> TITLE:
> Firefox Multiple Vulnerabilities
>
> SECUNIA ADVISORY ID:
> SA18700
>
> VERIFY ADVISORY:
> http://secunia.com/advisories/18700/
>
> CRITICAL:
> Highly critical
>
> IMPACT:
> Security Bypass, Cross Site Scripting, Exposure of system
> information, Exposure of sensitive information, System access
>
> WHERE:
> From remote
>
> SOFTWARE:
> Mozilla Firefox 0.x
> http://secunia.com/product/3256/
> Mozilla Firefox 1.x
> http://secunia.com/product/4227/
>
> DESCRIPTION:
> Multiple vulnerabilities have been reported in Firefox, which can be
> exploited by malicious people to bypass certain security
> restrictions, conduct cross-site scripting attacks, potentially
> disclose sensitive information, and potentially compromise a user's
> system.
>
> 1) Some errors in the JavaScript engine where certain temporary
> variables are not properly protected may be exploited to execute
> arbitrary code via a user-defined method triggering garbage
> collection.
>
> One of the vulnerabilities affects only version 1.5. The other
> affects version 1.5 and prior.
>
> 2) An error in the dynamic style handling can be exploited to
> reference freed memory by changing the style of an element from
> "position:relative" to "position:static".
>
> Successful exploitation may allow execution of arbitrary code.
>
> The vulnerability has been reported in version 1.5.
>
> 3) An error in the "QueryInterface" method of the Location and
> Navigator objects can be exploited to cause a memory corruption.
>
> Successful exploitation may allow execution of arbitrary code.
>
> The vulnerability has been reported in version 1.5.
>
> 4) An input validation error in the processing of the attribute name
> when calling "XULDocument.persist()" can be exploited to inject
> arbitrary XML and JavaScript code in "localstore.rdf", which will be
> executed with the permissions of the browser the next time the
> browser starts up again.
>
> 5) Some integer overflows in the E4X, SVG, and Canvas functionalities
> may be exploited to execute arbitrary code.
>
> The vulnerabilities have been reported in version 1.5.
>
> 6) A boundary error in the "nsExpatDriver::ParseBuffer()" function in
> the XML parser may be exploited to disclose data on the heap.
>
> The vulnerability does not affect version 1.0.
>
> 7) The internal "AnyName" object of the E4X functionality is not
> properly protected. This can be exploited to create a communication
> channel between two windows or frames having different domains.
>
> This does not pose any direct risks and does not allow bypass of
> same-origin restrictions or disclosure of web content from other
> domains.
>
> The vulnerability does not affect version 1.0.
>
> SOLUTION:
> Update to version 1.5.0.1.
> http://www.mozilla.com/firefox/
>
> PROVIDED AND/OR DISCOVERED BY:
> 1) Igor Bukanov
> 2) Martijn Wargers
> 3) Georgi Guninski
> 4) moz_bug_r_a4
> 5) Georgi Guninski
> 6) Johnny Stenback
> 7) Brendan Eich
>
> ORIGINAL ADVISORY:
> Mozilla:
> http://www.mozilla.org/security/announce/mfsa2006-01.html
> http://www.mozilla.org/security/announce/mfsa2006-02.html
> http://www.mozilla.org/security/announce/mfsa2006-04.html
> http://www.mozilla.org/security/announce/mfsa2006-05.html
> http://www.mozilla.org/security/announce/mfsa2006-06.html
> http://www.mozilla.org/security/announce/mfsa2006-07.html
> http://www.mozilla.org/security/announce/mfsa2006-08.html
>