Thread: FireFox Security Problems, released 4/17

  1. #1
    Junior Member
    Join Date
    Apr 2006
    Posts
    22

    FireFox Security Problems, released 4/17

    I just received this in an email, and thought that you might not have heard about it...

    Galiath

    National Cyber Alert System

    Technical Cyber Security Alert TA06-107A


    Mozilla Products Contain Multiple Vulnerabilities

    Original release date: April 17, 2006
    Last revised: --
    Source: US-CERT


    Systems Affected

    * Mozilla web browser, email and newsgroup client
    * Mozilla SeaMonkey
    * Firefox web browser
    * Thunderbird email client
    * Mozilla Suite

    Any products based on Mozilla components, particularly Gecko, may also
    be affected.


    Overview

    The Mozilla web browser and derived products contain several
    vulnerabilities, the most serious of which could allow a remote
    attacker to execute arbitrary code on an affected system.


    I. Description

    Several vulnerabilities have been reported in the Mozilla web browser
    and derived products. More detailed information is available in the
    individual vulnerability notes, including:

    VU#932734 - Mozilla crypto.generateCRMFRequest() vulnerability

    A vulnerability exists in the Mozilla JavaScript routine
    generateCRMFRequest() that may allow a remote attacker to execute
    arbitrary code.
    (CVE-2006-1728)

    VU#968814 - Mozilla JavaScript security bypass vulnerability

    Mozilla products fail to properly enforce security restrictions in
    JavaScript. This vulnerability may allow a remote, unauthenticated
    attacker to execute arbitrary code.
    (CVE-2006-1726)

    VU#179014 - Mozilla CSS integer overflow vulnerability

    Mozilla products contain an integer overflow that could allow a
    remote, unauthenticated attacker to execute arbitrary code.
    (CVE-2006-1730)

    VU#488774 - Mozilla XBL binding vulnerability

    Mozilla products fail to properly restrict access to privileged XBL
    bindings. This vulnerability may allow a remote, unauthenticated
    attacker to execute arbitrary code.
    (CVE-2006-1733)

    VU#842094 - Mozilla JavaScript cloned parent vulnerability

    Mozilla products fail to properly restrict access to a JavaScript
    function's cloned parent. This vulnerability may allow a remote
    attacker to execute arbitrary code on a vulnerable system.
    (CVE-2006-1734)

    VU#813230 - Mozilla products vulnerable to privilege escalation via
    XBL.method.eval

    A vulnerability in the way Mozilla products and derivative programs
    handle certain XBL methods could allow a remote attacker to execute
    arbitrary code on a vulnerable system.
    (CVE-2006-1735)

    VU#736934 - Mozilla products vulnerable to memory corruption via a
    particular sequence of HTML tags

    A vulnerability in the way Mozilla products and derivative programs
    handle certain HTML tags could allow a remote attacker to execute
    arbitrary code on a vulnerable system.
    (CVE-2006-0749)

    VU#935556 - Mozilla products may allow CSS border-rendering code to
    write past the end of an array

    A vulnerability in the way Mozilla products and derivative programs
    handle certain CSS methods could allow a remote attacker to crash the
    application or execute arbitrary code on a vulnerable system.
    (CVE-2006-1739)

    VU#350262 - Mozilla DHTML memory corruption vulnerabilities

    Mozilla products contain multiple, unspecified vulnerabilities in
    the way they handle DHTML. These vulnerabilities may allow a remote
    attacker to execute arbitrary code or cause a denial-of-service
    condition.
    (CVE-2006-1724)

    VU#252324 - Mozilla display style vulnerability

    Mozilla products contain an unspecified vulnerability in the way they
    handle display styles. This vulnerability may allow a remote attacker
    to execute arbitrary code or cause a denial-of-service condition.

    VU#329500 - Mozilla products vulnerable to memory corruption via large
    regular expression in JavaScript

    A vulnerability in the way the JavaScript engine of Mozilla products
    and derivative programs handles a large regular expression could allow
    a remote attacker to crash the application or execute arbitrary code
    on a vulnerable system.


    II. Impact

    The most severe impact of these vulnerabilities could allow a remote
    attacker to execute arbitrary code with the privileges of the user
    running the affected application. Other effects include a denial of
    service or local information disclosure.


    III. Solution

    Upgrade

    Upgrade to Mozilla Firefox 1.5.0.2, Mozilla Thunderbird 1.5.0.2, or
    SeaMonkey 1.0.1. According to Mozilla.org, Thunderbird 1.5.0.2 is
    to be released on April 18, 2006.

    Users are strongly encouraged to apply the workarounds described in
    the individual vulnerability notes until updates can be applied.


