Mozilla Firefox Auto-Update Can Be Spoofed in Certain Cases
SecurityTracker Alert ID: 1016851
SecurityTracker URL: http://securitytracker.com/id?1016851
CVE Reference: CVE-2006-4567
Date: Sep 15 2006
Impact: Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Advisory: Mozilla Foundation Security Advisory
Version(s): prior to 1.5.0.7
Description: A vulnerability was reported in Mozilla Firefox. A remote user may be able to hijack auto-update sessions to cause arbitrary code to be loaded on the target user's system.
If a target user accepts a self-signed certificate from a malicious site, that certificate can be used in an attempt to exploit the auto-update system. If a remote user can spoof DNS for the 'aus2.mozilla.org' site, and the target user has accepted the remote user's certificate for the spoofed Mozilla update site, then the remote user can hijack a subsequent auto-update check.
Jon Oberheide reported this vulnerability.
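The trust mistake described above, modelled as an added example (not Mozilla's code): a certificate exception the user accepted while browsing must not be consulted when the updater validates the server it reaches for 'aus2.mozilla.org'. The CA name, fingerprints and function names are assumptions for illustration; only the update hostname comes from the advisory.

```python
from dataclasses import dataclass, field

UPDATE_HOST = "aus2.mozilla.org"  # update server named in the advisory


@dataclass(frozen=True)
class Cert:
    subject: str      # hostname the certificate claims to be for
    issuer: str       # issuing CA; equals subject when self-signed
    fingerprint: str  # constructed stand-in for a certificate thumbprint


@dataclass
class TrustStore:
    builtin_cas: set = field(default_factory=set)
    user_exceptions: set = field(default_factory=set)  # fingerprints the user clicked through


def accept_for_browsing(cert, store):
    """Ordinary page-load policy: CA-issued, or a stored user exception."""
    return cert.issuer in store.builtin_cas or cert.fingerprint in store.user_exceptions


def update_allowed_vulnerable(host, cert, store):
    """Weak policy: reuses the browsing decision for the update channel, so an
    exception accepted on a malicious site also covers a DNS-spoofed update host."""
    return accept_for_browsing(cert, store)


def update_allowed_hardened(host, cert, store):
    """Update-channel policy: must chain to a built-in CA and be issued for the
    expected host; user exceptions are never consulted here."""
    return cert.issuer in store.builtin_cas and cert.subject == host


def spoof_scenario(policy):
    """DNS for the update host points at the attacker, who presents the self-signed
    certificate the user previously accepted while browsing (constructed data)."""
    store = TrustStore(builtin_cas={"Example Root CA"})
    attacker = Cert(subject=UPDATE_HOST, issuer=UPDATE_HOST, fingerprint="aa:bb:cc")
    store.user_exceptions.add(attacker.fingerprint)  # user chose "accept permanently"
    return policy(UPDATE_HOST, attacker, store)


def genuine_scenario(policy):
    """The real update server, with a certificate chaining to a built-in CA."""
    store = TrustStore(builtin_cas={"Example Root CA"})
    genuine = Cert(subject=UPDATE_HOST, issuer="Example Root CA", fingerprint="11:22:33")
    return policy(UPDATE_HOST, genuine, store)
```

The hardened policy still accepts the genuine server but rejects the spoofed one, because the decision depends only on the built-in CA set and the expected hostname.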
Impact: A remote user may be able to hijack auto-update sessions in certain cases to install arbitrary code on the target user's system.
Solution: The vendor has issued a fixed version (1.5.0.7).
The Mozilla advisory is available at:
http://www.mozilla.org/security/announce/2006/mfsa2006-58.html
Vendor URL: www.mozilla.org/security/announce/2006/mfsa2006-58.html
Cause: Authentication error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Message History:
None.
Source Message Contents
Date: Thu, 14 Sep 2006 21:12:24 -0400
Subject: http://www.mozilla.org/security/announce/2006/mfsa2006-58.html
Mozilla Foundation Security Advisory 2006-58
Title: Auto-update compromise through DNS and SSL spoofing
Impact: Moderate
Announced: September 14, 2006
Reporter: Jon Oberheide
Products: Firefox, Thunderbird
Fixed in: Firefox 1.5.0.7, Thunderbird 1.5.0.7
CVE-2006-4567