----------------------------------------------------------------------

TITLE:
Mozilla Firefox Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA37242

VERIFY ADVISORY:
http://secunia.com/advisories/37242/

DESCRIPTION:
Some vulnerabilities have been reported in Mozilla Firefox, which can
be exploited by malicious people to conduct cross-site scripting
attacks or compromise a user's system.

1) An error exists when handling out-of-memory conditions. This can
be exploited to trigger a memory corruption and execute arbitrary
code via a specially crafted web page.

2) Multiple errors in the browser engine can be exploited to corrupt
memory and potentially execute arbitrary code.

3) An error exists in the implementation of Web Worker array data
types when processing posted messages. This can be exploited to
corrupt memory and potentially execute arbitrary code.

4) An error exists in the implementation of the "showModalDialog()"
function. This can be exploited to potentially execute arbitrary
JavaScript code in the context of a domain calling the affected
function with external parameters.

5) An error exists when processing SVG documents served with a
Content-Type of "application/octet-stream". This can be exploited to
execute arbitrary JavaScript code in the context of a domain hosting
the SVG document.

The vulnerabilities are reported in versions prior to 3.5.8 and
3.0.18.

SOLUTION:
Update to version 3.0.18 or 3.5.8.

The vulnerabilities are also fixed in version 3.6.
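
ADDED EXAMPLE (not part of the Secunia advisory):
A triage script that sorts an inventory of installed Firefox versions
against the fixed releases named under SOLUTION. The host names, the
"host<TAB>version" inventory format and the handling of pre-release
builds are assumptions made for this example.

```python
import re

# Fixed releases named in the advisory's SOLUTION section.
FIXED_3_0 = (3, 0, 18)  # fix on the 3.0.x branch
FIXED_3_5 = (3, 5, 8)   # fix for everything else; 3.6 is also listed as fixed

_VER = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?([A-Za-z]\w*)?")

def parse_version(text):
    """Return ((major, minor, patch), suffix) from a display name or User-Agent."""
    # Skip ahead to the Firefox token so "Mozilla/5.0" is not read as the version.
    tail = text[text.rfind("Firefox"):] if "Firefox" in text else text
    m = _VER.search(tail)
    if m is None:
        raise ValueError("no version number in %r" % text)
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0)), suffix or ""

def classify(text):
    """Return 'affected', 'fixed' or 'review' for one installed version."""
    version, suffix = parse_version(text)
    fixed = FIXED_3_0 if version[:2] == (3, 0) else FIXED_3_5
    if version < fixed:
        return "affected"
    # Assumption: the advisory does not cover pre-release builds such as
    # "3.6b5", so anything with a suffix is sent to manual review.
    return "review" if suffix else "fixed"

def triage(inventory_lines):
    """Group 'host<TAB>version' lines by classification."""
    result = {"affected": [], "fixed": [], "review": []}
    for line in inventory_lines:
        host, _, version_text = line.partition("\t")
        result[classify(version_text)].append(host)
    return result

# Constructed sample inventory (hypothetical hosts, not from the advisory).
SAMPLE = [
    "ws-01\tMozilla Firefox 3.5.7 (en-US)",
    "ws-02\tMozilla Firefox 3.0.18",
    "ws-03\tMozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.7) "
    "Gecko/20091221 Firefox/3.5.7",
    "ws-04\tMozilla Firefox 3.6",
    "ws-05\tMozilla Firefox 3.6b5",
    "ws-06\tMozilla Firefox 3.0.17",
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(status, hosts)
```
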

PROVIDED AND/OR DISCOVERED BY:
1) Alin Rad Pop, Secunia Research
4) an anonymous researcher, reported via ZDI

The vendor also credits:
2) Henri Sivonen, Boris Zbarsky, Zack Weinberg, Bob Clary, Martijn
Wargers, and Paul Nickerson
3) Orlando Barrera II via ZDI
4) Hidetake Jo, Microsoft Vulnerability Research
5) Georgi Guninski, Mozilla

CHANGELOG:
2010-02-22: Added ZDI link to the "Original Advisory" section and
updated credits.

ORIGINAL ADVISORY:
Mozilla:
http://www.mozilla.org/security/announce/2010/mfsa2010-01.html
http://www.mozilla.org/security/announce/2010/mfsa2010-02.html
http://www.mozilla.org/security/announce/2010/mfsa2010-03.html
http://www.mozilla.org/security/announce/2010/mfsa2010-04.html
http://www.mozilla.org/security/announce/2010/mfsa2010-05.html

Secunia Research:
http://secunia.com/secunia_research/2009-45/

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-019/

----------------------------------------------------------------------