Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:11326
HistoryFeb 08, 2006 - 12:00 a.m.

US-CERT Technical Cyber Security Alert TA06-038A -- Multiple Vulnerabilities in Mozilla Products

2006-02-0800:00:00
vulners.com
17

EPSS

0.97

Percentile

99.7%

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                    National Cyber Alert System

             Technical Cyber Security Alert TA06-038A

Multiple Vulnerabilities in Mozilla Products

Original release date: February 7, 2006
Last revised: –
Source: US-CERT

Systems Affected

Mozilla software, including the following, is affected:
* Mozilla web browser, email and newsgroup client
* Mozilla SeaMonkey
* Firefox web browser
* Thunderbird email client

Overview

Several vulnerabilities exist in the Mozilla web browser and derived
products, the most serious of which could allow a remote attacker to
execute arbitrary code on an affected system.

I. Description

Several vulnerabilities have been reported in the Mozilla web browser
and derived products. More detailed information is available in the
individual vulnerability notes, including:

VU#592425 - Mozilla-based products fail to validate user input to the
attribute name in "XULDocument.persist"

A vulnerability in some Mozilla products that could allow a remote
attacker to execute Javascript commands with the permissions of the
user running the affected application.
(CVE-2006-0296)

VU#759273 - Mozilla QueryInterface memory corruption vulnerability

Mozilla Firefox web browser and Thunderbird mail client contain a
memory corruption vulnerability that may allow a remote attacker to
execute arbitrary code.
(CVE-2006-0295)

II. Impact

The most severe impact of these vulnerabilities could allow a remote
attacker to execute arbitrary code with the privileges of the user
running the affected application. Other impacts include a denial of
service or local information disclosure.

III. Solution

Upgrade

Upgrade to Mozilla Firefox 1.5.0.1 or SeaMonkey 1.0.
For Mozilla-based products that have no updates available, users are
strongly encouraged to disable JavaScript.

Appendix A. References

 * Mozilla Foundation Security Advisories -
   <http://www.mozilla.org/security/announce/>

 * Mozilla Foundation Security Advisories -
   <http://www.mozilla.org/projects/security/known-vulnerabilities.ht
   ml>

 * US-CERT Vulnerability Note VU#592425 -
   <http://www.kb.cert.org/vuls/id/592425>

 * US-CERT Vulnerability Note VU#759273 -
   <http://www.kb.cert.org/vuls/id/759273>

 * US-CERT Vulnerability Notes Related to February Mozilla Security
   Advisories -
   <http://www.kb.cert.org/vuls/byid?searchview&query=mozilla_feb_200
   6>

 * US-CERT Vulnerability Note VU#604745 -
   <http://www.kb.cert.org/vuls/id/604745>

 * CVE-2006-0296 -
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0296>

 * CVE-2006-0295 -
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0295>

 * Firefox - Rediscover the Web - <http://www.mozilla.com/firefox/>

 * The SeaMonkey Project -
   <http://www.mozilla.org/projects/seamonkey/>

The most recent version of this document can be found at:

 <http://www.us-cert.gov/cas/techalerts/TA06-038A.html>

Feedback can be directed to US-CERT Technical Staff. Please send
email to <[email protected]> with "TA06-038A Feedback VU#592425" in the
subject.


For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html&gt;.


Produced 2006 by US-CERT, a government organization.

Terms of use:

 &lt;http://www.us-cert.gov/legal.html&gt;

Revision History

Feb 7, 2006: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBQ+jqRn0pj593lg50AQLZBQf9Hm+BCzOd/iwaoQVyudnE8ut/m+s/xgeG
10b2mpig57dPaSKsq9EpOitFIdHmvFha85OkAz9lfxTprrGm9kjw1lYlSH8idIst
Oq4oXwpPOcwVpOY/OoVeAyGSuOdmeGl1CsMSczD10XbmWOyPf6NBnR/e8U0Vebeu
GglhyODY/eKjbQ6bvDz19t76F5FwiDYKsMpo6CrEMhJWYwQXw3I4O1c9A2/t4OUP
N7+ZShp5/Cql919Nhl3InYMnlNiOeQLxm45PYfXKwW0r4HCM/Rq/SEKsmuDOYtA/
01gBu67urEw63Z0xbjoVJL/RW+5cavYS+gNbCZmaDNbR9WJP04k2PQ==
=snvO
-----END PGP SIGNATURE-----