    Appendix A. References

    * Mozilla Foundation Security Advisories -
    <http://www.mozilla.org/security/announce/>

    * Mozilla Foundation Security Advisories -
    <http://www.mozilla.org/projects/secu...erabilities.html>

    * US-CERT Vulnerability Note VU#932734 -
    <http://www.kb.cert.org/vuls/id/932734>

    * US-CERT Vulnerability Note VU#968814 -
    <http://www.kb.cert.org/vuls/id/968814>

    * US-CERT Vulnerability Note VU#179014 -
    <http://www.kb.cert.org/vuls/id/179014>

    * US-CERT Vulnerability Note VU#488774 -
    <http://www.kb.cert.org/vuls/id/488774>

    * US-CERT Vulnerability Note VU#842094 -
    <http://www.kb.cert.org/vuls/id/842094>

    * US-CERT Vulnerability Note VU#813230 -
    <http://www.kb.cert.org/vuls/id/813230>

    * US-CERT Vulnerability Note VU#736934 -
    <http://www.kb.cert.org/vuls/id/736934>

    * US-CERT Vulnerability Note VU#935556 -
    <http://www.kb.cert.org/vuls/id/935556>

    * US-CERT Vulnerability Note VU#350262 -
    <http://www.kb.cert.org/vuls/id/350262>

    * US-CERT Vulnerability Note VU#252324 -
    <http://www.kb.cert.org/vuls/id/252324>

    * US-CERT Vulnerability Note VU#329500 -
    <http://www.kb.cert.org/vuls/id/329500>

    * US-CERT Vulnerability Notes Related to April Mozilla Security
    Advisories -
    <http://www.kb.cert.org/vuls/byid?sea...ozilla_April_2006>

    * CVE-2006-1726 -
    <http://cve.mitre.org/cgi-bin/cvename...=CVE-2006-1726>

    * CVE-2006-1728 -
    <http://cve.mitre.org/cgi-bin/cvename...=CVE-2006-1728>

    * CVE-2006-1730 -
    <http://cve.mitre.org/cgi-bin/cvename...=CVE-2006-1730>

    * CVE-2006-1733 -
    <http://cve.mitre.org/cgi-bin/cvename...=CVE-2006-1733>

    * CVE-2006-1734 -
    <http://cve.mitre.org/cgi-bin/cvename...=CVE-2006-1734>

    * CVE-2006-1735 -
    <http://cve.mitre.org/cgi-bin/cvename...=CVE-2006-1735>

    * CVE-2006-0749 -
    <http://cve.mitre.org/cgi-bin/cvename...=CVE-2006-0749>

    * CVE-2006-1739 -
    <http://cve.mitre.org/cgi-bin/cvename...=CVE-2006-1739>

    * CVE-2006-1724 -
    <http://cve.mitre.org/cgi-bin/cvename...=CVE-2006-1724>

    * Firefox - Rediscover the Web - <http://www.mozilla.com/firefox/>

    * Thunderbird - Reclaim your inbox -
    <http://www.mozilla.com/thunderbird/>

    * The SeaMonkey Project -
    <http://www.mozilla.org/projects/seamonkey/>

    * Mozilla Suite - The All-in-One Internet Application Suite -
    <http://www.mozilla.org/products/mozilla1.x/>

    * Securing Your Web Browser -
    <http://www.us-cert.gov/reading_room/...r/browser_security.html#Mozilla_Firefox>


    ____________________________________________________________________

    The most recent version of this document can be found at:

    <http://www.us-cert.gov/cas/techalerts/TA06-107A.html>

  2. #2
    Senior Member
    Join Date
    Mar 2005
    Posts
    400
    Hey... Firefox doesn't have any vulnerabilities, unlike IE.

    Ouch....!!
    I just bit my tongue.

    ZT3000
    Beta tester of "0"s and "1"s"

  3. #3
    That must have been what the automatic update to FireFox was yesterday. Mine is at the 1.5.0.2 level.

  4. #4
    Junior Member
    Join Date
    Apr 2006
    Posts
    22
    Thought some of the IE bashers might want to hear that (I personally use both FF and IE).

    The nice thing is that FireFox actually caught it, the same day it was released. And actually put a patch into play the SAME DAY (unlike IE waiting for the next patch release day... )

    Galiath

  5. #5
    Uh, Galiath, the vulnerabilities weren't fixed the same day they were found. It was publicly announced at the same time the fixes were released. Chances are the vulnerabilities were discovered and provided to Mozilla some weeks ago. That's called responsible disclosure. It allows the vendor time to produce an acceptable response.

    This last thing with IE was a vulnerability that was publicly announced, with exploit code released before providing MS an opportunity to research and fix it. That's called irresponsible disclosure. It makes it difficult for the vendor to provide a response.

    It does take a bit of time to research and develop working patches. However, in this last set of incidents, MS looks bad and the others look good--unless you look under the hood and check things out.

  6. #6
    At least they're patched now.

  7. #7
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    All software has vulnerabilities.

    Not all software has the same, or even similar, vulnerabilities.

    And IE's vulnerabilities are unique, yes? Is there any other browser that, once compromised, poses the same risk to the Windows kernel as IE? Anybody seen a browser hijack for Firefox or Opera yet?

    “Everybody is ignorant, only on different subjects.” — Will Rogers

  8. #8
    Hoopy Frood
    Join Date
    Jun 2004
    Posts
    662
    Originally posted here by brokencrow
    And IE's vulnerabilities are unique, yes? Is there any other browser that, once compromised, poses the same risk to the Windows kernel as IE?
    Can you define exactly what you mean by this and give an example? Although I've heard this argument many times, I've never heard anyone elaborate on it. From what I understand, I.E. runs under exactly the same privileges as the user who's logged onto the system and, if compromised, would provide exactly the same level of access to the system as any other web browser that was compromised in the same manner (e.g. buffer overflow).

    - X
    "Personality is only ripe when a man has made the truth his own."

    -- Søren Kierkegaard
