>
> TITLE:
> Firefox Multiple Vulnerabilities
>
> SECUNIA ADVISORY ID:
> SA20376
>
> VERIFY ADVISORY:
> http://secunia.com/advisories/20376/
>
> CRITICAL:
> Highly critical
>
> IMPACT:
> Security Bypass, Cross Site Scripting, System access
>
> WHERE:
> From remote
>
> SOFTWARE:
> Mozilla Firefox 1.x
> http://secunia.com/product/4227/
> Mozilla Firefox 0.x
> http://secunia.com/product/3256/
>
> DESCRIPTION:
> Multiple vulnerabilities have been reported in Firefox, which can be
> exploited by malicious people to bypass certain security
> restrictions, conduct cross-site scripting and HTTP response
> smuggling attacks, and potentially compromise a user's system.
>
> 1) An error in the sandbox protection of JavaScript run via
> EvalInSandbox can be exploited to execute arbitrary JavaScript code
> with escalated privileges by calling the "valueOf()" function on
> external objects outside of the sandbox.
>
> Successful exploitation requires that the attacker is able to execute
> JavaScript code inside the EvalInSandbox (e.g. via a Proxy Autoconfig
> script or a third-party extension using the vulnerable
> functionality).
>
> 2) Some errors in the browser engine can be exploited to cause a
> memory corruption.
>
> Successful exploitation may allow execution of arbitrary code.
>
> 3) Two errors in the handling of specially crafted HTTP responses in
> certain situations can be exploited to cause the browser to process a
> response as two separate responses from different sites.
>
> Successful exploitation allows execution of arbitrary HTML and script
> in a user's browser session in context of an arbitrary site, but
> requires that the browser is configured to use a proxy or that the
> malicious site shares the same IP address as the targeted site.
>
> 4) Two errors in the handling of the "View Image" and "Show only this
> frame" functionalities can be exploited to execute arbitrary HTML and
> script code in a user's browser session in context of an arbitrary
> site by e.g. tricking a user into right-clicking and choosing "View
> Image" on a broken image.
>
> 5) An error caused due to persisted XUL attributes in certain
> situations being associated with an incorrect URL can be exploited to
> execute arbitrary JavaScript code with escalated privileges.
>
> 6) An error caused due to content-defined setters on an object
> prototype being called by privileged code in the user interface can
> be exploited to execute arbitrary JavaScript code with escalated
> privileges.
>
> 7) An error caused due to an off-by-two array boundary error in the
> "crypto.signText()" function can be exploited to cause a buffer
> overflow by passing optional Certificate Authority name arguments.
>
> 8) An error exists due to Unicode Byte-order-Mark (BOM) data being
> stripped from documents served in UTF-8 during the conversion to
> Unicode. This can be exploited to bypass certain HTML and JavaScript
> filtering mechanisms in web applications using the UTF-8 character
> encoding.
>
> 9) An error in the processing of the addSelectionListener when
> handling notifications in certain situations can be exploited to
> execute arbitrary JavaScript code with escalated privileges.
>
> SOLUTION:
> Update to version 1.5.0.4.
> http://www.mozilla.com/firefox/
>
> PROVIDED AND/OR DISCOVERED BY:
> 1) moz_bug_r_a4
> 2) Mozilla Developers
> 3) Kazuho Oku, Cybozu Labs
> 4) Paul Nickerson
> 5) Jonas Sicking, Mozilla
> 6) Paul Nickerson and moz_bug_r_a4
> 7) Mikolaj J. Habryn
> 8) Masatoshi Kimura
> 9) moz_bug_r_a4
>
> ORIGINAL ADVISORY:
> 1) http://www.mozilla.org/security/announce/2006/mfsa2006-31.html
> 2) http://www.mozilla.org/security/announce/2006/mfsa2006-32.html
> 3) http://www.mozilla.org/security/announce/2006/mfsa2006-33.html
> 4) http://www.mozilla.org/security/announce/2006/mfsa2006-34.html
> 5) http://www.mozilla.org/security/announce/2006/mfsa2006-35.html
> 6) http://www.mozilla.org/security/announce/2006/mfsa2006-37.html
> 7) http://www.mozilla.org/security/announce/2006/mfsa2006-38.html
> 8) http://www.mozilla.org/security/announce/2006/mfsa2006-42.html
> 9) http://www.mozilla.org/security/announce/2006/mfsa2006-43.html
>
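Item 8 from the web application's side, as an added example that is not part of the Secunia advisory or Mozilla's code: the input filter removes U+FEFF before matching, so it sees the same text an affected browser would after dropping the BOM. All function names are hypothetical, `looksLikeScriptTag` is a stand-in for the application's real filter, and the sample inputs are constructed.

```javascript
// Canonicalize-then-filter for the UTF-8 BOM issue (item 8).
// Hypothetical helper names; sample inputs are constructed for illustration.
const BOM = "\uFEFF";

// Decode strictly, and keep any BOM in the output (ignoreBOM: true) so the
// filter sees every code point the client actually sent.
function decodeUtf8(bytes) {
  return new TextDecoder("utf-8", { fatal: true, ignoreBOM: true }).decode(bytes);
}

// Remove every U+FEFF, mirroring what the affected browsers did on conversion.
function canonicalize(text) {
  return text.split(BOM).join("");
}

// Deliberately simple blocklist check standing in for an application's filter.
function looksLikeScriptTag(text) {
  return /<\s*script\b/i.test(text);
}

// Screen one submitted value. A BOM at offset 0 is a normal encoding signature;
// a BOM anywhere else has no legitimate role in markup and is flagged.
function screenInput(bytes) {
  let text;
  try {
    text = decodeUtf8(bytes);
  } catch {
    return { verdict: "reject", reason: "invalid UTF-8" };
  }
  const interiorBom = text.indexOf(BOM, 1) !== -1;
  if (looksLikeScriptTag(canonicalize(text))) {
    return { verdict: "reject", reason: interiorBom ? "tag hidden by U+FEFF" : "script tag" };
  }
  return interiorBom
    ? { verdict: "suspicious", reason: "interior U+FEFF" }
    : { verdict: "accept", reason: "clean" };
}

// Constructed samples: the second one passes the stand-in filter when it is
// applied to the raw text, and is caught once the text is canonicalized.
const enc = new TextEncoder();
const samples = ["\uFEFFhello", "<scr\uFEFFipt>x</scr\uFEFFipt>", "hel\uFEFFlo"];
for (const s of samples) {
  console.log(JSON.stringify(s), looksLikeScriptTag(s), screenInput(enc.encode(s)));
}
```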