Multiple vulnerabilities have been identified in Mozilla Firefox, SeaMonkey, and Thunderbird, which may be exploited by remote attackers to take complete control of an affected system, bypass security restrictions, disclose sensitive information, or execute arbitrary scripting code.
The first issue is due to an error when handling javascript run via "EvalInSandbox", which could be exploited by malicious web sites to bypass the sandbox and gain elevated privilege via "valueOf()".
The second flaw is due to memory corruption errors when handling malformed HTML or JavaScript code, which could be exploited by malicious web sites to crash a vulnerable application or execute arbitrary commands.
The third vulnerability is due to errors when handling HTTP headers received through certain proxy servers, which could be exploited by malicious people to conduct HTTP response smuggling attacks.
The fourth issue is due to an error when processing broken images accessed via the "View Image" feature, which could be exploited by malicious web sites to conduct cross site scripting attacks.
The fifth vulnerability is due to an error where certain persisted XUL attributes are associated with the wrong URL, which could be exploited by attackers to compromise a vulnerable system.
The sixth issue is due to an error when handling specially crafted Javascript code and "PLUGINSPAGE" attributes, which could be exploited by attackers to execute arbitrary scripting code.
The seventh vulnerability is due to an error where content-defined setters on an object prototype are called by privileged UI code, which could be exploited by attackers to compromise a vulnerable system.
The eighth flaw is due to a buffer overflow error in "crypto.signText()", which could be exploited by attackers to compromise a vulnerable system.
The ninth issue is due to an error when right-clicking and choosing "View Image" on a broken image referencing a local resource, which could be exploited by attackers to bypass security restrictions and disclose sensitive information.
The tenth flaw is due to a double-free error when processing a large VCard containing invalid base64 characters, which could be exploited by attackers to execute arbitrary commands.
The eleventh issue is due to an error when handling a specially crafted text input box, which could be exploited by malicious web sites to gain access to arbitrary files on a vulnerable system.
The twelfth vulnerability is due to an error where Unicode Byte-order-Mark (BOM) is stripped from UTF-8 pages during Unicode conversion, which could be exploited by attackers to bypass security restrictions and conduct cross site scripting attacks.
The thirteenth flaw is due to an error related to the "nsISelectionPrivate" interface, which could be exploited by malicious web sites to execute arbitrary commands.
Credits
Vulnerabilities reported by moz_bug_r_a4, Jesse Ruderman, Boris Zbarsky, Neil Rashbrook, Georgi Guninski, L. David Baron, Kazuho Oku, Paul Nickerson, Jonas Sicking, Mikolaj J. Habryn, Eric Foley, Masatoshi Kimura, Chuck McAuley, and Masatoshi Kimura.
ChangeLog
2006-06-02 : Initial release
Vulnerability Management
Subscribe to FrSIRT VNS and receive real-time e-mail and SMS alerts when new vulnerabilities, exploits, or patches relevant to your systems and network configurations are available.
Feedback
If you have additional information or corrections for this security advisory please submit them via our contact form or by email to updates@frsirt.com.
French
