French Security Incident Response Team

FrSIRT   

      

   français French  anglais English

 
Vulnerability Notification Service
 FrSIRT Partner Program
 14-Day Free Trial
Contact FrSIRT Sales Dept.
 

Security Advisories
Linux Security Advisories
Virus and Threats Advisories
Latest Security News
Latest Zero Day Threats
Advisories and vulnerabilities by Vendor
Advisories and vulnerabilities by Keyword
 

Report a security incident
Report a new vulnerability
Security Mailinglist
 

Our Company
FrSIRT in the News
Advertise on FrSIRT.COM
Security Researchers and Exploit Writers Jobs
Contact Us

Mozilla Products Multiple Memory Corruption and Security Bypass Issues

Title : Mozilla Products Multiple Memory Corruption and Security Bypass Issues
Advisory ID : FrSIRT/ADV-2006-0413
CVE ID : CVE-2005-4134 - CVE-2006-0292 - CVE-2006-0293 - CVE-2006-0294 - CVE-2006-0295 - CVE-2006-0296 - CVE-2006-0297 - CVE-2006-0298 - CVE-2006-0299
Rated as : Critical 
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2006-02-02

Advisory Details
 
  Description
  Affected Products
  Solution
  References
Technical Description    Receive FrSIRT alerts in a Text format  Receive FrSIRT alerts in a PDF format  Receive FrSIRT alerts in an XML format  Receive FrSIRT notifications by SMS 

Multiple vulnerabilities were identified in Mozilla Suite, Mozilla Firefox and Thunderbird, which may be exploited by remote attackers to take complete control of an affected system or bypass security restrictions.

The first issue is due to errors in the JavaScript engine that fails to properly protect certain temporary variables during garbage collection, which could be exploited by malicious web sites to cause a memory corruption and potentially execute arbitrary commands.

The second flaw is due to a memory corruption error when dynamically changing the style of an element from "position:relative" to "position:static", which could be exploited by remote attackers to compromise a vulnerable system.

The third vulnerability is due to an error when handling large history information passed the the "history.dat" file (e.g. an overly large title), which could be exploited via a specially crafted Web page to cause a vulnerable application to crash or consume a large amount of system resources. For additional information, see : FrSIRT/ADV-2005-2805

The fourth issue is due to a memory corruption error when calling the "QueryInterface" method of the built-in Location and Navigator objects, which could be exploited by remote attackers to execute arbitrary commands.

The fifth flaw is due to an error in the "XULDocument.persist()" function that does not properly validate the attribute name, which could be exploited by attackers to execute arbitrary JavaScript commands with the permissions of the browser by injecting XML into "localstore.rdf".

The sixth vulnerability is due to integer overflow errors in the E4X, SVG, and Canvas features, which could be exploited by malicious web sites to execute arbitrary commands.

The seventh issue is due to an error in the XML parser, which could be exploited by remote attackers to crash a vulnerable application and potentially incorporate private data into the DOM of an XML document.

The eighth flaw is due to an error in the E4X implementation that exposes the internal "AnyName" object to web content, which could be exploited by malicious web sites to bypass security restrictions.

Note : A fully functional exploit has been released.

Credits

Vulnerabilities reported by Igor Bukanov, Martijn Wargers, ZIPLOCK, Georgi Guninski, moz_bug_r_a4, Johnny Stenback and Brendan Eich.

ChangeLog

2006-02-02 : Initial release
2006-02-07 : Exploit released

Vulnerability Management

Subscribe to FrSIRT VNS and receive real-time e-mail and SMS alerts when new vulnerabilities, exploits, or patches relevant to your systems and network configurations are available.

Feedback

If you have additional information or corrections for this security advisory please submit them via our contact form or by email to updates@frsirt.com.
 
 

Search
      

Mailinglist
    
 

Apple Mac OS X Command Execution and Security Bypass Issues

Apple Safari for Mac OS X Remote Code Execution Vulnerability

Apple Mac OS X ARDAgent Local Privilege Escalation Vulnerability

Apple Safari Code Execution and Information Disclosure Vulnerabilities

Apple QuickTime Multiple File Handling Code Execution Vulnerabilities

Apple Safari for Windows Remote Code Execution Vulnerability

Apple Mac OS X Command Execution and Security Bypass Issues

Sun Solaris Tomcat JSP/Servlet Container Multiple Vulnerabilities

Sun Java System Access Manager XSLT Code Execution Vulnerability

Sun Solaris 10 Adobe Reader Multiple Code Execution Vulnerabilities

Sun Solaris "snmpXdmid" Packet Handling Denial of Service Vulnerability

Sun Solaris FreeType2 Library Multiple Memory Corruption Vulnerabilities

Sun Java System Calendar Server Denial of Service Vulnerability

Sun Solaris SMA SNMPv3 Authentication Bypass Vulnerability

Mozilla Products Remote Code Execution and Security Bypass Issues

Mozilla Firefox Unspecified Remote Command Execution Vulnerability

Mozilla JavaScript Garbage Collector Code Execution Vulnerability

Mozilla Thunderbird Code Execution and Cross Site Scripting Issues

Mozilla Firefox and SeaMonkey Multiple Remote Code Execution Issues

Mozilla Thunderbird Multiple Security Bypass and Code Execution Issues

Mozilla Firefox and SeaMonkey Multiple Remote Code Execution Issues

Copyright 2003-2008 © FrSIRT.COM - Privacy Policy