U.S. Flag Official website of the Department of Homeland Security

Note: This page is part of the us-cert.gov archive.This document is part of the US-CERT website archive. These documents are no longer updated and may contain outdated information. Links may also no longer function. Please contact info@us-cert.gov if you have any questions about the US-CERT website archive.

TLP:WHITE

Alert (TA06-153A)

Mozilla Products Contain Multiple Vulnerabilities

Original release date: June 02, 2006

Systems Affected

  • Mozilla SeaMonkey
  • Firefox web browser
  • Thunderbird email client
Any products based on Mozilla components, particularly Gecko, may also be affected.

Overview

The Mozilla web browser and derived products contain several vulnerabilities, the most serious of which could allow a remote attacker to execute arbitrary code on an affected system.

Description

Several vulnerabilities have been reported in the Mozilla web browser and derived products. More detailed information is available in the individual vulnerability notes, including:

VU#237257 - Mozilla privilege escalation using addSelectionListener

A privilege escalation vulnerability exists in the Mozilla addSelectionListener method. This may allow a remote attacker to execute arbitrary code.

VU#421529 - Mozilla contains a buffer overflow vulnerability in crypto.signText()

Mozilla products contain a buffer overflow in the crypto.signText() method. This may allow a remote attacker to execute arbitrary code.

VU#575969 - Mozilla may process content-defined setters on object prototypes with elevated privileges

Mozilla allows content-defined setters on object prototypes to execute with elevated privileges. This may allow a remote attacker to execute arbitrary code.

VU#243153 - Mozilla may associate persisted XUL attributes with an incorrect URL

Mozilla can allow persisted XUL attributes to associate with the wrong URL. This may allow a remote attacker to execute arbitrary code.

VU#466673 - Mozilla contains multiple memory corruption vulnerabilities

Mozilla contains several memory corruption vulnerabilities. This may allow a remote attacker to execute arbitrary code.

Impact

The most severe impact of these vulnerabilities could allow a remote attacker to execute arbitrary code with the privileges of the user running the affected application. Other effects include a denial of service or local information disclosure.

Solution

Upgrade

Upgrade to Mozilla Firefox 1.5.0.4, Mozilla Thunderbird 1.5.0.4, or SeaMonkey 1.0.2.

Disable JavaScript

These vulnerabilities can be mitigated by disabling JavaScript.

Appendix A. References


Feedback can be directed to the US-CERT Technical Staff

Produced by US-CERT, a government organization. Terms of use

Revision History

  • June 2, 2006: Initial release

    Last updated

This product is provided subject to this Notification and this Privacy & Use policy.

Was this document helpful?  Yes  |  Somewhat  |  No

Back to Top