
SANS ISC: InfoSec Handlers Diary Blog



Security patches for Mozilla Firefox/Thunderbird/SeaMonkey

Published: 2006-07-26
Last Updated: 2006-07-26 23:37:47 UTC
by Bojan Zdrnja (Version: 1)
The Mozilla Foundation has released new versions of its Firefox, Thunderbird and SeaMonkey products.

The new versions fix numerous security vulnerabilities, some of which are rated critical. Here's a short overview of the vulnerabilities that have been fixed:

MFSA 2006-44 (http://www.mozilla.org/security/announce/2006/mfsa2006-44.html): Code execution through deleted frame reference.
This vulnerability allows remote execution and affects only Firefox 1.5 and SeaMonkey 1.0. As Thunderbird uses the same browser engine as Firefox, it is vulnerable to this as well, but JavaScript parsing in e-mails is not turned on by default (and we recommend that it stays turned off).

MFSA 2006-45 (http://www.mozilla.org/security/announce/2006/mfsa2006-45.html): Javascript navigator Object Vulnerability.
Another remote execution vulnerability, affects Firefox 1.5 and SeaMonkey.

MFSA 2006-46 (http://www.mozilla.org/security/announce/2006/mfsa2006-46.html): Memory corruption with simultaneous events.
Remote execution vulnerability, affects Firefox and SeaMonkey.

MFSA 2006-47 (http://www.mozilla.org/security/announce/2006/mfsa2006-47.html): Native DOM methods can be hijacked across domains.
Information leaking vulnerability, can be combined with XSS, although limited. Affects Firefox and SeaMonkey.

MFSA 2006-48 (http://www.mozilla.org/security/announce/2006/mfsa2006-48.html): JavaScript new Function race condition.
Remote execution vulnerability, affects Firefox, Thunderbird and SeaMonkey.

MFSA 2006-49 (http://www.mozilla.org/security/announce/2006/mfsa2006-49.html): Heap buffer overwrite on malformed vCard.
Affects Thunderbird and SeaMonkey.

MFSA 2006-50 (http://www.mozilla.org/security/announce/2006/mfsa2006-50.html): JavaScript engine vulnerabilities
Multiple vulnerabilities which can lead to remote execution, affect Firefox, Thunderbird and SeaMonkey.

MFSA 2006-51 (http://www.mozilla.org/security/announce/2006/mfsa2006-51.html): Privilege escalation using named-functions and redefined "new Object()".
Remote execution vulnerability, affects Firefox, Thunderbird, SeaMonkey.

MFSA 2006-52 (http://www.mozilla.org/security/announce/2006/mfsa2006-52.html): PAC privilege escalation using Function.prototype.call
Remote script execution vulnerability through a "poisoned" PAC file. Affects Firefox and SeaMonkey.

MFSA 2006-53 (http://www.mozilla.org/security/announce/2006/mfsa2006-53.html): UniversalBrowserRead privilege escalation.
Remote script execution vulnerability, affects Firefox, Thunderbird and SeaMonkey.

MFSA 2006-54 (http://www.mozilla.org/security/announce/2006/mfsa2006-54.html): XSS with XPCNativeWrapper(window).Function(...).
XSS vulnerability using the XPCNativeWrapper construct. Affects Firefox, Thunderbird and SeaMonkey.

MFSA 2006-55 (http://www.mozilla.org/security/announce/2006/mfsa2006-55.html): Crashes with evidence of memory corruption (rv:1.8.0.5).
Probably just a DoS attack, but there is a possibility that it could be turned into a remote execution vulnerability. Affects Firefox, Thunderbird and SeaMonkey.

MFSA 2006-56 (http://www.mozilla.org/security/announce/2006/mfsa2006-56.html): chrome: scheme loading remote content
Remote script execution vulnerability that affects Firefox and SeaMonkey.


As some of these vulnerabilities are critical, upgrade as soon as possible; otherwise, check the original advisories for potential workarounds. In most cases the vulnerabilities are JavaScript related, so turning off JavaScript will help (and that goes in general).

