> TITLE:
> Firefox Multiple Vulnerabilities
>
> SECUNIA ADVISORY ID:
> SA19631
>
> VERIFY ADVISORY:
> http://secunia.com/advisories/19631/
>
> CRITICAL:
> Highly critical
>
> IMPACT:
> Security Bypass, Cross Site Scripting, Spoofing, Exposure of
> sensitive information, DoS, System access
>
> WHERE:
> From remote
>
> SOFTWARE:
> Mozilla Firefox 0.x
> http://secunia.com/product/3256/
> Mozilla Firefox 1.x
> http://secunia.com/product/4227/
>
> DESCRIPTION:
> Multiple vulnerabilities have been reported in Firefox, which can be
> exploited by malicious people to conduct cross-site scripting and
> phishing attacks, bypass certain security restrictions, disclose
> sensitive information, and potentially compromise a user's system.
>
> 1) An error exists where JavaScript can be injected into another
> page, which is currently loading. This can be exploited to execute
> arbitrary HTML and script code in a user's browser session in the
> context of an arbitrary site.
>
> 2) An error in the garbage collection in the JavaScript engine can be
> exploited to cause a memory corruption.
>
> Successful exploitation may allow execution of arbitrary code.
>
> 3) A boundary error in the CSS border rendering implementation may be
> exploited to write past the end of an array.
>
> 4) An integer overflow in the handling of overly long regular
> expressions in JavaScript may be exploited to execute arbitrary
> JavaScript bytecode.
>
> 5) Two errors in the handling of "-moz-grid" and "-moz-grid-group"
> display styles may be exploited to execute arbitrary code.
>
> 6) An error in the "InstallTrigger.install()" method can be exploited
> to cause a memory corruption.
>
> 7) An unspecified error can be exploited to spoof the secure lock
> icon and the address bar by changing the location of a pop-up window
> in certain situations.
>
> Successful exploitation requires that the "Entering secure site"
> dialog has been enabled (not enabled by default).
>
> 8) It is possible to trick users into downloading malicious files via
> the "Save image as..." menu option.
>
> 9) A JavaScript function created via an "eval()" call associated with
> a method of an XBL binding may be compiled with incorrect privileges.
> This can be exploited to execute arbitrary code.
>
> 10) An error where the "Object.watch()" method exposes the internal
> "clone parent" function object can be exploited to execute arbitrary
> JavaScript code with escalated privileges.
>
> Successful exploitation allows execution of arbitrary code.
>
> 11) An error in the protection of the compilation scope of built-in
> privileged XBL bindings can be exploited to execute arbitrary
> JavaScript code with escalated privileges.
>
> Successful exploitation allows execution of arbitrary code.
>
> 12) An unspecified error can be exploited to execute arbitrary HTML
> and script code in a user's browser session in the context of an
> arbitrary site via the window.controllers array.
>
> 13) An error in the processing of a certain sequence of HTML tags can
> be exploited to cause a memory corruption.
>
> Successful exploitation allows execution of arbitrary code.
>
> 14) An error in the "valueOf.call()" and "valueOf.apply()" methods
> can be exploited to execute arbitrary HTML and script code in a
> user's browser session in the context of an arbitrary site.
>
> 15) Some errors in the DHTML implementation can be exploited to cause
> a memory corruption.
>
> Successful exploitation may allow execution of arbitrary code.
>
> 16) An integer overflow error in the processing of the CSS
> letter-spacing property can be exploited to cause a heap-based buffer
> overflow.
>
> Successful exploitation allows execution of arbitrary code.
>
> 17) An error in the handling of file upload controls can be exploited
> to upload arbitrary files from a user's system by e.g. dynamically
> changing a text input box to a file upload control.
>
> 18) An unspecified error in the "crypto.generateCRMFRequest()" method
> can be exploited to execute arbitrary code.
>
> 19) An error in the handling of scripts in XBL controls can be
> exploited to gain chrome privileges via the "Print Preview"
> functionality.
>
> 20) An error in a security check in the "js_ValueToFunctionObject()"
> method can be exploited to execute arbitrary code via "setTimeout()"
> and "ForEach".
>
> 21) An error in the interaction between XUL content windows and the
> history mechanism can be exploited to trick users into interacting
> with a browser user interface which is not visible.
>
> Successful exploitation may allow execution of arbitrary code.
>
> SOLUTION:
> Update to versions 1.0.8 or 1.5.0.2.
> http://www.mozilla.com/firefox/
>
> PROVIDED AND/OR DISCOVERED BY:
> 1, 9, 10, 12, 18, 20) shutdown
> 2) Igor Bukanov
> 3) Bernd Mielke
> 4) Alden D'Souza
> 5) Martijn Wargers
> 6) Bob Clary
> 7) Tristor
> 8) Michael Krax
> 11, 14, 21) moz_bug_r_a4
> 13, 16) TippingPoint and the Zero Day Initiative
> 17) Claus Jørgensen and Jesse Ruderman
> 19) Georgi Guninski
>
> ORIGINAL ADVISORY:
> http://www.mozilla.org/security/announce/2006/mfsa2006-09.html
> http://www.mozilla.org/security/announce/2006/mfsa2006-10.html
> http://www.mozilla.org/security/announce/2006/mfsa2006-11.html
> http://www.mozilla.org/security/announce/2006/mfsa2006-12.html
> http://www.mozilla.org/security/announce/2006/mfsa2006-13.html
> http://www.mozilla.org/security/announce/2006/mfsa2006-14.html
> http://www.mozilla.org/security/announce/2006/mfsa2006-15.html
> http://www.mozilla.org/security/announce/2006/mfsa2006-16.html
> http://www.mozilla.org/security/announce/2006/mfsa2006-17.html
> http://www.mozilla.org/security/announce/2006/mfsa2006-18.html
> http://www.mozilla.org/security/announce/2006/mfsa2006-19.html
> http://www.mozilla.org/security/announce/2006/mfsa2006-20.html
> http://www.mozilla.org/security/announce/2006/mfsa2006-22.html
> http://www.mozilla.org/security/announce/2006/mfsa2006-23.html
> http://www.mozilla.org/security/announce/2006/mfsa2006-24.html
> http://www.mozilla.org/security/announce/2006/mfsa2006-25.html
> http://www.mozilla.org/security/announce/2006/mfsa2006-28.html
> http://www.mozilla.org/security/announce/2006/mfsa2006-29.html
>