Lucene search

K
saintSAINT CorporationSAINT:CE5429426532AF5F968BB29962C53BED
HistoryAug 14, 2006 - 12:00 a.m.

Mozilla Firefox JavaScript Navigator object vulnerability

2006-08-1400:00:00
SAINT Corporation
download.saintcorporation.com
27

EPSS

0.974

Percentile

99.9%

Added: 08/14/2006
CVE: CVE-2006-3677
BID: 19192
OSVDB: 27559

Background

When used in a web page, Java references properties of the **window.navigator** object as it starts up in Firefox or SeaMonkey.

Problem

If a web page replaces the navigator object before starting Java, then the page could cause the browser to crash in a way that allows arbitrary command execution.

Resolution

Upgrade to Firefox 1.5.0.5 or higher or SeaMonkey 1.0.3 or higher.

References

<http://www.mozilla.org/security/announce/2006/mfsa2006-45.html&gt;

Limitations

Exploit works on Firefox 1.5.0.4 and requires a user to click on the Exploit button. The Java plug-in must be installed in order for the exploit to succeed. Firefox’s automatic update feature must be disabled in order for the exploit to succeed. Note that it may take several minutes for this exploit to succeed because a large amount of memory must be allocated on the target.

Platforms

Windows 2000
Windows XP SP2
Linux
Ubuntu Linux