Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Windows Net Apps :: us-cer~3.txt

Mozilla products Multiple vulnerabilities




                        National Cyber Alert System

                 Technical Cyber Security Alert TA06-038A


Multiple Vulnerabilities in Mozilla Products

   Original release date: February 7, 2006
   Last revised: --
   Source: US-CERT


Systems Affected

   Mozilla software, including the following, is affected:
     * Mozilla web browser, email and newsgroup client
     * Mozilla SeaMonkey
     * Firefox web browser
     * Thunderbird email client


Overview

   Several vulnerabilities exist in the Mozilla web browser and derived
   products, the most serious of which could allow a remote attacker to
   execute arbitrary code on an affected system.


I. Description

   Several vulnerabilities have been reported in the Mozilla web browser
   and derived products. More detailed information is available in the
   individual vulnerability notes, including:


   VU#592425 - Mozilla-based products fail to validate user input to the
   attribute name in "XULDocument.persist"

   A vulnerability in some Mozilla products that could allow a remote
   attacker to execute Javascript commands with the permissions of the
   user running the affected application.
   (CVE-2006-0296)


   VU#759273 - Mozilla QueryInterface memory corruption vulnerability

   Mozilla Firefox web browser and Thunderbird mail client contain a
   memory corruption vulnerability that may allow a remote attacker to
   execute arbitrary code.
   (CVE-2006-0295)


II. Impact

   The most severe impact of these vulnerabilities could allow a remote
   attacker to execute arbitrary code with the privileges of the user
   running the affected application. Other impacts include a denial of
   service or local information disclosure.


III. Solution

Upgrade

   Upgrade to Mozilla Firefox 1.5.0.1 or SeaMonkey 1.0.
   For Mozilla-based products that have no updates available, users are
   strongly encouraged to disable JavaScript.


Appendix A. References

     * Mozilla Foundation Security Advisories -
       <http://www.mozilla.org/security/announce/>

     * Mozilla Foundation Security Advisories -
       <http://www.mozilla.org/projects/security/known-vulnerabilities.ht
       ml>

     * US-CERT Vulnerability Note VU#592425 -
       <http://www.kb.cert.org/vuls/id/592425>

     * US-CERT Vulnerability Note VU#759273 -
       <http://www.kb.cert.org/vuls/id/759273>

     * US-CERT Vulnerability Notes Related to February Mozilla Security
       Advisories -
       <http://www.kb.cert.org/vuls/byid?searchview&query=mozilla_feb_200
       6>

     * US-CERT Vulnerability Note VU#604745 -
       <http://www.kb.cert.org/vuls/id/604745>

     * CVE-2006-0296 -
       <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0296>

     * CVE-2006-0295 -
       <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0295>

     * Firefox - Rediscover the Web - <http://www.mozilla.com/firefox/>

     * The SeaMonkey Project -
       <http://www.mozilla.org/projects/seamonkey/>

 ____________________________________________________________________

   The most recent version of this document can be found at:

     <http://www.us-cert.gov/cas/techalerts/TA06-038A.html>
 ____________________________________________________________________

   Feedback can be directed to US-CERT Technical Staff. Please send
   email to <cert@cert.org> with "TA06-038A Feedback VU#592425" in the
   subject.
 ____________________________________________________________________

   For instructions on subscribing to or unsubscribing from this
   mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
 ____________________________________________________________________

   Produced 2006 by US-CERT, a government organization.

   Terms of use:

     <http://www.us-cert.gov/legal.html>
 ____________________________________________________________________


Revision History

   Feb 7, 2006: Initial release



TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH