copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Training
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login

  Home » Security Bul... » By Operating... » UNIX (all) » Solaris » AL-2008.0014 -- [Win][UNIX/Linux] -- Multiple vulner...
 

AL-2008.0014 -- [Win][UNIX/Linux] -- Multiple vulnerabilities in Mozilla Firefox, Thunderbird, and SeaMonkey
Date: 08 February 2008
References: ESB-2008.0133  ESB-2008.0134  ESB-2008.0199  AA-2008.0051  AU-2008.0004  ESB-2008.0608  ESB-2008.0697  

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T

                       AL-2008.0014 -- AUSCERT ALERT
                             [Win][UNIX/Linux]
  Multiple vulnerabilities in Mozilla Firefox, Thunderbird, and SeaMonkey
                              8 February 2008

===========================================================================

        AusCERT Alert Summary
        ---------------------

Product:              Mozilla Firefox 2.0.0.11 and prior
                      Mozilla Thunderbird 2.0.0.10 and prior
                      Mozilla SeaMonkey 1.1.7 and prior
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact:               Execute Arbitrary Code/Commands
                      Access Confidential Data
                      Read-only Data Access
                      Cross-site Scripting
                      Denial of Service
                      Inappropriate Access
                      Provide Misleading Information
Access:               Remote/Unauthenticated
CVE Names:            CVE-2008-0412 CVE-2008-0413 CVE-2008-0414
                      CVE-2008-0415 CVE-2008-0417 CVE-2008-0418
                      CVE-2008-0419 CVE-2008-0591 CVE-2008-0592
                      CVE-2008-0593 CVE-2008-0594
Member content until: Friday, March 07 2008

Original Bulletin:  
  http://www.mozilla.org/security/announce/2008/mfsa2008-01.html
  http://www.mozilla.org/security/announce/2008/mfsa2008-02.html
  http://www.mozilla.org/security/announce/2008/mfsa2008-03.html
  http://www.mozilla.org/security/announce/2008/mfsa2008-04.html
  http://www.mozilla.org/security/announce/2008/mfsa2008-05.html
  http://www.mozilla.org/security/announce/2008/mfsa2008-06.html
  http://www.mozilla.org/security/announce/2008/mfsa2008-08.html
  http://www.mozilla.org/security/announce/2008/mfsa2008-09.html
  http://www.mozilla.org/security/announce/2008/mfsa2008-10.html
  http://www.mozilla.org/security/announce/2008/mfsa2008-11.html

Comment: MFSA-2008-07 does not appear to exist.


OVERVIEW:

        Information has been released regarding multiple vulnerabilities in 
        various Mozilla products, the most serious of which allows the 
        remote execution of arbitrary code.


IMPACT: 

        The following vulnerabilities exist in Mozilla Firefox, Thunderbird
        and/or SeaMonkey:

          o MFSA-2007-01 (CVE-2008-0412, CVE-2008-0413) A vulnerability
            in the browser JavaScript engine could allow arbitrary code
            execution by a remote attacker.

          o MFSA-2007-02 (CVE-2008-0414) A variant of the input focus
            bugs reported previously, this vulnerability could allow an
            attacker to obtain arbitrary user files.

          o MFSA-2007-03 (CVE-2008-0415) This vulnerability could allow
            a specially crafted script to break out of the sandbox
            environment and inject a script into another site.

          o MFSA-2008-04 (CVE-2008-0417) When a user saves their password
            for a malicious site in the password store, the other passwords
            can become corrupted.

          o MFSA-2007-05 (CVE-2008-0418) Plugins that use "flat" packaging
            are vulnerable to a directory traversal attack that could allow
            loading of JavaScript, images and stylesheets.

          o MFSA-2007-06 (CVE-2008-0419) Pages that use "designMode" frames
            could change the history, crash the browser, and possibly
            execute arbitrary code.

          o MFSA-2008-08 (CVE-2008-0591) Timer-enables security dialogs
            can be subverted by changing focus. The user could then be
            tricked into clicking the dialog by bringing it back into
            focus.

          o MFSA-2007-09 (CVE-2008-0592) When a file with
            "Content-Disposition: attachment" and "Content-Type: plain/text"
            set is saved, text files will prompt the user to save rather
            than displaying the file.

          o MFSA-2007-10 (CVE-2008-0593) The "href" property on DOM nodes
            is updated to the final URI when following a 302 redirect.
            This could reveal sensitive information.

          o MFSA-2008-11 (CVE-2008-0594) If a page is contained in "div"
            tags with absolute positioning, a user will not see a forgery
            warning until switching off that tab and then back to it.


MITIGATION:

        The above mentioned vulnerabilities have been corrected by new 
        releases of Mozilla Firefox 2.0.0.12 [1], and SeaMonkey 1.1.8 [2].
        Users of these products are encouraged to upgrade to these new
        releases, which are available from the Mozilla web site. 

        Thunderbird 2.0.0.12 is referenced as having corrected the problems
        however currently only version 2.0.0.9 is available for download [3].

        Mitigation strategies have been identified for some, but not all 
        vulnerabilities.


REFERENCES:

        [1] Firefox web browser | Faster, more secure, & customizable
            http://www.mozilla.com/en-US/firefox/

        [2] The SeaMonkey Project
            http://www.seamonkey-project.org/

        [3] Thunderbird - Reclaim your inbox
            http://www.mozilla.com/en-US/thunderbird/


AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBR6vLZih9+71yA2DNAQJ0vQP+OeGSg32vZHvA8EO1ESIjYgxppGs9N3fs
46zpc6wntY8D8DKnvxTjcROqrVuHLrON3BMAhYJjM79x6f5Hu4FOmzg3Z4dloquH
JOQBInG2JCLz77RzpzKrolN0lgeIiPiuQo1WUXXBNvA8oBMt1y7uCAGpRkdKH7bk
Tk+Lxh4NfWs=
=kVL8
-----END PGP SIGNATURE-----




Comments? Click here http://www.auscert.org.au/8761