Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Mozilla Firefox Multiple Bugs Let Remote Users Execute Arbitrary Code
|
|
SecurityTracker Alert ID: 1016586
|
|
SecurityTracker URL: http://securitytracker.com/id?1016586
|
|
CVE Reference: CVE-2006-3113
, CVE-2006-3677
, CVE-2006-3801
, CVE-2006-3802
, CVE-2006-3803
, CVE-2006-3805
, CVE-2006-3806
, CVE-2006-3807
, CVE-2006-3808
, CVE-2006-3809
, CVE-2006-3810
, CVE-2006-3811
, CVE-2006-3812
(Links to External Site)
|
Date: Jul 27 2006
|
Impact: Denial of service via network, Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Advisory: Mozilla Foundation Security Advisory
|
Version(s): 1.5.0.4 and prior versions
|
Description: Several vulnerabilities were reported in Mozilla Firefox. A remote user can cause arbitrary code to be executed on the target user's system. A remote user can execute arbitrary scripting code in the context of an arbitrary domain.
A remote user can create a specially crafted HTML that, when loaded by the target user, will cause the target user's browser to crash
or execute arbitrary code. The code will run with the privileges of the target user.
A flaw in the processing of simultaneously
XPCOM events may cause a deleted timer object to be used, causing the browser to crash or execute arbitrary code [MFSA 2006-46;
CVE-2006-3113]. Firefox version 1.5.x is affected. Mozilla Suite is not affected. Thunderbird is affected if Javascript is enabled
in mail. Secunia Research discovered this vulnerability.
A web page containing Java can reference the window.navigator object
but change the object before Java is started to execute native code [MFSA 2006-45; CVE-2006-3677]. Firefox 1.0 and Mozilla Suite
1.7 are not affected. Thunderbird is not affected. TippingPoint reported this vulnerability.
The browser may not properly clear
a JavaScript reference to a frame or window when the referenced content is deleted, allowing native code to be executed [MFSA 2006-44;
CVE-2006-3801]. Firefox 1.0 and Mozilla Suite 1.7 are not affected. Thunderbird is affected if Javascript is enabled in mail.
Thilo Girmann discovered this vulnerability.
A web page can hijack native DOM methods on a target document object in a different
domain to cause arbitrary scripting code to run in the target domain [MFSA 2006-47; CVE-2006-3802]. Firefox 1.0 and Mozilla Suite
1.7 are not affected. Thunderbird is affected if Javascript is enabled in mail. Thor Larholm discovered this vulnerability.
A
script can redefine the standard Object() constructor of a named Javascript function to return a reference to a privileged target
object, allowing the script to execute with elevated privileges [MFSA 2006-51; CVE-2006-3807]. Thunderbird is affected if Javascript
is enabled in mail. moz_bug_r_a4 discovered this vulnerability.
A race condition in Javascript garbage collection may cause
a temporary variable to be deleted while still being used to create a new Function object [MFSA 2006-48; CVE-2006-3803]. This may
allow a remote user to execute arbitrary code. Firefox 1.0 and Mozilla Suite 1.7 are not affected. Thunderbird is affected if
Javascript is enabled in mail. H. D. Moore discovered this vulnerability.
Some garbage collection functions may delete temporary
objects that are still in use, which may allow a remote user to execute arbitrary code [MFSA 2006-50; CVE-2006-3805]. Thunderbird
is affected if Javascript is enabled in mail. Mozilla developers Igor Bukanov and shutdown discovered this vulnerability.
Some
integer overflows can be triggered by long strings in the toSource() methods of the Object, Array, and String objects and string
function arguments [MFSA 2006-50; CVE-2006-3806]. Thunderbird is affected if Javascript is enabled in mail. Mozilla developer
Georgi Guninski discovered this vulnerability.
