Thread-topic: Security patches for Mozilla Firefox/Thunderbird/SeaMonkey
http://isc.sans.org/diary.php?storyid=1515
Security patches for Mozilla Firefox/Thunderbird/SeaMonkey
Published: 2006-07-26
Last Updated: 2006-07-26 23:37:47 UTC by Bojan Zdrnja (Version: 1)
The Mozilla Foundation has released new versions of its Firefox,
Thunderbird and SeaMonkey products.
New versions fix numerous security vulnerabilities, of which some are
rated critical. Here's a short overview of the vulnerabilities that have
been fixed:
MFSA 2006-44
(http://www.mozilla.org/security/announce/2006/mfsa2006-44.html): Code
execution through deleted frame reference.
This vulnerability allows remote execution and affects only Firefox 1.5
and SeaMonkey 1.0. Because Thunderbird uses the same browser engine as
Firefox, it is vulnerable to this as well, but JavaScript parsing in
e-mails is not turned on by default (and we recommend that it stays
turned off).
MFSA 2006-45
(http://www.mozilla.org/security/announce/2006/mfsa2006-45.html):
Javascript navigator Object Vulnerability.
Another remote execution vulnerability, affects Firefox 1.5 and
SeaMonkey.
MFSA 2006-46
(http://www.mozilla.org/security/announce/2006/mfsa2006-46.html): Memory
corruption with simultaneous events.
Remote execution vulnerability, affects Firefox and SeaMonkey.
MFSA 2006-47
(http://www.mozilla.org/security/announce/2006/mfsa2006-47.html): Native
DOM methods can be hijacked across domains.
Information leaking vulnerability, can be combined with XSS, although
limited. Affects Firefox and SeaMonkey.
MFSA 2006-48
(http://www.mozilla.org/security/announce/2006/mfsa2006-48.html):
JavaScript new Function race condition.
Remote execution vulnerability, affects Firefox, Thunderbird and
SeaMonkey.
MFSA 2006-49
(http://www.mozilla.org/security/announce/2006/mfsa2006-49.html): Heap
buffer overwrite on malformed vCard.
Affects Thunderbird and SeaMonkey.
MFSA 2006-50
(http://www.mozilla.org/security/announce/2006/mfsa2006-50.html):
JavaScript engine vulnerabilities
Multiple vulnerabilities which can lead to remote execution, affect
Firefox, Thunderbird and SeaMonkey.
MFSA 2006-51
(http://www.mozilla.org/security/announce/2006/mfsa2006-51.html):
Privilege escalation using named-functions and redefined "new Object()".
Remote execution vulnerability, affects Firefox, Thunderbird, SeaMonkey.
MFSA 2006-52
(http://www.mozilla.org/security/announce/2006/mfsa2006-52.html): PAC
privilege escalation using Function.prototype.call
Remote script execution vulnerability through a "poisoned" PAC file.
Affects Firefox and SeaMonkey.
MFSA 2006-53
(http://www.mozilla.org/security/announce/2006/mfsa2006-53.html):
UniversalBrowserRead privilege escalation.
Remote script execution vulnerability, affects Firefox, Thunderbird and
SeaMonkey.
MFSA 2006-54
(http://www.mozilla.org/security/announce/2006/mfsa2006-54.html): XSS
with XPCNativeWrapper(window).Function(...).
XSS vulnerability using the XPCNativeWrapper construct. Affects Firefox,
Thunderbird and SeaMonkey.
MFSA 2006-55
(http://www.mozilla.org/security/announce/2006/mfsa2006-55.html):
Crashes with evidence of memory corruption (rv:1.8.0.5).
Probably just a DoS attack, but there is a possibility that it could be
turned into a remote execution vulnerability. Affects Firefox,
Thunderbird and SeaMonkey.
MFSA 2006-56
(http://www.mozilla.org/security/announce/2006/mfsa2006-56.html):
chrome: scheme loading remote content
Remote script execution vulnerability that affects Firefox and
SeaMonkey.
As some of these vulnerabilities are critical, you should upgrade as
soon as possible; if you cannot, check the original advisories for
potential workarounds. In most cases the vulnerabilities are JavaScript
related, so turning off JavaScript will help (and that holds in
general).