Computer Hope
Other => Reviews and recommendations => Topic started by: Broni on February 04, 2009, 08:02:44 PM
-
Mozilla Firefox Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA33799
VERIFY ADVISORY:
http://secunia.com/advisories/33799/
CRITICAL:
Highly critical
IMPACT:
Security Bypass, Cross Site Scripting, Exposure of system
information, Exposure of sensitive information, System access
WHERE:
>From remote
SOFTWARE:
Mozilla Firefox 3.x
http://secunia.com/advisories/product/19089/
DESCRIPTION:
Some vulnerabilities have been reported in Mozilla Firefox, which can
be exploited by malicious, local users to potentially disclose
sensitive information, and by malicious people to conduct cross-site
scripting attacks, bypass certain security restrictions, disclose
sensitive information, or potentially to compromise a user's system.
1) Multiple errors in the layout engine can be exploited to cause
memory corruptions and potentially execute arbitrary code.
2) Multiple errors in the Javascript engine can be exploited to cause
memory corruptions and potentially execute arbitrary code.
3) A chrome XBL method can be used in combination with "window.eval"
to execute arbitrary Javascript code in the context of another web
site
4) An error when restoring a closed tab can be exploited to modify an
input control's text value, which allows e.g. to disclose the content
of a local file when a user re-opens a tab.
5) An error in the processing of shortcut files can be exploited to
execute arbitrary script code with chrome privileges e.g. via an HTML
file that loads a privileged chrome document via a .desktop shortcut
file.
This is related to:
SA32192
6) A security issue is caused due to cookies marked "HTTPOnly" being
readable by Javascript via the "XMLHttpRequest.getResponseHeader" and
"XMLHttpRequest.getAllResponseHeaders" APIs.
7) A security issue is caused due to Firefox ignoring certain HTTP
directives to not cache web pages ("Cache-Control: no-store" and
"Cache-Control: no-cache" for HTTPS pages), which can be exploited to
disclose potentially sensitive information via cached pages.
SOLUTION:
Update to version 3.0.6.
Mozilla SeaMonkey Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA33808
VERIFY ADVISORY:
http://secunia.com/advisories/33808/
CRITICAL:
Highly critical
IMPACT:
DoS, System access, Security Bypass
WHERE:
>From remote
SOFTWARE:
Mozilla SeaMonkey 1.1.x
http://secunia.com/advisories/product/14383/
DESCRIPTION:
Some vulnerabilities have been reported in Mozilla SeaMonkey, which
can be exploited by malicious people to bypass certain security
restrictions or potentially to compromise a user's system.
For more information see vulnerabilities #1, #2, #5, and #6 in:
SA33799
SOLUTION:
The vendor recommends to disable Javascript until a fixed version is
available.
Mozilla Thunderbird Memory Corruption Vulnerabilities
SECUNIA ADVISORY ID:
SA33802
VERIFY ADVISORY:
http://secunia.com/advisories/33802/
CRITICAL:
Highly critical
IMPACT:
DoS, System access
WHERE:
>From remote
SOFTWARE:
Mozilla Thunderbird 2.x
http://secunia.com/advisories/product/14070/
DESCRIPTION:
Some vulnerabilities have been reported in Mozilla Thunderbird, which
can potentially be exploited by malicious people to compromise a
user's system.
For more information see vulnerabilities #1 and #2 in:
SA33799
The vulnerabilities are reported in versions prior to 2.0.0.21.
SOLUTION:
The vulnerabilities will be fixed in an upcoming version 2.0.0.21.
The vendor recommends to disable Javascript until an update is
available.