Multiple vulnerabilities have been identified in Mozilla Firefox, SeaMonkey, and Thunderbird, which may be exploited by remote attackers to take complete control of an affected system, bypass security restrictions, or disclose sensitive information.
The first issue is due to an error where JavaScript references to "frame" or "window" objects are not properly cleared when the referenced content is deleted, which could be exploited by attackers to execute arbitrary commands via a malicious web page or email.
The second vulnerability is due to an error when assigning specially crafted values to the "window.navigator" object, which could be exploited by attackers to compromise a vulnerable system by tricking a user into visiting a malicious web page.
The third flaw is due to a memory corruption error when handling simultaneous XPCOM events, which could be exploited by attackers to execute arbitrary commands via a malicious web page or email.
The fourth flaw is due to an error when accessing native DOM methods, which could be exploited by remote attackers to gain unauthorized access to sensitive data (e.g. cookies).
The fifth issue is due to an error when deleting temporary variables being used in the creation of new Function objects, which could be exploited by attackers to compromise a vulnerable system via a malicious web page or email message.
The sixth vulnerability is due to a heap overflow error when processing a VCard attachment containing a malformed base64 field (e.g. photo), which could be exploited by attackers to execute arbitrary commands.
The seventh issue is due to an error when deleting temporary objects, which could be exploited by attackers to compromise a vulnerable system via a malicious web page or email message.
The eighth vulnerability is due to integer overflow errors when processing overly long strings passed to the "toSource()" methods, which could be exploited by attackers to execute arbitrary commands.
The ninth flaw is due to an error in the "Object()" constructor, which could be exploited by attackers to compromise a vulnerable system via a malicious web page or email message.
The tenth issue is due to a privilege escalation error when handling specially crafted Proxy AutoConfig (PAC) scripts, which could be exploited by remote attackers to bypass security restrictions.
The eleventh flaw is due to errors in the "UniversalBrowserRead" and "UniversalBrowserWrite" permissions, which could be exploited by malicious scripts to obtain elevated privileges and install arbitrary programs on a vulnerable system.
The twelfth vulnerability is due to an error when processing specially crafted "XPCNativeWrapper" objects, which could be exploited by malicious people to conduct cross site scripting attacks.
The thirteenth flaw is due to various memory corruption errors, which could be exploited by malicious people to compromise a vulnerable system via a malicious web page.
The fourteenth issue is due to an error when handling chrome URLs, which could be exploited by malicious people to execute arbitrary scripts with elevated privileges.
Credits
Vulnerabilities reported by Thilo Girmann, ZDI, Secunia Research, Thor Larholm, H. D. Moore, Daniel Veditz, Igor Bukanov, shutdown, Georgi Guninski, moz_bug_r_a4, Boris Zbarsky, Darin Fisher, Daniel Veditz, Jesse Ruderman, and Martijn Wargers.
ChangeLog
2006-07-26 : Initial release
Vulnerability Management
Subscribe to FrSIRT VNS and receive real-time e-mail and SMS alerts when new vulnerabilities, exploits, or patches relevant to your systems and network configurations are available.
Feedback
If you have additional information or corrections for this security advisory please submit them via our contact form or by email to updates@frsirt.com.
French
