________


Revision History

Jun 2, 2006: Initial release




-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBRICC5H0pj593lg50AQKT/Af+IMgN13YNpubQiBvQsAQkXHTbjQnWuM7q
XyvsEZHT/DAEUVr9kR1wx5IlS+lwELN9jq2QwfFJz7E+1psUJd5o9wLD/KUTlrUk
baclGN/pEIR8jp1zyCVCCTbCeFig9RNA7vaGYzdbNjhXWhJANagK0bIK3Y9xS2ug
B2i33KtkApsZ4Jn9/hXrtqkUhgf1FaBIWlq9By2gsVraAdRYiObtR3YfDDwX0d/H
8PHNxtdg+bOJEaYoQxYzxWDdx06wr7ZVzvGhkacWIyOmC35x/9mTmFOeZrH9ecjq
3fDxx3gUXSKIn4yToKnfxqCD8nA6vi9b22LW+CIKuSPosbloWaw9ew==
=nbAW
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

December 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    2 Files
  • 2
    Dec 2nd
    12 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    14 Files
  • 6
    Dec 6th
    18 Files
  • 7
    Dec 7th
    12 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close