Guru3D.com Forums

Multiple vulnerabilities in Firefox
  (#1)
SgtSquarenuts
Master Guru
 
Multiple vulnerabilities in Firefox - 07-28-2006, 05:47 | posts: 173 | Location: Illinisia

It seems Mozilla is not as safe as you think.







National Cyber Alert System

Technical Cyber Security Alert TA06-208A


Mozilla Products Contain Multiple Vulnerabilities

Original release date: July 27, 2006
Last revised: --
Source: US-CERT


Systems Affected

* Mozilla SeaMonkey
* Mozilla Firefox
* Mozilla Thunderbird

Any products based on Mozilla components, specifically Gecko, may also
be affected.


Overview

The Mozilla web browser and derived products contain several
vulnerabilities, the most serious of which could allow a remote
attacker to execute arbitrary code on an affected system.


I. Description

Several vulnerabilities have been reported in the Mozilla web browser
and derived products. More detailed information is available in the
individual vulnerability notes, including the following:


VU#476724 - Mozilla products fail to properly handle frame references

Mozilla products fail to properly handle frame or window references.
This may allow a remote attacker to execute arbitrary code on a
vulnerable system.
(CVE-2006-3801)


VU#670060 - Mozilla fails to properly release JavaScript references

Mozilla products fail to properly release memory. This vulnerability
may allow a remote attacker to execute code on a vulnerable system.
(CVE-2006-3677)


VU#239124 - Mozilla fails to properly handle simultaneous XPCOM events

Mozilla products are vulnerable to memory corruption via simultaneous
XPCOM events. This may allow a remote attacker to execute arbitrary
code on a vulnerable system.
(CVE-2006-3113)


VU#265964 - Mozilla products contain a race condition

Mozilla products contain a race condition. This vulnerability may
allow a remote attacker to execute code on a vulnerable system.
(CVE-2006-3803)


VU#897540 - Mozilla products VCard attachment buffer overflow

Mozilla products fail to properly handle malformed VCard attachments,
allowing a buffer overflow to occur. This vulnerability may allow a
remote attacker to execute arbitrary code on a vulnerable system.
(CVE-2006-3804)


VU#876420 - Mozilla fails to properly handle garbage collection

The Mozilla JavaScript engine fails to properly perform garbage
collection, which may allow a remote attacker to execute arbitrary
code on a vulnerable system.
(CVE-2006-3805)


VU#655892 - Mozilla JavaScript engine contains multiple integer
overflows

The Mozilla JavaScript engine contains multiple integer overflows.
This vulnerability may allow a remote attacker to execute arbitrary
code on a vulnerable system.
(CVE-2006-3806)


VU#687396 - Mozilla products fail to properly validate JavaScript
constructors

Mozilla products fail to properly validate references returned by
JavaScript constructors. This vulnerability may allow a remote
attacker to execute arbitrary code on a vulnerable system.
(CVE-2006-3807)


VU#527676 - Mozilla contains multiple memory corruption
vulnerabilities

Mozilla products contain multiple vulnerabilities that can cause
memory corruption. This may allow a remote attacker to execute
arbitrary code on a vulnerable system.
(CVE-2006-3811)


II. Impact

A remote, unauthenticated attacker could execute arbitrary code on a
vulnerable system. An attacker may also be able to cause the
vulnerable application to crash.


III. Solution

Upgrade

Upgrade to Mozilla Firefox 1.5.0.5, Mozilla Thunderbird 1.5.0.5, or
SeaMonkey 1.0.3.

Disable JavaScript and Java

These vulnerabilities can be mitigated by disabling JavaScript and
Java in all affected products. Instructions for disabling Java in
Firefox can be found in the "Securing Your Web Browser" document.


Appendix A. References

* US-CERT Vulnerability Notes Related to July Mozilla Security
Advisories -
<http://www.kb.cert.org/vuls/byid?searchview&query=firefox_1505>

* CVE-2006-3801 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3801>

* CVE-2006-3677 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3677>

* CVE-2006-3113 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3113>

* CVE-2006-3803 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3803>

* CVE-2006-3804 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3804>

* CVE-2006-3805 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3805>

* CVE-2006-3806 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3806>

* CVE-2006-3807 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3807>

* CVE-2006-3811 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3811>

* Mozilla Foundation Security Advisories -
<http://www.mozilla.org/security/announce/>

* Known Vulnerabilities in Mozilla Products -
<http://www.mozilla.org/projects/security/known-vulnerabilities.html>

* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/browser_security.html#Mozilla_Firefox>


____________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA06-208A.html>
____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-208A Feedback VU#239124" in the
subject.
____________________________________________________________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________

Produced 2006 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>
____________________________________________________________________


Revision History

Jul 27, 2006: Initial release





  (#2)
MetalFox
Maha Guru
 
07-28-2006, 13:12 | posts: 907 | Location: Finland

Well, those problems get fixed.

It's not IE.
   
  (#3)
Animatrix
Ancient Guru
 
07-29-2006, 03:51 | posts: 6,852 | Location: Denmark

What are we doing here... counting bugs or counting fixes?

The mentioned bugs are 9 of the 12 fixes found in Firefox 1.5.0.5.
http://www.mozilla.org/projects/secu...s.html#Firefox


Oh, and just to be clear about it, there is NO such thing as perfect code; you can break most code if you try hard enough.
   