TITLE:
Firefox Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA19631

VERIFY ADVISORY:
http://secunia.com/advisories/19631/

CRITICAL:
Highly critical

IMPACT:
Security Bypass, Cross Site Scripting, Spoofing, Exposure of sensitive information, DoS, System access

WHERE:
From remote

SOFTWARE:
Mozilla Firefox 0.x
http://secunia.com/product/3256/
Mozilla Firefox 1.x
http://secunia.com/product/4227/

DESCRIPTION:
Multiple vulnerabilities have been reported in Firefox, which can be exploited by malicious people to conduct cross-site scripting and phishing attacks, bypass certain security restrictions, disclose sensitive information, and potentially compromise a user's system.

1) An error exists where JavaScript can be injected into another page, which is currently loading. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site.

2) An error in the garbage collection in the JavaScript engine can be exploited to cause a memory corruption. Successful exploitation may allow execution of arbitrary code.

3) A boundary error in the CSS border rendering implementation may be exploited to write past the end of an array.

4) An integer overflow in the handling of overly long regular expressions in JavaScript may be exploited to execute arbitrary JavaScript bytecode.

5) Two errors in the handling of "-moz-grid" and "-moz-grid-group" display styles may be exploited to execute arbitrary code.

6) An error in the "InstallTrigger.install()" method can be exploited to cause a memory corruption.

7) An unspecified error can be exploited to spoof the secure lock icon and the address bar by changing the location of a pop-up window in certain situations. Successful exploitation requires that the "Entering secure site" dialog has been enabled (not enabled by default).

8) It is possible to trick users into downloading malicious files via the "Save image as..." menu option.

9) A JavaScript function created via an "eval()" call associated with a method of an XBL binding may be compiled with incorrect privileges. This can be exploited to execute arbitrary code.

10) An error where the "Object.watch()" method exposes the internal "clone parent" function object can be exploited to execute arbitrary JavaScript code with escalated privileges. Successful exploitation allows execution of arbitrary code.

11) An error in the protection of the compilation scope of built-in privileged XBL bindings can be exploited to execute arbitrary JavaScript code with escalated privileges. Successful exploitation allows execution of arbitrary code.

12) An unspecified error can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site via the window.controllers array.

13) An error in the processing of a certain sequence of HTML tags can be exploited to cause a memory corruption. Successful exploitation allows execution of arbitrary code.

14) An error in the "valueOf.call()" and "valueOf.apply()" methods can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site.

15) Some errors in the DHTML implementation can be exploited to cause a memory corruption. Successful exploitation may allow execution of arbitrary code.

16) An integer overflow error in the processing of the CSS letter-spacing property can be exploited to cause a heap-based buffer overflow. Successful exploitation allows execution of arbitrary code.

17) An error in the handling of file upload controls can be exploited to upload arbitrary files from a user's system by e.g. dynamically changing a text input box to a file upload control.

18) An unspecified error in the "crypto.generateCRMFRequest()" method can be exploited to execute arbitrary code.

19) An error in the handling of scripts in XBL controls can be exploited to gain chrome privileges via the "Print Preview" functionality.

20) An error in a security check in the "js_ValueToFunctionObject()" method can be exploited to execute arbitrary code via "setTimeout()" and "ForEach".

21) An error in the interaction between XUL content windows and the history mechanism can be exploited to trick users into interacting with a browser user interface which is not visible. Successful exploitation may allow execution of arbitrary code.

SOLUTION:
Update to versions 1.0.8 or 1.5.0.2.
http://www.mozilla.com/firefox/

PROVIDED AND/OR DISCOVERED BY:
1, 9, 10, 12, 18, 20) shutdown
2) Igor Bukanov
3) Bernd Mielke
4) Alden D'Souza
5) Martijn Wargers
6) Bob Clary
7) Tristor
8) Michael Krax
11, 14, 21) moz_bug_r_a4
13, 16) TippingPoint and the Zero Day Initiative
17) Claus Jørgensen and Jesse Ruderman
19) Georgi Guninski

ORIGINAL ADVISORY:
http://www.mozilla.org/security/announce/2006/mfsa2006-09.html
http://www.mozilla.org/security/announce/2006/mfsa2006-10.html
http://www.mozilla.org/security/announce/2006/mfsa2006-11.html
http://www.mozilla.org/security/announce/2006/mfsa2006-12.html
http://www.mozilla.org/security/announce/2006/mfsa2006-13.html
http://www.mozilla.org/security/announce/2006/mfsa2006-14.html
http://www.mozilla.org/security/announce/2006/mfsa2006-15.html
http://www.mozilla.org/security/announce/2006/mfsa2006-16.html
http://www.mozilla.org/security/announce/2006/mfsa2006-17.html
http://www.mozilla.org/security/announce/2006/mfsa2006-18.html
http://www.mozilla.org/security/announce/2006/mfsa2006-19.html
http://www.mozilla.org/security/announce/2006/mfsa2006-20.html
http://www.mozilla.org/security/announce/2006/mfsa2006-22.html
http://www.mozilla.org/security/announce/2006/mfsa2006-23.html
http://www.mozilla.org/security/announce/2006/mfsa2006-24.html
http://www.mozilla.org/security/announce/2006/mfsa2006-25.html
http://www.mozilla.org/security/announce/2006/mfsa2006-28.html
http://www.mozilla.org/security/announce/2006/mfsa2006-29.html