Информационная безопасность
[RU] switch to English

Дополнительная информация

  Многочисленные уязвимости безопасности в Mozilla Firefox / Seamonkey

  US-CERT Technical Cyber Security Alert TA08-087A -- Mozilla Updates for Multiple Vulnerabilities

  Mozilla Foundation Security Advisory 2008-19

  Mozilla Foundation Security Advisory 2008-17

  Mozilla Foundation Security Advisory 2008-16

Date:26 марта 2008 г.
Subject:Mozilla Foundation Security Advisory 2008-18

Mozilla Foundation Security Advisory 2008-18

Title: Java socket connection to any local port via LiveConnect
Impact: High
Announced: March 25, 2008
Reporter: Gregory Fleischer
Products: Firefox, SeaMonkey

Fixed in: Firefox
 SeaMonkey 1.1.9

Security researcher Gregory Fleischer demonstrated that web content fetched via the jar: protocol can use Java via LiveConnect to open socket connections to arbitrary ports on the user's machine ("localhost"). The issue is caused by improper parsing of the content origin passed from the browser to the Java plugin. Such content was incorrectly evaluated to have a null host, assumed to be a local file, and was subsequently allowed permission to connect to the localhost. Sun has updated the Java Runtime Environment with a fix for this problem. Mozilla has also added a fix to LiveConnect to protect users who don't have the latest version of Java.

Disable Java until a version containing fixes can be installed or upgrade your system's JRE to one of the fixed versions listed in Sun's advisory: 1.6.0_05, 1.5.0_15, and 1.4.2_17.

   * https://bugzilla.mozilla.org/show_bug.cgi?id=402995
   * Sun's security advisory
   * CVE-2008-1195
   * CVE-2008-1240

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород