Multiple vulnerabilities have been identified in Mozilla Firefox and SeaMonkey, which could be exploited by attackers to bypass security restrictions, disclose sensitive information, cause a denial of service or take complete control of an affected system.
The first issue is caused by memory corruption errors in the browser and JavaScript engines when parsing malformed data, which could be exploited by attackers to crash a vulnerable application or execute arbitrary code.
The second weakness is caused by an error related to focus shifting in file input controls, which could be exploited to force a user to upload arbitrary files.
The third vulnerability is caused by errors when processing JavaScript, which could be exploited by malicious web sites to execute arbitrary code or conduct cross-domain scripting attacks.
The fourth weakness is caused by an input validation error when saving passwords in the password store, which could be exploited by malicious web sites to inject newlines into Firefox's password store and corrupt saved passwords for other sites.
The fifth vulnerability is caused by an input validation error when handling "chrome:" URIs, which could be exploited by attackers to load JavaScript, images, and stylesheets from local files in known locations. For additional information, see : FrSIRT/ADV-2008-0263
The sixth vulnerability is caused by an error in the way images are handled by the browser when a user leaves a page which utilizes designMode frames, which could be exploited by attackers to steal a user's navigation history, forward navigation information, crash a vulnerable browser or execute arbitrary code.
The seventh issue is caused by an error when displaying timer-enabled security dialogs, which could be exploited by attackers to trick a user into confirming a security dialog by bringing the dialog back into focus right before a user clicked in a predictable time and place.
The eighth weakness is caused by an error when saving files with "Content-Disposition: attachment" and improper "Content-Type: plain/text", which could cause the browser to no longer open local files with "txt" extensions for viewing, but would rather prompt the user to save the file.
The ninth vulnerability is caused by an error when handling the "href" property of stylesheet DOM nodes, which could potentially be exploited to reveal sensitive URL parameters.
The tenth issue is caused by an error when displaying page contents enclosed in a "div" tag with absolute positioning, which could be exploited to cause the browser to not display a web forgery warning dialog.
The eleventh vulnerbility is caused by an error in the BMP decoder when handling methods associated with the "canvas" feature, which could be exploited by attackers to reveal small chunks of uninitialized memory that might contain sensitive data from other pages or other programs.
The twelfth issue is caused by a buffer overflow error in SeaMonkey when handling email messages with an external MIME body, which could be exploited to crash an affected application or execute arbitrary code.
Credits
Vulnerabilities reported by Jesse Ruderman, Kai Engert, Martijn Wargers, Mats Palmgren, Paul Nickerson, Carsten Book, Wesley Garland, Igor Bukanov, moz_bug_r_a4, shutdown, Philip Taylor, tgirmann, hong, Gregory Fleischer, Boris Zbarsky, Justin Dolske, Gerry Eisenhaur, David Bloom, Michal Zalewski, oo.rio.oo, Martin Straka, Emil Ljungdahl, Lars-Olof Moilanen, Gynvael Coldwind, regenrecht and iDefense Labs.
ChangeLog
2008-02-08 : Initial release
2008-02-20 : Updated Advisory
2008-02-27 : Updated Description
Vulnerability Management
Subscribe to FrSIRT VNS and receive real-time e-mail and SMS alerts when new vulnerabilities, exploits, or patches relevant to your systems and network configurations are available.
Feedback
If you have additional information or corrections for this security advisory please submit them via our contact form or by email to updates@frsirt.com.
French
