SecurityTracker.com
Category:   Application (Web Browser)  >   Mozilla Firefox
Vendors:   Mozilla.org
Mozilla Firefox Multiple Bugs Let Remote Users Execute Arbitrary Code, Obtain Information and Conduct Cross-Site Scripting Attacks and Let Local Users Obtain Elevated Privileges
SecurityTracker Alert ID:  1028555
SecurityTracker URL:  http://securitytracker.com/id/1028555
CVE Reference:   CVE-2013-0801, CVE-2013-1669, CVE-2013-1670, CVE-2013-1671, CVE-2013-1672, CVE-2013-1673, CVE-2013-1674, CVE-2013-1675, CVE-2013-1676, CVE-2013-1677, CVE-2013-1678, CVE-2013-1679, CVE-2013-1680, CVE-2013-1681
Date:  May 14 2013
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via local system, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to 17.0.6 and 21.0
Description:   Multiple vulnerabilities were reported in Mozilla Firefox. A remote user can cause arbitrary code to be executed on the target user's system. A remote user can conduct cross-site scripting attacks. A remote user can obtain potentially sensitive information. A local user can obtain elevated privileges on the target system.

A remote user can create specially crafted HTML that, when loaded by the target user, will trigger memory corruption errors and execute arbitrary code on the target system [CVE-2013-0801, CVE-2013-1669]. The code will run with the privileges of the target user.

A remote user can access a content level constructor with chrome privileged access to write to objects that should be read-only and conduct cross-site scripting attacks [CVE-2013-1670].

A local user can exploit a flaw in the '<input>' control to determine the full path of a target file [CVE-2013-1671].

A local user on Windows-based systems can exploit a flaw in the Mozilla Maintenance Service to gain system privileges [CVE-2013-1672, CVE-2013-1673].

A remote user can trigger a use-after-free in the resizing of video during playback [CVE-2013-1674].

A remote user can trigger an uninitialized memory error in some DOMSVGZoomEvent() functions to obtain potentially sensitive information from memory [CVE-2013-1675].

A remote user can trigger an out-of-bounds read in SelectionIterator::GetNextSegment() [CVE-2013-1676].

A remote user can trigger an out-of-bounds read in gfxSkipCharsIterator::SetOffsets() [CVE-2013-1677].

A remote user can trigger an invalid write in _cairo_xlib_surface_add_glyph() [CVE-2013-1678].

A remote user can trigger a use-after-free heap error in mozilla::plugins::child::_geturlnotify() [CVE-2013-1679].

A remote user can trigger a use-after-free heap error in nsFrameList::FirstChild() [CVE-2013-1680].

A remote user can trigger a use-after-free heap error in nsContentUtils::RemoveScriptBlocker() [CVE-2013-1681].

Christoph Diehl, Christian Holler, Jesse Ruderman, Timothy Nikkel, Jeff Walden, Bob Clary, Ben Turner, Benoit Jacob, Bobby Holley, Andrew McCreight, Gary Kwong, Jason Orendorff, Matt Wobensmith, Mats Palmgren, Cody Crews, moz_bug_r_a4, Seb Patane, Robert Kugler, Nils, Ms2ger, and Abhishek Arya (Inferno) of the Google Chrome Security Team reported these vulnerabilities.

Impact:   A remote user can create a file that, when loaded by the target user, will execute arbitrary code on the target user's system.

A local user can obtain elevated privileges on the target system.

A remote user can conduct cross-site scripting attacks.

A remote user can obtain potentially sensitive information.

Solution:   The vendor has issued a fix (17.0.6, 21.0).

The vendor's advisories are available at:

http://www.mozilla.org/security/announce/2013/mfsa2013-41.html
http://www.mozilla.org/security/announce/2013/mfsa2013-42.html
http://www.mozilla.org/security/announce/2013/mfsa2013-43.html
http://www.mozilla.org/security/announce/2013/mfsa2013-44.html
http://www.mozilla.org/security/announce/2013/mfsa2013-45.html
http://www.mozilla.org/security/announce/2013/mfsa2013-46.html
http://www.mozilla.org/security/announce/2013/mfsa2013-47.html
http://www.mozilla.org/security/announce/2013/mfsa2013-48.html
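
The two fixed versions sit on different release branches, so a single "older than 21.0" or "at least 17.0.6" comparison misclassifies hosts. The following is an added example, not part of the SecurityTracker entry or the vendor advisories: it triages an inventory of version banners, assuming 17.0.x is the ESR branch and that banners look like `firefox --version` output; the hostnames and banners are constructed.

```python
import re

# Fixed releases named in the "Version(s)" and "Solution" fields above.
FIXED_ESR = (17, 0, 6)       # assumption: 17.0.x is the ESR branch
FIXED_MAINLINE = (21, 0, 0)


def parse_version(text):
    """Extract (major, minor, patch) from e.g. 'Mozilla Firefox 17.0.6esr'.

    Pre-release suffixes such as 'a1' or 'b3' are ignored.
    """
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError("no version number in %r" % text)
    return tuple(int(g or 0) for g in m.groups())


def is_affected(text):
    """True if the reported version predates the fix on its own branch."""
    v = parse_version(text)
    if v[0] == 17:               # ESR branch: fixed at 17.0.6
        return v < FIXED_ESR
    return v < FIXED_MAINLINE    # every other release: fixed at 21.0


def triage(inventory):
    """Map host -> 'affected', 'fixed' or 'unknown' for a host->banner dict."""
    result = {}
    for host, banner in inventory.items():
        try:
            result[host] = "affected" if is_affected(banner) else "fixed"
        except ValueError:
            result[host] = "unknown"   # no parsable version: check by hand
    return result


# Constructed sample inventory (hostnames and banners are made up).
SAMPLE = {
    "ws-01": "Mozilla Firefox 17.0.5",
    "ws-02": "Mozilla Firefox 17.0.6esr",
    "ws-03": "Mozilla Firefox 20.0.1",
    "ws-04": "Mozilla Firefox 21.0",
    "ws-05": "firefox: command not found",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE).items()):
        print(host, status)
```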

Vendor URL:  www.mozilla.org/security/announce/2013/mfsa2013-41.html
Cause:   Access control error, Boundary error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
May 14 2013 (Red Hat Issues Fix) Mozilla Firefox Multiple Bugs Let Remote Users Execute Arbitrary Code, Obtain Information and Conduct Cross-Site Scripting Attacks and Let Local Users Obtain Elevated Privileges
Red Hat has issued a fix for Red Hat Enterprise Linux 5 and 6.


