Date: 31 May 2007
References: ESB-2007.0362 ESB-2007.0363 ESB-2007.0364 ESB-2007.0389 ESB-2007.0410 ESB-2007.0414 ESB-2007.0425 ESB-2007.0552 AA-2009.0101
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
A U S C E R T A L E R T
AL-2007.0070 -- AUSCERT ALERT
[Win][UNIX/Linux]
Updates for various Mozilla products: Firefox, Thunderbird amd SeaMonkey
31 May 2007
===========================================================================
AusCERT Alert Summary
---------------------
Product: Firefox versions prior to 2.0.0.4
Thunderbird versions prior to 1.5.0.12
SeaMonkey versions prior to 1.1.2 and 1.0.9
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Impact: Execute Arbitrary Code/Commands
Access Privileged Data
Cross-site Scripting
Provide Misleading Information
Denial of Service
Access: Remote/Unauthenticated
CVE Names: CVE-2007-2871 CVE-2007-2870 CVE-2007-2869
CVE-2007-2868 CVE-2007-2867 CVE-2007-1558
CVE-2007-1362
Member content until: Thursday, June 28 2007
Original Bulletin:
http://www.mozilla.org/security/announce/2007/mfsa2007-12.html
http://www.mozilla.org/security/announce/2007/mfsa2007-13.html
http://www.mozilla.org/security/announce/2007/mfsa2007-14.html
http://www.mozilla.org/security/announce/2007/mfsa2007-15.html
http://www.mozilla.org/security/announce/2007/mfsa2007-16.html
http://www.mozilla.org/security/announce/2007/mfsa2007-17.html
OVERVIEW:
Information has been released regarding multiple vulnerabilities in
various Mozilla products, the most serious of which allow the
remote execution of arbitrary code.
IMPACT:
The following vulnerabilities exist in Mozilla products:
o MFSA-2007-12 (CVE-2007-2867, CVE-2007-2868) describes several
stability bug fixes, some of which result in memory corruption
and the potential to execute arbitrary code.
o MFSA-2007-13 (CVE-2007-2869) describes a denial of service
vulnerability in Firefox which may be triggered by visiting a
malicious web page.
o MFSA-2007-14 (CVE-2007-1362) describes two vulnerabilities in
the way Firefox and SeaMonkey handle cookies with the potential
to cause a denial of service.
o MFSA-2007-15 (CVE-2007-1558) describes a vulnerability in
Thunderbird and SeaMonkey APOP authentication functionality
which may allow disclosure of the first part of APOP password
if connecting to a malicious mail server.
o MFSA-2007-16 (CVE-2007-2870) describes a cross site scripting
vulnerability in the addEventListener function of Firefox and
SeaMonkey.
o MFSA-2007-17 (CVE-2007-2871) describes a vulnerability in
Firefox and SeaMonkey which allows XUL popups to be spoofed,
providing misleading infomation to the user.
MITIGATION:
The above mentioned vulnerabilities have been corrected by new
releases of Mozilla Firefox, Thunderbird and Seamonkey. Users of
these products are encouraged to upgrade to these new releases,
which are available from the Mozilla web site [1].
Mitigation strategies have been identified for some, but not all
vulnerabilities.
REFERENCES:
[1] Mozilla Downloads
http://www.mozilla.org/download.html
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBRl5RDSh9+71yA2DNAQIWxQP/bVNLCAcJi3eGiDS2BAu8YwrBTwWGfWPS
K3PLHf+fxZAzwkruDi841UZ9MqWMWFzYR3adO4FP98JvfgHb/vS6LgaHeoN2KTv8
tU5DvadylJo+oX6/nwu2ZA4Londnxlzz5zMWnT743uWjuABUVVZVhsgeiryv0xyO
77UUEGjLDW4=
=A4i/
-----END PGP SIGNATURE-----
|