Thread-topic: [SA24205] Mozilla Firefox Multiple Vulnerabilities
> ----------------------------------------------------------------------
>
> TITLE:
> Mozilla Firefox Multiple Vulnerabilities
>
> SECUNIA ADVISORY ID:
> SA24205
>
> VERIFY ADVISORY:
> http://secunia.com/advisories/24205/
>
> CRITICAL:
> Highly critical
>
> IMPACT:
> Security Bypass, Cross Site Scripting, Spoofing, Exposure of
> sensitive information, System access
>
> WHERE:
> From remote
>
> SOFTWARE:
> Mozilla Firefox 1.x
> http://secunia.com/product/4227/
> Mozilla Firefox 2.0.x
> http://secunia.com/product/12434/
>
> DESCRIPTION:
> Multiple vulnerabilities have been reported in Mozilla Firefox, which
> can be exploited by malicious people to bypass certain security
> restrictions, conduct cross-site scripting and spoofing attacks, gain
> knowledge of sensitive information, and potentially compromise a
> user's system.
>
> 1) An error in the handling of the "locations.hostname" DOM property
> can be exploited to bypass certain security restrictions.
>
> For more information:
> SA24175
>
> 2) An integer underflow error in the Network Security Services (NSS)
> code when processing SSLv2 server messages can be exploited to cause
> a heap-based buffer overflow via a certificate with a public key too
> small to encrypt the "Master Secret".
>
> Successful exploitation may allow execution of arbitrary code.
>
> NOTE: Support for SSLv2 is disabled in Firefox 2.x. This version is
> only vulnerable if a user has modified hidden internal NSS settings
> to re-enable SSLv2 support.
>
> 3) It is possible to conduct cross-site scripting attacks against
> sites containing a frame with a "data:" URI as source.
>
> Successful exploitation requires that a user is tricked into visiting
> a malicious website and opening a blocked popup.
>
> 4) It is possible to open windows containing local files thereby
> stealing the contents when the full path of a locally saved file
> containing malicious script code is known. This can be exploited in
> combination with a flaw in the seeding of the pseudo-random number
> generator causing downloaded files to be saved to temporary files
> with a somewhat predictable name.
>
> Successful exploitation requires that a user is tricked into visiting
> a malicious website and opening a blocked popup.
>
> 5) Browser UI elements like the host name and security indicators can
> be spoofed using a specially crafted custom cursor and manipulating
> the CSS3 hotspot property.
>
> 6) It may be possible to gain knowledge of sensitive information from
> a website due to an error resulting in two web pages colliding in the
> disk cache thereby potentially appending part of one document to the
> other.
>
> Successful exploitation requires that a user is tricked into visiting
> a malicious website while visiting the target website.
>
> 7) Various errors in the Mozilla parser when handling invalid
> trailing characters in HTML tag attribute names and during processing
> of UTF-7 content when child frames inherit the character set of their
> parent window can be exploited to conduct cross-site scripting
> attacks.
>
> 8) A vulnerability in the Password Manager may be exploited to
> conduct phishing attacks.
>
> For more information:
> SA23046
>
> 9) Multiple memory corruption errors exist in the layout engine,
> JavaScript engine, and in SVG. Some of these may be exploited to
> execute arbitrary code on a user's system.
>
> SOLUTION:
> Update to version 2.0.0.2 or 1.5.0.10.
>
> PROVIDED AND/OR DISCOVERED BY:
> 1) Michal Zalewski
> 2) Discovered by regenrecht and reported via iDefense Labs.
> 3) shutdown
> 4) Michal Zalewski
> 5) David Eckel
> 6) Aad
> 7) RSnake and Stefan Esser.
> 8) Robert Chapin
> 9) Jesse Ruderman, Martijn Wargers, Olli Pettay, Tom Ferris, Brian
> Crowder, Igor Bukanov, Johnny Stenback, moz_bug_r_a4, and shutdown.
>
> ORIGINAL ADVISORY:
> Mozilla Foundation:
> http://www.mozilla.org/security/announce/2007/mfsa2007-07.html
> http://www.mozilla.org/security/announce/2007/mfsa2007-06.html
> http://www.mozilla.org/security/announce/2007/mfsa2007-05.html
> http://www.mozilla.org/security/announce/2007/mfsa2007-04.html
> http://www.mozilla.org/security/announce/2007/mfsa2007-03.html
> http://www.mozilla.org/security/announce/2007/mfsa2007-02.html
> http://www.mozilla.org/security/announce/2007/mfsa2007-01.html
>
> iDefense Labs:
> http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=482
>
> OTHER REFERENCES:
> SA24175:
> http://secunia.com/advisories/24175/
>
> SA23046:
> http://secunia.com/advisories/23046/
>
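
The bug class in item 2 of the quoted advisory, as an added example that is not part of the advisory and is not NSS code: an unsigned padding-length subtraction that wraps when the peer's key is too small, beside a checked form that rejects the key before any buffer is written. The PKCS#1 v1.5-style block layout, the function names and the sample sizes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed layout (PKCS#1 v1.5 type 2): 00 02 <pad, at least 8 bytes> 00 <secret> */
#define BLOCK_FIXED 3u   /* the 00, 02 and 00 separator bytes */
#define MIN_PAD     8u

/* Unchecked size arithmetic: wraps to a huge size_t when the key is too small. */
size_t pad_len_unchecked(size_t modulus_len, size_t secret_len)
{
    return modulus_len - BLOCK_FIXED - secret_len;
}

/* Checked form: 0 on success, -1 if the key cannot hold the secret. */
int pad_len_checked(size_t modulus_len, size_t secret_len, size_t *pad_len)
{
    if (secret_len > SIZE_MAX - BLOCK_FIXED - MIN_PAD)
        return -1;                          /* the sum below would overflow */
    if (modulus_len < secret_len + BLOCK_FIXED + MIN_PAD)
        return -1;                          /* peer key too small: reject it */
    *pad_len = modulus_len - BLOCK_FIXED - secret_len;
    return 0;
}

/* Fill out[0..modulus_len) with the padded block; refuses small keys/buffers. */
int format_block(unsigned char *out, size_t out_len, size_t modulus_len,
                 const unsigned char *secret, size_t secret_len)
{
    size_t pad;
    if (out_len < modulus_len ||
        pad_len_checked(modulus_len, secret_len, &pad) != 0)
        return -1;
    out[0] = 0x00;
    out[1] = 0x02;
    memset(out + 2, 0xA5, pad);  /* demo filler; real padding is random non-zero */
    out[2 + pad] = 0x00;
    memcpy(out + 3 + pad, secret, secret_len);
    return 0;
}

/* Constructed sample: 48-byte secret against a 128-byte and a 16-byte modulus. */
int self_check(void)
{
    unsigned char secret[48], block[128];
    memset(secret, 0x11, sizeof secret);
    if (format_block(block, sizeof block, 128, secret, sizeof secret) != 0) return 1;
    if (block[79] != 0x00 || block[80] != 0x11 || block[127] != 0x11) return 2;
    if (format_block(block, sizeof block, 16, secret, sizeof secret) != -1) return 3;
    return 0;
}
```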