New Mozilla vulnerabilities??

David Eisenstein deisenst at gtw.net
Sat Jun 3 19:36:13 UTC 2006


Hello all,

Yesterday, I received a notice from US-CERT regarding Technical Cyber
Security Alert TA06-153A -- Mozilla Products Contain Multiple
Vulnerabilities (available at
<http://www.us-cert.gov/cas/techalerts/TA06-153A.html>).

It mentions a bunch of vulnerabilities (all of which seem to affect
SeaMonkey, Thunderbird, and Firefox).  After looking at each VU#, it appears
that none of the announcements mention the Mozilla Suite.  Also, at least as
of last night, none of them mention any CVE #s.

What's going on with this?  Are any Mozilla Suite products affected by these
vulnerabilities?  Some of these sound critical -- and if there are no
patches available for mozilla-1.7.13, well, it seems bad!

   "Several vulnerabilities have been reported in the Mozilla web browser
   and derived products. More detailed information is available in the
   individual vulnerability notes, including:

   "VU#237257 - Mozilla privilege escalation using addSelectionListener
   A privilege escalation vulnerability exists in the Mozilla
   addSelectionListener method. This may allow a remote attacker to
   execute arbitrary code.

   "VU#421529 - Mozilla contains a buffer overflow vulnerability in
   crypto.signText()
   Mozilla products contain a buffer overflow in the crypto.signText()
   method. This may allow a remote attacker to execute arbitrary code.

   "VU#575969 - Mozilla may process content-defined setters on object
   prototypes with elevated privileges
   Mozilla allows content-defined setters on object prototypes to execute
   with elevated privileges. This may allow a remote attacker to execute
   arbitrary code.

   "VU#243153 - Mozilla may associate persisted XUL attributes with an
   incorrect URL
   Mozilla can allow persisted XUL attributes to associate with the wrong
   URL. This may allow a remote attacker to execute arbitrary code.

   "VU#466673 - Mozilla contains multiple memory corruption
   vulnerabilities
   Mozilla contains several memory corruption vulnerabilities. This may
   allow a remote attacker to execute arbitrary code."

-David



