securityvulns SECURITYVULNS:DOC:12224
Apr 14, 2006

[SA19631] Firefox Multiple Vulnerabilities


TITLE:
Firefox Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA19631

VERIFY ADVISORY:
http://secunia.com/advisories/19631/

CRITICAL:
Highly critical

IMPACT:
Security Bypass, Cross Site Scripting, Spoofing, Exposure of
sensitive information, DoS, System access

WHERE:
From remote

SOFTWARE:
Mozilla Firefox 0.x
http://secunia.com/product/3256/
Mozilla Firefox 1.x
http://secunia.com/product/4227/

DESCRIPTION:
Multiple vulnerabilities have been reported in Firefox, which can be
exploited by malicious people to conduct cross-site scripting and
phishing attacks, bypass certain security restrictions, disclose
sensitive information, and potentially compromise a user's system.

1) An error exists where JavaScript can be injected into another
page that is currently loading. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in context
of an arbitrary site.

2) An error in the garbage collection in the JavaScript engine can be
exploited to cause a memory corruption.

Successful exploitation may allow execution of arbitrary code.

3) A boundary error in the CSS border rendering implementation may be
exploited to write past the end of an array.

4) An integer overflow in the handling of overly long regular
expressions in JavaScript may be exploited to execute arbitrary
JavaScript bytecode.

5) Two errors in the handling of "-moz-grid" and "-moz-grid-group"
display styles may be exploited to execute arbitrary code.

6) An error in the "InstallTrigger.install()" method can be exploited
to cause a memory corruption.

7) An unspecified error can be exploited to spoof the secure lock
icon and the address bar by changing the location of a pop-up window
in certain situations.

Successful exploitation requires that the "Entering secure site"
dialog has been enabled (not enabled by default).

8) It is possible to trick users into downloading malicious files via
the "Save image as…" menu option.

9) A JavaScript function created via an "eval()" call associated with
a method of an XBL binding may be compiled with incorrect privileges.
This can be exploited to execute arbitrary code.

10) An error where the "Object.watch()" method exposes the internal
"clone parent" function object can be exploited to execute arbitrary
JavaScript code with escalated privileges.

Successful exploitation allows execution of arbitrary code.

11) An error in the protection of the compilation scope of built-in
privileged XBL bindings can be exploited to execute arbitrary
JavaScript code with escalated privileges.

Successful exploitation allows execution of arbitrary code.

12) An unspecified error can be exploited to execute arbitrary HTML
and script code in a user's browser session in context of an
arbitrary site via the window.controllers array.

13) An error in the processing of a certain sequence of HTML tags can
be exploited to cause a memory corruption.

Successful exploitation allows execution of arbitrary code.

14) An error in the "valueOf.call()" and "valueOf.apply()" methods
can be exploited to execute arbitrary HTML and script code in a
user's browser session in context of an arbitrary site.

15) Some errors in the DHTML implementation can be exploited to cause
a memory corruption.

Successful exploitation may allow execution of arbitrary code.

16) An integer overflow error in the processing of the CSS
letter-spacing property can be exploited to cause a heap-based buffer
overflow.

Successful exploitation allows execution of arbitrary code.

17) An error in the handling of file upload controls can be exploited
to upload arbitrary files from a user's system by e.g. dynamically
changing a text input box to a file upload control.

18) An unspecified error in the "crypto.generateCRMFRequest()" method
can be exploited to execute arbitrary code.

19) An error in the handling of scripts in XBL controls can be
exploited to gain chrome privileges via the "Print Preview"
functionality.

20) An error in a security check in the "js_ValueToFunctionObject()"
method can be exploited to execute arbitrary code via "setTimeout()"
and "ForEach".

21) An error in the interaction between XUL content windows and the
history mechanism can be exploited to trick users into interacting
with a browser user interface which is not visible.

Successful exploitation may allow execution of arbitrary code.

SOLUTION:
Update to versions 1.0.8 or 1.5.0.2.
http://www.mozilla.com/firefox/
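
The check below is an added example, not part of the Secunia advisory: it triages an inventory of Firefox version strings or User-Agent headers against the two fixed releases named above. The host names, sample strings and the branch rule (1.0.x compared with 1.0.8, everything else with 1.5.0.2) are assumptions made for illustration.

```python
import re

# Fixed releases named in the advisory's SOLUTION section, padded to four parts.
FIXED_1_0_BRANCH = (1, 0, 8, 0)
FIXED_1_5_BRANCH = (1, 5, 0, 2)

_TOKEN = re.compile(r"\bFirefox/(\d+(?:\.\d+){0,3})(?![\w.])")
_BARE = re.compile(r"\s*(\d+(?:\.\d+){0,3})\s*")


def parse_version(text):
    """Return a 4-tuple from a 'Firefox/x.y.z' token or a bare version, else None."""
    m = _TOKEN.search(text) or _BARE.fullmatch(text)
    if not m:
        return None  # pre-release tags such as 1.5b2 are left for manual review
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def classify(text):
    """'affected' / 'not-affected' / 'unknown', with respect to SA19631 only."""
    v = parse_version(text)
    if v is None:
        return "unknown"
    # Assumption: 1.0.x is judged against 1.0.8; everything else (0.x, 1.5.x,
    # later) against 1.5.0.2, since 0.x has no fixed release in the advisory.
    fixed = FIXED_1_0_BRANCH if v[:2] == (1, 0) else FIXED_1_5_BRANCH
    return "affected" if v < fixed else "not-affected"


def triage(inventory):
    """Map host -> verdict for an iterable of (host, version-or-UA) pairs."""
    return {host: classify(value) for host, value in inventory}


# Constructed sample inventory (hosts and strings are made up for illustration).
SAMPLE = [
    ("ws-01", "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1"),
    ("ws-02", "1.0.8"),
    ("ws-03", "1.5"),
    ("ws-04", "Firefox/1.5b2"),
    ("ws-05", "0.9.3"),
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE).items():
        print(host, verdict)
```

A "not-affected" verdict covers only the issues in this advisory; "unknown" entries need a manual look.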

PROVIDED AND/OR DISCOVERED BY:
1, 9, 10, 12, 18, 20) shutdown
2) Igor Bukanov
3) Bernd Mielke
4) Alden D'Souza
5) Martijn Wargers
6) Bob Clary
7) Tristor
8) Michael Krax
11, 14, 21) moz_bug_r_a4
13, 16) TippingPoint and the Zero Day Initiative
17) Claus Jørgensen and Jesse Ruderman
19) Georgi Guninski

ORIGINAL ADVISORY:
http://www.mozilla.org/security/announce/2006/mfsa2006-09.html
http://www.mozilla.org/security/announce/2006/mfsa2006-10.html
http://www.mozilla.org/security/announce/2006/mfsa2006-11.html
http://www.mozilla.org/security/announce/2006/mfsa2006-12.html
http://www.mozilla.org/security/announce/2006/mfsa2006-13.html
http://www.mozilla.org/security/announce/2006/mfsa2006-14.html
http://www.mozilla.org/security/announce/2006/mfsa2006-15.html
http://www.mozilla.org/security/announce/2006/mfsa2006-16.html
http://www.mozilla.org/security/announce/2006/mfsa2006-17.html
http://www.mozilla.org/security/announce/2006/mfsa2006-18.html
http://www.mozilla.org/security/announce/2006/mfsa2006-19.html
http://www.mozilla.org/security/announce/2006/mfsa2006-20.html
http://www.mozilla.org/security/announce/2006/mfsa2006-22.html
http://www.mozilla.org/security/announce/2006/mfsa2006-23.html
http://www.mozilla.org/security/announce/2006/mfsa2006-24.html
http://www.mozilla.org/security/announce/2006/mfsa2006-25.html
http://www.mozilla.org/security/announce/2006/mfsa2006-28.html
http://www.mozilla.org/security/announce/2006/mfsa2006-29.html


About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.
