Multiple vulnerabilities have been identified in Mozilla Firefox and SeaMonkey, which could be exploited by attackers to take complete control of an affected system or bypass security restrictions.
The first issue is due to memory corruption errors in the layout, SVG and JavaScript engines, which could be exploited by attackers to crash a vulnerable application or execute arbitrary commands.
The second vulnerability is due to an error in the Mozilla parser that ignores invalid trailing characters in HTML tag attribute names, which could be exploited by attackers to bypass security restrictions and execute arbitrary scripting code.
The third flaw is due to an error when handling web pages that accept user content and do not specify the character set or encoding used, which could be exploited to bypass security restrictions and conduct cross-site scripting attacks.
The fourth issue is due to an error when loading and caching certain documents, which could be exploited by attackers to steal sensitive data from a particular web page.
The fifth issue is due to an error when handling custom cursors, which could allow malicious websites to spoof browser UI elements (e.g. hostname or security indicators) by using a large cursor and adjusting the CSS3 hotspot property.
The sixth vulnerability is due to an error when handling blocked popups, which could be exploited by attackers to gain unauthorized read access to arbitrary files.
The seventh issue is due to buffer overflow errors in the Network Security Services (NSS) when processing a certificate with a public key too small to encrypt the "Master Secret" or when handling invalid parameters while negotiating an SSLv2 session, which could be exploited by attackers to crash a vulnerable application or execute arbitrary commands.
The eighth vulnerability is due to a memory corruption error when handling "onUnload" events and self-modifying "document.write()" calls, which could be exploited by attackers to crash a vulnerable application or execute arbitrary commands.
Other issues have also been fixed. For additional information, see: FrSIRT/ADV-2006-4662, FrSIRT/ADV-2007-0032, FrSIRT/ADV-2007-0624
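The third flaw depends on the browser being left to guess the encoding of a page that carries user content, so the site-side check is whether every HTML response declares one explicitly. The following is an added example, not part of the advisory: the function names and sample responses are constructed, the 1024-byte `<meta>` scan window follows the HTML standard's prescan limit, and preferring the HTTP header over in-document declarations is a policy assumption of this example.

```python
import re

# Matches charset=... in a Content-Type header value or inside a <meta> tag.
_CHARSET_RE = re.compile(rb"charset\s*=\s*[\"']?\s*([A-Za-z0-9._:-]+)", re.I)
_META_RE = re.compile(rb"<meta\b[^>]*>", re.I)
_BOMS = ((b"\xef\xbb\xbf", "utf-8"), (b"\xff\xfe", "utf-16le"), (b"\xfe\xff", "utf-16be"))


def declared_charset(headers, body):
    """Return (source, charset) for the first explicit declaration, else None."""
    for name, value in headers.items():
        if name.lower() == "content-type":
            m = _CHARSET_RE.search(value.encode("latin-1", "replace"))
            if m:
                return ("header", m.group(1).decode("ascii").lower())
    for bom, name in _BOMS:
        if body.startswith(bom):
            return ("bom", name)
    # Only the start of the document is scanned for a <meta> declaration.
    for tag in _META_RE.findall(body[:1024]):
        m = _CHARSET_RE.search(tag)
        if m:
            return ("meta", m.group(1).decode("ascii").lower())
    return None


def audit(headers, body):
    """Flag HTML responses whose encoding is left for the browser to guess."""
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    if ctype and not ctype.lower().lstrip().startswith(("text/html", "application/xhtml+xml")):
        return "skip: not HTML"
    found = declared_charset(headers, body)
    if found is None:
        return "FAIL: no charset declared"
    if found[0] != "header":  # assumed policy: the HTTP header should carry it
        return "WARN: charset only in %s (%s)" % found
    return "ok: %s" % found[1]

# Constructed sample responses (not taken from the advisory).
SAMPLES = [
    ({"Content-Type": "text/html"}, b"<html><body>user comment here</body></html>"),
    ({"Content-Type": "text/html"}, b'<html><head><meta charset="utf-8"></head></html>'),
    ({"Content-Type": "text/html; charset=UTF-8"}, b"<html></html>"),
    ({"Content-Type": "image/png"}, b"\x89PNG"),
]

if __name__ == "__main__":
    for sample_headers, sample_body in SAMPLES:
        print(audit(sample_headers, sample_body))
```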
Credits
Vulnerabilities reported by Jesse Ruderman, Martijn Wargers, Olli Pettay, Tom Ferris, Brian Crowder, Igor Bukanov, Johnny Stenback, moz_bug_r_a4, shutdown, Stefan Esser, Stefano Di Paola, Aad, David Eckel, Michal Zalewski, regenrecht and iDefense Labs.
ChangeLog
2007-02-24 : Initial release
2007-02-25 : Updated References