A Proxy AutoConfig (PAC) server can send a specially crafted PAC script that sets
the required FindProxyForURL function to the eval method on a privileged object that has leaked into the PAC sandbox to execute
code with elevated privileges [MFSA 2006-52; CVE-2006-3808]. moz_bug_r_a4 discovered this vulnerability.
A script that has been
granted the UniversalBrowserRead privilege can gain UniversalXPConnect privileges [MFSA 2006-53; CVE-2006-3809]. Thunderbird is
affected if Javascript is enabled in mail. Mozilla developer shutdown reported this vulnerability.
A remote user can invoke
XPCNativeWrapper(window).Function(...) to create a function that can execute in a target window, permitting cross-site scripting
attacks [MFSA 2006-54; CVE-2006-3810]. Firefox 1.0 and Mozilla Suite 1.7 are not affected. Thunderbird is affected if Javascript
is enabled in mail. Mozilla developer shutdown reported this vulnerability.
A remote user can trigger any of several memory
corruption errors, causing the target user's browser to crash or potentially execute arbitrary code [MFSA 2006-55; CVE-2006-3811].
Mozilla developers Boris Zbarsky, Darin Fisher, Daniel Veditz, Jesse Ruderman, and Martijn Wargers discovered these vulnerabilities.
A
chrome URL can be made to reference remote files, which can run scripts with full privileges [MFSA 2006-56; CVE-2006-3812]. Benjamin
Smedberg discovered this vulnerability.
|
Impact: A remote user can create HTML that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote user can execute arbitrary scripting code in the context of an arbitrary domain.
|
Solution: The vendor has issued a fixed version (1.5.0.5).
The Mozilla advisories are available at:
http://www.mozilla.org/security/announce/2006/mfsa2006-44.html
http://www.
mozilla.org/security/announce/2006/mfsa2006-45.html
http://www.mozilla.org/security/announce/2006/mfsa2006-46.html
http://www.mozilla.org/security/announce/2006/mfsa200
6-47.html
http://www.mozilla.org/security/announce/2006/mfsa2006-48.html
http://www.mozilla.org/security/announce/2006/mfsa2006-50.html
http://www.mozilla.org/security
/announce/2006/mfsa2006-51.html
http://www.mozilla.org/security/announce/2006/mfsa2006-52.html
http://www.mozilla.org/security/announce/2006/mfsa2006-53.html
http://ww
w.mozilla.org/security/announce/2006/mfsa2006-54.html
http://www.mozilla.org/security/announce/2006/mfsa2006-55.html
|
Vendor URL: www.mozilla.com/firefox/ (Links to External Site)
|
Cause: Access control error, Boundary error, State error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: Thu, 27 Jul 2006 00:32:37 -0400
Subject: Mozilla Firefox vulnerabilities
|
MFSA 2006-56 chrome: scheme loading remote content CVE-2006-3812
MFSA 2006-55 Crashes with evidence of memory corruption (rv:1.8.0.5) CVE-2006-3811
MFSA 2006-54 XSS with XPCNativeWrapper(window).Function(...) CVE-2006-3810
MFSA 2006-53 UniversalBrowserRead privilege escalation CVE-2006-3809
MFSA 2006-52 PAC privilege escalation using Function.prototype.call CVE-2006-3808
MFSA 2006-51 Privilege escalation using named-functions and redefined "new Object()" CVE-20
06-3807
MFSA 2006-50 JavaScript engine vulnerabilities CVE-2006-3805, CVE-2006-3806
MFSA 2006-48 JavaScript new Function race condition CVE-2006-3803
MFSA 2006-47 Native DOM methods can be hijacked across domains CVE-2006-3802
MFSA 2006-46 Memory corruption with simultaneous events CVE-2006-3113
MFSA 2006-45 Javascript navigator Object Vulnerability CVE-2006-3677
MFSA 2006-44 Code execution through deleted frame reference CVE-2006-3801
|
|
Go to the Top of This SecurityTracker Archive Page
|
