CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
AI Score
Confidence
High
EPSS
Percentile
95.1%
USN-874-1 fixed vulnerabilities in Firefox and Xulrunner. The upstream
changes introduced a regression when using NTLM authentication. This update
fixes the problem and adds additional stability fixes.
We apologize for the inconvenience.
Original advisory details:
Jesse Ruderman, Josh Soref, Martijn Wargers, Jose Angel, Olli Pettay, and
David James discovered several flaws in the browser and JavaScript engines
of Firefox. If a user were tricked into viewing a malicious website, a
remote attacker could cause a denial of service or possibly execute
arbitrary code with the privileges of the user invoking the program.
(CVE-2009-3979, CVE-2009-3980, CVE-2009-3982, CVE-2009-3986)
Takehiro Takahashi discovered flaws in the NTLM implementation in Firefox.
If an NTLM authenticated user visited a malicious website, a remote
attacker could send requests to other applications, authenticated as the
user. (CVE-2009-3983)
Jonathan Morgan discovered that Firefox did not properly display SSL
indicators under certain circumstances. This could be used by an attacker
to spoof an encrypted page, such as in a phishing attack. (CVE-2009-3984)
Jordi Chancel discovered that Firefox did not properly display invalid URLs
for a blank page. If a user were tricked into accessing a malicious
website, an attacker could exploit this to spoof the location bar, such as
in a phishing attack. (CVE-2009-3985)
David Keeler, Bob Clary, and Dan Kaminsky discovered several flaws in third
party media libraries. If a user were tricked into opening a crafted media
file, a remote attacker could cause a denial of service or possibly execute
arbitrary code with the privileges of the user invoking the program.
(CVE-2009-3388, CVE-2009-3389)
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Ubuntu | 9.10 | noarch | xulrunner-1.9.1 | < 1.9.1.7+nobinonly-0ubuntu0.9.10.1 | UNKNOWN |
Ubuntu | 9.10 | noarch | xulrunner-1.9.1-dbg | < 1.9.1.7+nobinonly-0ubuntu0.9.10.1 | UNKNOWN |
Ubuntu | 9.10 | noarch | xulrunner-1.9.1-dev | < 1.9.1.7+nobinonly-0ubuntu0.9.10.1 | UNKNOWN |
Ubuntu | 9.10 | noarch | xulrunner-1.9.1-gnome-support | < 1.9.1.7+nobinonly-0ubuntu0.9.10.1 | UNKNOWN |
Ubuntu | 9.10 | noarch | xulrunner-1.9.1-testsuite | < 1.9.1.7+nobinonly-0ubuntu0.9.10.1 | UNKNOWN |
Ubuntu | 9.10 | noarch | xulrunner-1.9.1-testsuite-dev | < 1.9.1.7+nobinonly-0ubuntu0.9.10.1 | UNKNOWN |
Ubuntu | 9.10 | noarch | xulrunner-dev | < 1.9.1.7+nobinonly-0ubuntu0.9.10.1 | UNKNOWN |
Ubuntu | 9.10 | noarch | firefox-3.5 | < 3.5.7+nobinonly-0ubuntu0.9.10.1 | UNKNOWN |
Ubuntu | 9.10 | noarch | abrowser-3.5-branding | < 3.5.7+nobinonly-0ubuntu0.9.10.1 | UNKNOWN |
Ubuntu | 9.10 | noarch | firefox-3.5-branding | < 3.5.7+nobinonly-0ubuntu0.9.10.1 | UNKNOWN |