07-27-2006 The following CERT alert has been issued on Mozilla products:
National Cyber Alert System
Technical Cyber Security Alert TA06-208A
Mozilla Products Contain Multiple Vulnerabilities

Original release date: July 27, 2006
Source: US-CERT

Systems Affected

* Mozilla SeaMonkey
* Mozilla Firefox
* Mozilla Thunderbird

Any products based on Mozilla components, specifically Gecko, may also be affected.

Overview

The Mozilla web browser and derived products contain several vulnerabilities, the most serious of which could allow a remote attacker to execute arbitrary code on an affected system.

I. Description

Several vulnerabilities have been reported in the Mozilla web browser and derived products. More detailed information is available in the individual vulnerability notes, including the following:

* VU#476724 - Mozilla products fail to properly handle frame references. Mozilla products fail to properly handle frame or window references. This may allow a remote attacker to execute arbitrary code on a vulnerable system. (CVE-2006-3801)
* VU#670060 - Mozilla fails to properly release JavaScript references. Mozilla products fail to properly release memory. This vulnerability may allow a remote attacker to execute code on a vulnerable system. (CVE-2006-3677)
* VU#239124 - Mozilla fails to properly handle simultaneous XPCOM events. Mozilla products are vulnerable to memory corruption via simultaneous XPCOM events. This may allow a remote attacker to execute arbitrary code on a vulnerable system. (CVE-2006-3113)
* VU#265964 - Mozilla products contain a race condition. This vulnerability may allow a remote attacker to execute code on a vulnerable system. (CVE-2006-3803)
* VU#897540 - Mozilla products VCard attachment buffer overflow. Mozilla products fail to properly handle malformed VCard attachments, allowing a buffer overflow to occur. This vulnerability may allow a remote attacker to execute arbitrary code on a vulnerable system. (CVE-2006-3804)
* VU#876420 - Mozilla fails to properly handle garbage collection. The Mozilla JavaScript engine fails to properly perform garbage collection, which may allow a remote attacker to execute arbitrary code on a vulnerable system. (CVE-2006-3805)
* VU#655892 - Mozilla JavaScript engine contains multiple integer overflows. This vulnerability may allow a remote attacker to execute arbitrary code on a vulnerable system. (CVE-2006-3806)
* VU#687396 - Mozilla products fail to properly validate JavaScript constructors. Mozilla products fail to properly validate references returned by JavaScript constructors. This vulnerability may allow a remote attacker to execute arbitrary code on a vulnerable system. (CVE-2006-3807)
* VU#527676 - Mozilla contains multiple memory corruption vulnerabilities. Mozilla products contain multiple vulnerabilities that can cause memory corruption. This may allow a remote attacker to execute arbitrary code on a vulnerable system. (CVE-2006-3811)

II. Impact

A remote, unauthenticated attacker could execute arbitrary code on a vulnerable system. An attacker may also be able to cause the vulnerable application to crash.

III. Solution

Upgrade

Upgrade to Mozilla Firefox 1.5.0.5, Mozilla Thunderbird 1.5.0.5, or SeaMonkey 1.0.3.

Disable JavaScript and Java

These vulnerabilities can be mitigated by disabling JavaScript and Java in all affected products. Instructions for disabling Java in Firefox can be found in the "Securing Your Web Browser" document.

Appendix A. References

* US-CERT Vulnerability Notes Related to July Mozilla Security Advisories - http://www.kb.cert.org/vuls/byid?searchview&query=firefox_1505
* CVE-2006-3801 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3801
* CVE-2006-3677 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3677
* CVE-2006-3113 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3113
* CVE-2006-3803 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3803
* CVE-2006-3804 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3804
* CVE-2006-3805 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3805
* CVE-2006-3806 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3806
* CVE-2006-3807 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3807
* CVE-2006-3811 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3811
* Mozilla Foundation Security Advisories - http://www.mozilla.org/security/announce/
* Known Vulnerabilities in Mozilla Products - http://www.mozilla.org/projects/security/known-vulnerabilities.html
* Securing Your Web Browser - http://www.us-cert.gov/reading_room/securing_browser/browser_security.html#Mozilla_Firefox

The most recent version of this document can be found at: http://www.us-cert.gov/cas/techalerts/TA06-208A.html

Feedback can be directed to US-CERT Technical Staff. Please send email to cert@cert.org with "TA06-208A Feedback VU#239124" in the subject.

For instructions on subscribing to or unsubscribing from this mailing list, visit http://www.us-cert.gov/cas/signup.html

Produced 2006 by US-CERT, a government organization.

Terms of use: http://www.us-cert.gov/legal.html
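The Solution section gives one fixed release per product, so the practical first step for a defender is to triage an inventory against those versions. The script below is an added example, not part of the US-CERT alert; it assumes a constructed inventory of (host, product, version) entries and hypothetical host names, and it compares versions numerically so that a later patch level such as 1.5.0.10 is not mistaken for an older one.

```python
"""Exposure triage for TA06-208A (added example; not US-CERT's code)."""
import re

# Fixed releases named in the alert's Solution section.
FIXED_VERSIONS = {
    "firefox": "1.5.0.5",
    "thunderbird": "1.5.0.5",
    "seamonkey": "1.0.3",
}


def parse_version(version):
    """Turn '1.5.0.5' into (1, 5, 0, 5) so comparison is numeric.

    A plain string compare would rank '1.5.0.10' below '1.5.0.5'.
    """
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(product, version):
    """True if the version is older than the fixed release in TA06-208A.

    Returns None for products not in the fixed list: the alert says other
    Gecko-based products may also be affected, so those need manual review
    rather than being silently reported as clean.
    """
    fixed = FIXED_VERSIONS.get(product.lower())
    if fixed is None:
        return None
    return parse_version(version) < parse_version(fixed)


def triage(inventory):
    """Bucket (host, product, version) entries into affected/fixed/review."""
    result = {"affected": [], "fixed": [], "review": []}
    for host, product, version in inventory:
        status = is_affected(product, version)
        key = "review" if status is None else ("affected" if status else "fixed")
        result[key].append((host, product, version))
    return result


# Constructed sample inventory with hypothetical host and product names.
SAMPLE_INVENTORY = [
    ("ws01", "Firefox", "1.5.0.4"),
    ("ws02", "Firefox", "1.5.0.5"),
    ("ws03", "Thunderbird", "1.5.0.10"),  # later patch level, already fixed
    ("ws04", "SeaMonkey", "1.0.2"),
    ("ws05", "GeckoApp", "1.0"),  # hypothetical Gecko-based product
]

if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE_INVENTORY).items():
        print(bucket, entries)
```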