Mozilla S/MIME ASN.1 Implementation Bugs May Let Remote Users Execute Arbitrary Code
|
|
SecurityTracker Alert ID: 1009479 |
|
SecurityTracker URL: http://securitytracker.com/id/1009479
|
|
CVE Reference:
CAN-2003-0564
|
Updated: Apr 15 2004
|
Original Entry Date: Mar 18 2004
|
Impact:
Execution of arbitrary code via network, User access via network
|
Fix Available: Yes
|
Vendor Confirmed: Yes
|
Version(s): 1.4 and prior versions
|
Description:
A vulnerability was reported in the Mozilla browser. A remote user may be able to execute arbitrary code on the target user's system.
A vulnerability was reported in the S/MIME implementation in the NSS security suite that ships with Mozilla 1.4. A remote user can reportedly send a specially crafted S/MIME email message containing certain unexpected ASN.1 constructs to crash the target user's browser or execute arbitrary code on the target user's system.
This was demonstrated using the NISCC test suite, the report said.
NSS version 3.9 reportedly corrects these problems.
|
Impact:
A remote user may be able to execute arbitrary code on the target user's system.
|
Solution:
The vendor has issued a fixed version (1.5 and later versions), available at:
http://www.mozilla.org/
|
Vendor URL: www.mozilla.org/
|
Cause:
Boundary error, Exception handling error
|
Underlying OS:
Linux (Any), UNIX (Any), Windows (Any)
|
|
Source Message Contents
|
Date: Thu, 18 Mar 2004 04:11:44 -0500
Subject: CAN-2003-0564
|
CVE: CAN-2003-0564
A vulnerability was reported in the NSS security suite which ships with Mozilla 1.4. The
S/MIME implementation reportedly allows a remote user to cause a Denial of Service and
possibly execute arbitrary code by sending an S/MIME email message that contains certain
unexpected ASN.1 constructs. This was demonstrated using the NISCC test suite, the report
said. NSS version 3.9 reportedly corrects these problems.
|
|