Multiple vulnerabilities have been identified in Mozilla Firefox, Mozilla Suite, SeaMonkey, and Thunderbird, which may be exploited by remote attackers to take complete control of an affected system, bypass security restrictions, or disclose sensitive information.
The first issue is due to errors when handling JavaScript code that uses a modal alert to suspend an event handler while a new page is being loaded, which could be exploited by attackers to conduct cross domain scripting attacks and read cookies or arbitrary data from another domain via a malicious web page or email message.
The second flaw is due to memory corruption errors in the JavaScript engine that fails to properly protect certain temporary variables during garbage collection, which could be exploited by malicious web sites to execute arbitrary commands.
The third vulnerability is due to a memory corruption error in the CSS border-rendering code, which could be exploited by attackers to crash a vulnerable application or execute arbitrary commands.
The fourth flaw is due to a memory corruption error in the JavaScript engine when handling overly large regular expressions, which could be exploited by malicious web sites to crash a vulnerable application or execute arbitrary commands.
The fifth issue is due to errors when programmatically changing the "-moz-grid" and "-moz-grid-group" display styles, which could be exploited by malicious web sites to execute arbitrary commands.
The sixth flaw is due to a memory corruption error when handling a specially crafted "InstallTrigger.install()" method, which could be exploited by malicious web sites to crash a vulnerable application or execute arbitrary commands.
The seventh issue is due to an error when loading a secure site in a pop-up window then changing its location to a different site, which could be exploited by malicious web sites to spoof the browser's secure-site indicators (the lock icon, the site name in the URL field, the gold URL field background in Firefox).
The eighth vulnerability is due to an error when processing a web page that layers a transparent image link to an executable on top of a visible image, which could be exploited by attackers to right-click and choose "Save image as..." from the context menu and download a malicious executable masqueraded as a safe image file.
The ninth flaw is due to an error when handling JavaScript functions created using the eval associated with methods of an XBL binding, which could be exploited by attackers to execute arbitrary code with the full permission of the user running a vulnerable application.
The tenth issue is due to an error where the "clone parent" function object is accessible via the "Object.watch()" method, which could be exploited by attackers to compromise a vulnerable system.
The eleventh is due to an error where the compilation scope of privileged built-in XBL bindings is accessible via "valueOf.call()" and "valueOf.apply()" or via an XBL method inserted into the DOM's "document.body prototype" chain, which could be exploited by attackers to compromise a vulnerable system.
The twelfth vulnerability is due to an origin validation error when processing the "window.controllers" array, which could be exploited by attackers to conduct cross domain scripting attacks and read cookies or arbitrary data from another domain via a malicious web page.
The thirteenth flaw is due to a memory corruption error when handling malformed HTML tags, which could be exploited by malicious web sites to compromise a vulnerable system.
The fourteenth issue is due to an origin validation error when processing the ".valueOf.call()" and ".valueOf.apply()" functions, which could be exploited by attackers to conduct cross domain scripting attacks and read cookies or arbitrary data from another domain via a malicious web page.
The fifteenth vulnerability is due memory corruption errors when processing malformed DHTML tags, which could be exploited by malicious web sites to compromise a vulnerable system.
The sixteenth flaw is due to a heap overflow error when handling a specially crafted CSS "letter-spacing" property, which could be exploited by remote attackers to execute arbitrary commands via a malicious web page.
The seventeenth issue is due to an error when handling a specially crafted text input box, which could be exploited by malicious web sites to gain access to arbitrary files on a vulnerable system.
The eighteenth flaw is due to an error when processing a specially crafted "crypto.generateCRMFRequest" method, which could be exploited by malicious web sites to compromise a vulnerable system.
The nineteenth vulnerability is due to an error when a web page containing specially crafted scripts in an XBL control is viewed under "Print Preview", which could be exploited by malicious web sites to gain chrome privileges and execute arbitrary commands.
The twentieth flaw is due to an error when handling specially crafted "setTimeout()" and "ForEach" functions, which could be exploited by attackers to bypass security checks in "js_ValueToFunctionObject()" and execute arbitrary commands.
The twenty-first flaw is due to an error in the interaction between XUL content windows and the new faster history mechanism, which could be exploited by malicious web sites to conduct spoofing attacks.
The twenty-second vulnerability is due to an error in Thunderbird that fails to properly restrict access to remote content referenced by an HTML mail message, which could be exploited by attackers to determine valid email addresses or disclose sensitive information.
The twenty-third issue is due to an error when forwarding mail in-line while using the default HTML "rich mail" editor, which could be exploited by attackers to execute arbitrary JavaScript code embedded in a malicious email message.
The twenty-fourth flaw is due to a memory corruption error when handling an invalid and nonsensical ordering of table-related tags, which could be exploited by malicious web sites to compromise a vulnerable system.
Credits
Vulnerabilities reported by shutdown, moz_bug_r_a4, Igor Bukanov, Bernd Mielke, Alden D'Souza, Martijn Wargers, Bob Clary, Tristor, Michael Krax, TippingPoint, Claus Jørgensen, Georgi Guninski, and CrashFr.
ChangeLog
2006-04-13 : Initial release
2006-04-21 : Additional vulnerabilities disclosed
Vulnerability Management
Subscribe to FrSIRT VNS and receive real-time e-mail and SMS alerts when new vulnerabilities, exploits, or patches relevant to your systems and network configurations are available.
Feedback
If you have additional information or corrections for this security advisory please submit them via our contact form or by email to updates@frsirt.com.
French
