Multiple Vulnerabilities in Mozilla Products
Mozilla software, including the following, is affected:
- Mozilla web browser, email and newsgroup client
- Mozilla SeaMonkey
- Firefox web browser
- Thunderbird email client
Several vulnerabilities exist in the Mozilla web browser and derived products, the most serious of which could allow a remote attacker to execute arbitrary code on an affected system.
Several vulnerabilities have been reported in the Mozilla web browser and derived products. More detailed information is available in the individual vulnerability notes, including:
VU#592425 - Mozilla-based products fail to validate user input to the attribute name in "XULDocument.persist"
VU#759273 - Mozilla QueryInterface memory corruption vulnerability
Mozilla Firefox web browser and Thunderbird mail client contain a memory corruption vulnerability that may allow a remote attacker to execute arbitrary code.
The most severe impact of these vulnerabilities could allow a remote attacker to execute arbitrary code with the privileges of the user running the affected application. Other impacts include a denial of service or local information disclosure.
UpgradeUpgrade to Mozilla Firefox 188.8.131.52 or SeaMonkey 1.0.
Appendix A. References
- Mozilla Foundation Security Advisories - http://www.mozilla.org/security/announce/
- Mozilla Foundation Security Advisories - http://www.mozilla.org/projects/security/known-vulnerabilities.html
- US-CERT Vulnerability Note VU#592425 - http://www.kb.cert.org/vuls/id/592425
- US-CERT Vulnerability Note VU#759273 - http://www.kb.cert.org/vuls/id/759273
- US-CERT Vulnerability Notes Related to February Mozilla Security Advisories - http://www.kb.cert.org/vuls/byid?searchview&query=mozilla_feb_2006
- CVE-2006-0296 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0296
- CVE-2006-0295 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0295
- Firefox - Rediscover the Web - http://www.mozilla.com/firefox/
- The SeaMonkey Project - http://www.mozilla.org/projects/seamonkey/
Feedback can be directed to the US-CERT Technical Staff
February 7, 2006: Initial release