----------------------------------------------------------------------


Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM).

Request a free trial: 
http://secunia.com/products/corporate/vim/


----------------------------------------------------------------------

TITLE:
Mozilla Firefox Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA42517

VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/42517/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=42517

RELEASE DATE:
2010-12-11

DISCUSS ADVISORY:
http://secunia.com/advisories/42517/#comments

AVAILABLE ON SITE AND IN CUSTOMER AREA:
 * Last Update
 * Popularity
 * Comments
 * Criticality Level
 * Impact
 * Where
 * Solution Status
 * Operating System / Software
 * CVE Reference(s)

http://secunia.com/advisories/42517/

ONLY AVAILABLE IN CUSTOMER AREA:
 * Authentication Level
 * Report Reliability
 * Secunia PoC
 * Secunia Analysis
 * Systems Affected
 * Approve Distribution
 * Remediation Status
 * Secunia CVSS Score
 * CVSS

https://ca.secunia.com/?page=viewadvisory&vuln_id=42517

ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
 * AUTOMATED SCANNING

http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/

DESCRIPTION:
A weakness and some vulnerabilities have been reported in Mozilla
Firefox, which can be exploited by malicious people to conduct
cross-site scripting and spoofing attacks, bypass certain security
restrictions, and compromise a user's system.

1) Multiple errors in the browser engine can be exploited to corrupt
memory and potentially execute arbitrary code.

2) An error when handling line breaks in overly long strings passed
to "document.write()" can be exploited to read data from
out-of-bounds memory location and potentially execute arbitrary
code.

3) An error when opening a new window using "window.open()" can be
exploited to execute arbitrary JavaScript code with chrome privileges
via the "<isindex>" element.

4) An error in the handling of "<div>" elements nested within
"<treechildren>" elements in a XUL tree element can be exploited to
corrupt memory and potentially execute arbitrary code.

5) An error in the Java LiveConnect script when loaded via a "data:"
URL can be exploited to e.g. read arbitrary files, launch arbitrary
processes, and establish arbitrary network connections.

6) A use-after-free error in the "NodeIterator API" when handling a
"nsDOMAttribute" node can be exploited to corrupt memory and execute
arbitrary code.

7) An integer overflow when creating arrays can be exploited to
corrupt memory and potentially execute arbitrary code.

8) An error related to the XMLHttpRequestSpy object can be exploited
to execute arbitrary JavaScript code.

This is due to an incomplete fix for vulnerability #9 in:
SA37242

9) An error exists in the handling of documents with no inherent
origin associated. This can be exploited to bypass the same-origin
policy and spoof the URL of a trusted site by tricking users into
opening site which result in e.g. about:config or about:neterror
pages.

10) An error exists in the rendering engine when handling certain Mac
charset encodings. This can be exploited to potentially execute
arbitrary JavaScript code in the context of the destination website.

The weakness and the vulnerabilities are reported in versions prior
to 3.6.13 and 3.5.16.

SOLUTION:
Update to version  3.6.13 or 3.5.16.

PROVIDED AND/OR DISCOVERED BY:
6, 7) regenrecht, reported via ZDI 
9) Michal Zalewski

The vendor credits:
1) Jesee Ruderman, Andreas Gal, Nils, Brian Hackett, Igor Bukanov.
2) Dirk Heinrich
3) echo
4) wushi, team509
5) Gregory Fleischer
8) moz_bug_r_a4
10) Yosuke Hasegawa and Masatoshi Kimura

ORIGINAL ADVISORY:
http://www.mozilla.org/security/announce/2010/mfsa2010-74.html
http://www.mozilla.org/security/announce/2010/mfsa2010-75.html
http://www.mozilla.org/security/announce/2010/mfsa2010-76.html
http://www.mozilla.org/security/announce/2010/mfsa2010-77.html
http://www.mozilla.org/security/announce/2010/mfsa2010-78.html
http://www.mozilla.org/security/announce/2010/mfsa2010-79.html
http://www.mozilla.org/security/announce/2010/mfsa2010-80.html
http://www.mozilla.org/security/announce/2010/mfsa2010-81.html
http://www.mozilla.org/security/announce/2010/mfsa2010-82.html
http://www.mozilla.org/security/announce/2010/mfsa2010-83.html
http://www.mozilla.org/security/announce/2010/mfsa2010-84.html

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-264/
http://www.zerodayinitiative.com/advisories/ZDI-10-265/

Michal Zalewski:
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0144.html

OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/

DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/

EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/

EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/

EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/advisories/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/


Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------