TITLE:
Mozilla Firefox Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA40309

VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/40309/

RELEASE DATE:
2010-06-29

DESCRIPTION:
Some vulnerabilities have been reported in Mozilla Firefox, which can
be exploited by malicious people to disclose sensitive information,
bypass certain security restrictions, or to compromise a user's
system.

1) Multiple errors in the browser engine can be exploited to corrupt
memory and potentially execute arbitrary code.

2) An error in the handling of multipart/x-mixed-replace resources
can be exploited to corrupt memory and potentially execute arbitrary
code.

This vulnerability only affects version 3.5.x.

3) Multiple errors in the JavaScript engine can be exploited to
corrupt memory and potentially execute arbitrary code.

4) Multiple errors in the JavaScript engine can be exploited to
corrupt memory and potentially execute arbitrary code.

These errors only affect version 3.6.x.

5) A use-after-free error exists in "nsCycleCollector::MarkRoots()",
which can result in the use of an invalid pointer and allows
execution of arbitrary code.

6) A use-after-free error in the handling of object references among
multiple plugin instances can be exploited to trigger the use of an
invalid pointer and execute arbitrary code.

7) An integer overflow error exists in
"nsGenericDOMDataNode::SetTextInternal" within the handling of text
values for certain types of DOM nodes. This can be exploited to cause
a heap-based buffer overflow via overly large strings.

8) An integer overflow error in an XSLT node sorting routine can be
exploited to cause a buffer overflow and potentially execute
arbitrary code via a node containing an overly large text value.

9) A weakness is caused by "focus()" allowing user input to be
directed to unintended locations, e.g. an embedded iframe from
another domain.

10) The HTTP "Content-Disposition: attachment" header is ignored when
"Content-Type: multipart" is also present. This can result in
security features being bypassed in sites that allow users to upload
arbitrary files and specify a "Content-Type" but rely on
"Content-Disposition: attachment" to prevent the content from being
displayed inline.

11) A weakness exists due to the pseudo-random number generator being
seeded only once per browsing session, which can be exploited to
disclose the value used to seed "Math.random()" and potentially
identify and track users across different web sites.

SOLUTION:
Update to version 3.5.10 or 3.6.4.

PROVIDED AND/OR DISCOVERED BY:
8) Martin Barbella, reported via ZDI.
9) Michal Zalewski

The vendor credits:
1) Olli Pettay, Martijn Wargers, Justin Lebar, Jesse Ruderman, Ben
Turner, Jonathan Kew, and David Humphrey
2) boardraider and stedenon
3) Bob Clary, Igor Bukanov, Gary Kwong, and Andreas Gal
4) Gary Kwong and David Anderson
5) wushi of team509
6) Microsoft Vulnerability Research
7) Nils of MWR InfoSecurity
10) Ilja van Sprundel of IOActive
11) Amit Klein

ORIGINAL ADVISORY:
Mozilla Foundation:
http://www.mozilla.org/security/announce/2010/mfsa2010-26.html
http://www.mozilla.org/security/announce/2010/mfsa2010-27.html
http://www.mozilla.org/security/announce/2010/mfsa2010-28.html
http://www.mozilla.org/security/announce/2010/mfsa2010-29.html
http://www.mozilla.org/security/announce/2010/mfsa2010-30.html
http://www.mozilla.org/security/announce/2010/mfsa2010-31.html
http://www.mozilla.org/security/announce/2010/mfsa2010-32.html
http://www.mozilla.org/security/announce/2010/mfsa2010-33.html

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-113/
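
Item 10 of the description, seen from the side of a site that serves user uploads, as an added example that is not part of the Secunia advisory: the response headers are built so that an uploader-specified "Content-Type" (multipart or otherwise) is never echoed unless it is on an allowlist. The function names and the allowlist are hypothetical.

```python
import re

# Constructed allowlist (an assumption): types this hypothetical site will echo back.
INERT_TYPES = {"image/png", "image/jpeg", "application/pdf", "text/plain"}
FALLBACK_TYPE = "application/octet-stream"
_MEDIA = re.compile(r"^[a-z0-9!#$&^_.+-]+/[a-z0-9!#$&^_.+-]+$")


def normalize_type(claimed):
    """Return the bare lowercase type/subtype, or None if it is malformed."""
    if not claimed or "\r" in claimed or "\n" in claimed:
        return None  # CR/LF in the value would allow header injection
    media = claimed.split(";", 1)[0].strip().lower()  # drop parameters
    return media if _MEDIA.match(media) else None


def safe_filename(name):
    """Reduce the name to a conservative character set for the header value."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]  # strip any path
    cleaned = re.sub(r"[^A-Za-z0-9._-]", "_", base).lstrip(".")
    return cleaned or "download"


def download_headers(filename, claimed_type):
    """Build response headers for serving an uploaded file as a download."""
    media = normalize_type(claimed_type)
    # multipart/* is never in the allowlist, so the combination described
    # in item 10 (multipart type plus attachment disposition) is never sent.
    if media is None or media not in INERT_TYPES:
        media = FALLBACK_TYPE
    return {
        "Content-Type": media,
        "Content-Disposition": 'attachment; filename="%s"' % safe_filename(filename),
        # Defence in depth for browsers that honour it.
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # Constructed sample upload metadata.
    for name, ctype in [("report.html", "multipart/x-mixed-replace; boundary=x"),
                        ("photo.png", "Image/PNG")]:
        print(name, download_headers(name, ctype))
```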