[SingCERT] Mozilla Products Multiple Vulnerabilities

Last Updated on Friday, 10 December 2010 16:37

[ Summary ]

Multiple vulnerabilities were identified in Mozilla Firefox, Thunderbird and SeaMonkey.

Mozilla Foundation has released the following security advisories:

• MFSA 2010-84 XSS hazard in multiple character encodings
• MFSA 2010-83 Location bar SSL spoofing using network error page
• MFSA 2010-82 Incomplete fix for CVE-2010-0179
• MFSA 2010-81 Integer overflow vulnerability in NewIdArray
• MFSA 2010-80 Use-after-free error with nsDOMAttribute MutationObserver
• MFSA 2010-79 Java security bypass from LiveConnect loaded via data: URL meta refresh
• MFSA 2010-78 Add support for OTS font sanitizer
• MFSA 2010-77 Crash and remote code execution using HTML tags inside a XUL tree
• MFSA 2010-76 Chrome privilege escalation with window.open and isindex element
• MFSA 2010-75 Buffer overflow while line breaking after document.write with long string
• MFSA 2010-74 Miscellaneous memory safety hazards (rv:1.9.2.13/ 1.9.1.16)

[ Affected Systems ]

• Mozilla Firefox versions prior to 3.6.13
• Mozilla Firefox versions prior to 3.5.16
• Mozilla Thunderbird versions prior to 3.1.7
• Mozilla Thunderbird versions prior to 3.0.11
• Mozilla SeaMonkey versions prior to 2.0.11

[ Impact Analysis ]

Attackers can exploit these vulnerabilities to execute arbitrary machine code in the context of the user running the application, crash the application, elevate privileges or obtain sensitive information. Some of these issues may not require specific exploit code and may be trivial to exploit.

[ Solution/Workaround ]

Updates are available:

• Mozilla Firefox version 3.6.13 or 3.5.16
• Mozilla Thunderbird version 3.1.7 or 3.0.11
• Mozilla SeaMonkey version 2.0.11

[ Reference ]

• http://www.mozilla.org/security/announce/