-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                        National Cyber Alert System

                 Technical Cyber Security Alert TA06-208A


Mozilla Products Contain Multiple Vulnerabilities

   Original release date: July 27, 2006
   Last revised: --
   Source: US-CERT


Systems Affected

     * Mozilla SeaMonkey
     * Mozilla Firefox
     * Mozilla Thunderbird

   Any products based on Mozilla components, specifically Gecko, may also
   be affected.


Overview

   The Mozilla web browser and derived products contain several
   vulnerabilities, the most serious of which could allow a remote
   attacker to execute arbitrary code on an affected system.


I. Description

   Several vulnerabilities have been reported in the Mozilla web browser
   and derived products. More detailed information is available in the
   individual vulnerability notes, including the following:


   VU#476724 - Mozilla products fail to properly handle frame references 

   Mozilla products fail to properly handle frame or window references.
   This may allow a remote attacker to execute arbitrary code on a
   vulnerable system.
   (CVE-2006-3801)


   VU#670060 - Mozilla fails to properly release JavaScript references 

   Mozilla products fail to properly release memory. This vulnerability
   may allow a remote attacker to execute code on a vulnerable system.
   (CVE-2006-3677)


   VU#239124 - Mozilla fails to properly handle simultaneous XPCOM events
   
   Mozilla products are vulnerable to memory corruption via simultaneous
   XPCOM events. This may allow a remote attacker to execute arbitrary
   code on a vulnerable system.
   (CVE-2006-3113)


   VU#265964 - Mozilla products contain a race condition 

   Mozilla products contain a race condition. This vulnerability may
   allow a remote attacker to execute code on a vulnerable system.
   (CVE-2006-3803)


   VU#897540 - Mozilla products VCard attachment buffer overflow 

   Mozilla products fail to properly handle malformed VCard attachments,
   allowing a buffer overflow to occur. This vulnerability may allow a
   remote attacker to execute arbitrary code on a vulnerable system.
   (CVE-2006-3804)


   VU#876420 - Mozilla fails to properly handle garbage collection 

   The Mozilla JavaScript engine fails to properly perform garbage
   collection, which may allow a remote attacker to execute arbitrary
   code on a vulnerable system.
   (CVE-2006-3805)


   VU#655892 - Mozilla JavaScript engine contains multiple integer
   overflows 

   The Mozilla JavaScript engine contains multiple integer overflows.
   This vulnerability may allow a remote attacker to execute arbitrary
   code on a vulnerable system.
   (CVE-2006-3806)


   VU#687396 - Mozilla products fail to properly validate JavaScript
   constructors 

   Mozilla products fail to properly validate references returned by
   JavaScript constructors. This vulnerability may allow a remote
   attacker to execute arbitrary code on a vulnerable system.
   (CVE-2006-3807)


   VU#527676 - Mozilla contains multiple memory corruption
   vulnerabilities 

   Mozilla products contain multiple vulnerabilities that can cause
   memory corruption. This may allow a remote attacker to execute
   arbitrary code on a vulnerable system.
   (CVE-2006-3811)


II. Impact

   A remote, unauthenticated attacker could execute arbitrary code on a
   vulnerable system. An attacker may also be able to cause the
   vulnerable application to crash.


III. Solution

Upgrade

   Upgrade to Mozilla Firefox 1.5.0.5, Mozilla Thunderbird 1.5.0.5, or
   SeaMonkey 1.0.3.

Disable JavaScript and Java

   These vulnerabilities can be mitigated by disabling JavaScript and
   Java in all affected products. Instructions for disabling Java in
   Firefox can be found in the "Securing Your Web Browser" document.


Appendix A. References

     * US-CERT Vulnerability Notes Related to July Mozilla Security
       Advisories -
       <http://www.kb.cert.org/vuls/byid?searchview&query=firefox_1505>

     * CVE-2006-3081 -
       <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3801>

     * CVE-2006-3677 -
       <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3677>

     * CVE-2006-3113 -
       <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3113>

     * CVE-2006-3803 -
       <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3803>

     * CVE-2006-3804 -
       <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3804>

     * CVE-2006-3805 -
       <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3805>

     * CVE-2006-3806 -
       <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3806>

     * CVE-2006-3807 -
       <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3807>

     * CVE-2006-3811 -
       <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3811>

     * Mozilla Foundation Security Advisories -
       <http://www.mozilla.org/security/announce/>

     * Known Vulnerabilities in Mozilla Products -
       <http://www.mozilla.org/projects/security/known-vulnerabilities.html>

     * Securing Your Web Browser -
       <http://www.us-cert.gov/reading_room/securing_browser/browser_security.html#Mozilla_Firefox>


 ____________________________________________________________________

   The most recent version of this document can be found at:

     <http://www.us-cert.gov/cas/techalerts/TA06-208A.html>
 ____________________________________________________________________

   Feedback can be directed to US-CERT Technical Staff. Please send
   email to <cert@cert.org> with "TA06-208A Feedback VU#239124" in the
   subject.
 ____________________________________________________________________

   For instructions on subscribing to or unsubscribing from this
   mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
 ____________________________________________________________________

   Produced 2006 by US-CERT, a government organization.

   Terms of use:

     <http://www.us-cert.gov/legal.html>
 ____________________________________________________________________


Revision History

   Jul 27, 2006: Initial release


    
    

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBRMkgNexOF3G+ig+rAQIFsAgAoWoMkxxhkzb+xgLVCJF7h4k4EBCgJGWa
BSOiFfL4Gs4vv4lNooDRCIOdxiBfXYL71XsIOT4aWry5852/6kyYnyAiXXYj1Uv0
SbPY2sQSZ5EaG+G9i8HDIy3fpJN4XgH3ng1uzUnJihY19IfndbXicpZE+debIUri
qt9NRD2f5FW5feKo1cBpYxtmxQAEePOa2dJHh7I7cnFGtG3MixHx4kVEyuYUutCX
5tHDsfTIdySNkIdCQ4vhk846bErB/kaHiKMQDfMglllb3GOSc07OQ0CDo2eTPVsA
9DtKkiDP1C4dh1mxco8CWlS6327+EB0KXGGoqDF2+j/rrpsW0oc8nA==
=HwuK
-----END PGP SIGNATURE-----