Thread-topic: Mozilla Firefox Multiple Vulnerabilities
> ----------------------------------------------------------------------
>
> TITLE:
> Mozilla Firefox Multiple Vulnerabilities
>
> SECUNIA ADVISORY ID:
> SA27311
>
> VERIFY ADVISORY:
> http://secunia.com/advisories/27311/
>
> CRITICAL:
> Highly critical
>
> IMPACT:
> Spoofing, Manipulation of data, Exposure of sensitive information,
> DoS, System access
>
> WHERE:
> From remote
>
> SOFTWARE:
> Mozilla Firefox 2.0.x
> http://secunia.com/product/12434/
>
> DESCRIPTION:
> Some vulnerabilities and a weakness have been reported in Mozilla
> Firefox, which can be exploited by malicious people to disclose
> sensitive information, conduct phishing attacks, manipulate certain
> data, and potentially compromise a user's system.
>
> 1) Various errors in the browser engine can be exploited to cause a
> memory corruption.
>
> 2) Various errors in the JavaScript engine can be exploited to cause
> a memory corruption.
>
> Successful exploitation of these vulnerabilities may allow execution
> of arbitrary code.
>
> 3) An error in the handling of onUnload events can be exploited to
> read and manipulate the document's location of new pages.
>
> 4) Input passed to the user ID when making an HTTP request using
> Digest Authentication is not properly sanitised before being used in
> a request. This can be exploited to insert arbitrary HTTP headers
> into a user's request when a proxy is used.
>
> 5) An error when displaying web pages written in the XUL markup
> language can be exploited to hide the window's title bar and
> facilitate phishing attacks.
>
> 6) An error exists in the handling of "smb:" and "sftp:" URI schemes
> on Linux systems with gnome-vfs support. This can be exploited to
> read any file owned by the target user via a specially crafted page
> on the same server.
>
> Successful exploitation requires that the attacker has write access
> to a mutually accessible location on the target server and the user
> is tricked into loading the malicious page.
>
> 7) An unspecified error in the handling of "XPCNativeWrappers" can
> lead to execution of arbitrary JavaScript code with the user's
> privileges via subsequent access by the browser chrome (e.g. when a
> user right-clicks to open a context menu).
>
> This is related to vulnerability #6 in:
> SA26095
>
> SOLUTION:
> Update to version 2.0.0.8.
>
> NOTE: Additional fixes have been added to prevent the exploitation of
> a URI handling vulnerability in Microsoft Windows.
>
> For more information:
> SA26201
>
> PROVIDED AND/OR DISCOVERED BY:
> The vendor credits:
> 1) L. David Baron, Boris Zbarsky, Georgi Guninski, Paul Nickerson,
> Olli Pettay, Jesse Ruderman, Vladimir Sukhoy, Daniel Veditz, and
> Martijn Wargers
> 2) Igor Bukanov, Eli Friedman, and Jesse Ruderman
> 3) Michal Zalewski
> 4) Stefano Di Paola
> 5) Eli Friedman
> 6) Georgi Guninski
> 7) moz_bug_r_a4
>
> ORIGINAL ADVISORY:
> Mozilla:
> http://www.mozilla.org/security/announce/2007/mfsa2007-29.html
> http://www.mozilla.org/security/announce/2007/mfsa2007-30.html
> http://www.mozilla.org/security/announce/2007/mfsa2007-31.html
> http://www.mozilla.org/security/announce/2007/mfsa2007-33.html
> http://www.mozilla.org/security/announce/2007/mfsa2007-34.html
> http://www.mozilla.org/security/announce/2007/mfsa2007-35.html
> http://www.mozilla.org/security/announce/2007/mfsa2007-36.html
>
> OTHER REFERENCES:
> SA26095:
> http://secunia.com/advisories/26095/
>
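
Added example, not part of the quoted advisory and not Firefox code: item 4 above concerns a Digest Authentication user ID that reaches the request without sanitisation. The sketch below shows the defensive counterpart on the client side, assuming the header insertion relies on control characters such as CR/LF in the user ID (the advisory does not state the mechanism). The function names and sample values are hypothetical.

```javascript
// Added example: build a Digest Authorization header value defensively.
// Hypothetical helper names; sample inputs are constructed for illustration.

// Any control character (CR and LF included) or DEL is rejected outright
// rather than stripped, so a malformed credential never reaches the wire.
const CTL = /[\u0000-\u001f\u007f]/;

// Serialise one auth parameter as name="quoted-string".
function quoteDigestParam(name, value) {
  if (typeof value !== "string") {
    throw new TypeError(`${name} must be a string`);
  }
  if (CTL.test(value)) {
    throw new Error(`${name} contains a control character`);
  }
  // quoted-string escaping: backslash first, then double quote,
  // so the value cannot terminate its own quotes.
  const escaped = value.replace(/\\/g, "\\\\").replace(/"/g, '\\"');
  return `${name}="${escaped}"`;
}

// Every field goes through the same check, not only the user ID.
function buildDigestAuthorization(fields) {
  const order = ["username", "realm", "nonce", "uri", "response"];
  const parts = order.map((key) => quoteDigestParam(key, fields[key]));
  return "Digest " + parts.join(", ");
}

// Returns the header value, or null when any field is rejected.
function tryBuild(fields) {
  try {
    return buildDigestAuthorization(fields);
  } catch (err) {
    return null;
  }
}

// Constructed sample inputs.
const base = {
  realm: "example",
  nonce: "abc123",
  uri: "/index.html",
  response: "0".repeat(32),
};
const ok = tryBuild({ ...base, username: 'al"ice' });
const rejected = tryBuild({ ...base, username: "alice\r\nX-Added: 1" });
console.log(ok);
console.log(rejected);
```

Rejecting the value instead of stripping the offending bytes keeps the failure visible to the caller, and a proxy or server in the path can apply the same check to any header value it forwards.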