
AL-2006.0127 -- [Win][UNIX/Linux][OSX] -- Mozilla Products Contain Multiple Vulnerabilities

Date: 20 December 2006
References: ESB-2007.0100 ESB-2006.0930 ESB-2006.0931 ESB-2006.0932 ESB-2007.0056 ESB-2007.0084 ESB-2007.0147 ESB-2007.0155 ESB-2007.0186 ESB-2007.0195 ESB-2007.0257 ESB-2007.0401

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T

                       AL-2006.0127 -- AUSCERT ALERT
                          [Win][UNIX/Linux][OSX]
             Mozilla Products Contain Multiple Vulnerabilities
                             20 December 2006

===========================================================================

        AusCERT Alert Summary
        ---------------------

Product:              Firefox versions prior to 2.0.0.1
                      Firefox versions prior to 1.5.0.9
                      Thunderbird versions prior to 1.5.0.9
                      SeaMonkey versions prior to 1.0.7
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact:               Execute Arbitrary Code/Commands
                      Access Privileged Data
                      Increased Privileges
                      Cross-site Scripting
                      Denial of Service
Access:               Remote/Unauthenticated
CVE Names:            CVE-2006-6497 CVE-2006-6498 CVE-2006-6499
                      CVE-2006-6500 CVE-2006-6501 CVE-2006-6502
                      CVE-2006-6503 CVE-2006-6504 CVE-2006-6505
                      CVE-2006-6506 CVE-2006-6507
Member content until: Wednesday, January 17 2007

Original Bulletin:
    http://www.mozilla.org/security/announce/2006/mfsa2006-68.html
    http://www.mozilla.org/security/announce/2006/mfsa2006-69.html
    http://www.mozilla.org/security/announce/2006/mfsa2006-70.html
    http://www.mozilla.org/security/announce/2006/mfsa2006-71.html
    http://www.mozilla.org/security/announce/2006/mfsa2006-72.html
    http://www.mozilla.org/security/announce/2006/mfsa2006-73.html
    http://www.mozilla.org/security/announce/2006/mfsa2006-74.html
    http://www.mozilla.org/security/announce/2006/mfsa2006-75.html
    http://www.mozilla.org/security/announce/2006/mfsa2006-76.html


OVERVIEW:
        
        Multiple vulnerabilities have been discovered in various Mozilla 
        products, the most serious of which allow the remote execution of
        arbitrary code.


IMPACT: 

        The vulnerabilities MFSA-2006-68, MFSA-2006-69, MFSA-2006-71, 
        MFSA-2006-73 and MFSA-2006-74 may allow the execution of 
        arbitrary code in Firefox, Thunderbird and SeaMonkey (with the 
        exception of MFSA-2006-73 and MFSA-2006-74). 
        
        MFSA-2006-70 may allow privilege escalation.

        MFSA-2006-71 and MFSA-2006-76 may allow cross-site script 
        injection.

        MFSA-2006-75 may allow the disclosure of information, but only 
        affects Firefox 2.0.


MITIGATION:

        The above-mentioned vulnerabilities have been corrected by new 
        releases of Mozilla Firefox, Thunderbird and SeaMonkey. Users of 
        these products are encouraged to upgrade to these new releases, 
        which are available from the Mozilla web site [1]. 

        Mitigation strategies have been identified for some, but not all 
        vulnerabilities.
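
        An added example, not part of the AusCERT alert or any Mozilla
        code: a check of a software inventory against the fixed releases
        listed under "Product" above. It assumes installs report a dotted
        numeric version, that Firefox 2.0.x is compared against 2.0.0.1
        and every other Firefox branch against 1.5.0.9, and uses
        constructed host names.

```python
# Fixed releases taken from the alert's "Product" list.
# Each entry: (branch prefix or None for "any other branch", first fixed version).
FIXED_RELEASES = {
    "firefox": [((2, 0), (2, 0, 0, 1)), (None, (1, 5, 0, 9))],
    "thunderbird": [(None, (1, 5, 0, 9))],
    "seamonkey": [(None, (1, 0, 7, 0))],
}

def parse_version(text):
    """Turn '1.5.0.9' into (1, 5, 0, 9); short versions are zero-padded."""
    parts = text.strip().split(".")
    if len(parts) > 4 or not all(p.isdigit() for p in parts):
        raise ValueError("unsupported version string: %r" % text)
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))

def is_affected(product, version):
    """True if this product/version predates the fixed release for its branch."""
    branches = FIXED_RELEASES.get(product.strip().lower())
    if branches is None:
        raise ValueError("product not covered by this alert: %r" % product)
    v = parse_version(version)
    for prefix, fixed in branches:
        # Tuples compare numerically, so 1.5.0.10 sorts after 1.5.0.9.
        if prefix is None or v[:len(prefix)] == prefix:
            return v < fixed
    return False

def hosts_needing_upgrade(inventory):
    """Return the (host, product, version) rows that still need the update."""
    return [row for row in inventory if is_affected(row[1], row[2])]

# Constructed sample inventory (hypothetical hosts).
SAMPLE_INVENTORY = [
    ("ws-01", "Firefox", "2.0"),
    ("ws-02", "Firefox", "1.5.0.9"),
    ("ws-03", "Thunderbird", "1.5.0.8"),
    ("ws-04", "SeaMonkey", "1.0.7"),
    ("ws-05", "Firefox", "1.5.0.10"),
]

if __name__ == "__main__":
    for host, product, version in hosts_needing_upgrade(SAMPLE_INVENTORY):
        print("%s: %s %s predates the fixed release" % (host, product, version))
```

        A single "older than 2.0.0.1" comparison would wrongly flag the
        patched 1.5.0.9 release, which is why each branch is compared
        against its own fixed version.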


REFERENCES:

        [1] Mozilla
            http://www.mozilla.org/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBRYiMNih9+71yA2DNAQKSNQP/XHxNNf5GC+D2Vj/7iWczSzHqIkpD4aeO
wSpzEPQSOi47QX3lw3VfYslEs+9DKDjbBRjdJvew8xh8I40oRrWsgD6Twh82/SXI
aHlqsslTdUhM/s5URzN/pB1fmOPPrxYShiVEOG06qH7tD5FY1zFjrraaCgkrnm1l
+s3Zyfriphc=
=E8nn
-----END PGP SIGNATURE-----