Mozilla Products Multiple Vulnerabilities
RISK: Medium Risk
Multiple vulnerabilities have been identified in Mozilla Firefox, Thunderbird and SeaMonkey, which could be exploited by attackers to manipulate or disclose certain data, bypass security restrictions or compromise a vulnerable system.
1. Due to memory corruption errors in the browser engine when parsing malformed data, which could be exploited by attackers to crash a vulnerable browser or execute arbitrary code.
2. Due to buffer overflow and memory corruption errors when processing overly long data passed to "document.write()", which could be exploited by remote attackers to compromise a vulnerable system.
3. Due to a use-after-free error in "nsBarProp" when accessing the "locationbar" property of a "window" object after it had been closed, which could be exploited by remote attackers to compromise a vulnerable system.
4. Due to a dangling pointer in "LookupGetterOrSetter" when "window.__lookupGetter__" is called without arguments, which could be exploited by remote attackers to compromise a vulnerable system.
5. Due to an input validation error in the Gopher parser when processing certain text, which could allow cross-site scripting attacks.
6. Due to an error when handling modal calls, which could allow attackers to bypass the same-origin policy and conduct cross-domain scripting attacks.
7. Due to an error when handling SSL certificates, which could allow spoofing attacks via MitM attacks.
8. Due to errors when loading libraries on Windows and Linux, which could allow attackers or malicious users to load malicious libraries.
9. Due to the SSL implementation permitting servers to use Diffie-Hellman Ephemeral mode (DHE) with insecure keys, which could be exploited to guess the keys.
Impact
- Remote Code Execution
- Security Restriction Bypass
- Information Disclosure
System / Technologies affected
- Mozilla Firefox versions prior to 3.6.11
- Mozilla Firefox versions prior to 3.5.14
- Mozilla Thunderbird versions prior to 3.1.5
- Mozilla Thunderbird versions prior to 3.0.9
- Mozilla SeaMonkey versions prior to 2.0.9
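The affected-version list above can be applied to a software inventory as a branch-aware comparison. The following is an added example, not part of the original advisory; the inventory rows and function names are constructed for illustration, and versions on branches older than those listed are assumed affected because they precede every fixed release.

```python
import re

# Fixed releases from the advisory, one per maintained branch.
FIXED = {
    "firefox": [(3, 5, 14), (3, 6, 11)],
    "thunderbird": [(3, 0, 9), (3, 1, 5)],
    "seamonkey": [(2, 0, 9)],
}

def parse_version(text):
    """Return the leading dotted number of a version string as a tuple (min. 3 parts)."""
    match = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    parts += [0] * (3 - len(parts))  # "3.6" is treated as 3.6.0
    return tuple(parts)

def is_affected(product, version_text):
    """True/False for products in the advisory, None for anything else."""
    fixed = FIXED.get(product.lower().replace("mozilla ", "").strip())
    if fixed is None:
        return None
    version = parse_version(version_text)
    for release in fixed:
        if release[:2] == version[:2]:   # same major.minor branch
            return version < release
    # Assumption: no matching branch, so compare against the newest fixed
    # release; anything older than it has no fix on its own branch.
    return version < max(fixed)

def audit(inventory):
    """Return the inventory rows that still need the upgrade."""
    return [row for row in inventory if is_affected(row[1], row[2])]

# Constructed sample inventory: (host, product, installed version).
INVENTORY = [
    ("ws-01", "Firefox", "3.6.10"),
    ("ws-02", "Firefox", "3.6.11"),
    ("ws-03", "Firefox", "3.5.14"),
    ("ws-04", "Firefox", "3.0.19"),
    ("ws-05", "Mozilla Thunderbird", "3.1.4"),
    ("ws-06", "SeaMonkey", "2.0.9"),
    ("ws-07", "Thunderbird", "3.0.9"),
]

if __name__ == "__main__":
    for host, product, version in audit(INVENTORY):
        print(f"{host}: {product} {version} needs the upgrade")
```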
Solutions
Before installing the software, please visit the software manufacturer's website for more details.
- Upgrade to Mozilla Firefox version 3.6.11 or 3.5.14: http://www.mozilla.com/firefox/
- Upgrade to Mozilla Thunderbird version 3.1.5 or 3.0.9: http://www.mozilla.com/thunderbird/
- Upgrade to Mozilla SeaMonkey version 2.0.9: http://www.mozilla.com/seamonkey/
Vulnerability Identifier
- CVE-2010-3170
- CVE-2010-3173
- CVE-2010-3174
- CVE-2010-3175
- CVE-2010-3176
- CVE-2010-3177
- CVE-2010-3178
- CVE-2010-3179
- CVE-2010-3180
- CVE-2010-3181
- CVE-2010-3182
- CVE-2010-3183
Source
Related Link
- http://www.vupen.com/english/advisories/2010/2726
- http://secunia.com/advisories/41890/
- http://secunia.com/advisories/41923/
- http://www.mozilla.org/security/announce/2010/mfsa2010-64.html
- http://www.mozilla.org/security/announce/2010/mfsa2010-65.html
- http://www.mozilla.org/security/announce/2010/mfsa2010-66.html
- http://www.mozilla.org/security/announce/2010/mfsa2010-67.html
- http://www.mozilla.org/security/announce/2010/mfsa2010-68.html
- http://www.mozilla.org/security/announce/2010/mfsa2010-69.html
- http://www.mozilla.org/security/announce/2010/mfsa2010-70.html
- http://www.mozilla.org/security/announce/2010/mfsa2010-71.html
- http://www.mozilla.org/security/announce/2010/mfsa2010-72.html