Guardian_Tenshi
Firefox not as secure as we like to think?
« on: April 18, 2006, 10:49:36 AM »

Thanks, Sylvia!


Mozilla Products Contain Multiple Vulnerabilities


FYI.

Sylvia

Originally sent from:
Jason Richardson
Manager, Security Systems
Enterprise Systems Support
Northern Illinois University

>>> CERT Advisory <cert-advisory@cert.org> 04/17/06 2:40 PM >>>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



                        National Cyber Alert System

                Technical Cyber Security Alert TA06-107A


Mozilla Products Contain Multiple Vulnerabilities

  Original release date: April 17, 2006
  Last revised: --
  Source: US-CERT


Systems Affected

    * Mozilla web browser, email and newsgroup client
    * Mozilla SeaMonkey
    * Firefox web browser
    * Thunderbird email client
    * Mozilla Suite

  Any products based on Mozilla components, particularly Gecko, may
  also be affected.


Overview

  The Mozilla web browser and derived products contain several
  vulnerabilities, the most serious of which could allow a remote
  attacker to execute arbitrary code on an affected system.


I. Description

  Several vulnerabilities have been reported in the Mozilla web
  browser and derived products. More detailed information is available
  in the individual vulnerability notes, including:

  VU#932734 - Mozilla crypto.generateCRMFRequest() vulnerability

  A vulnerability exists in the Mozilla JavaScript routine
  generateCRMFRequest() that may allow a remote attacker to execute
  arbitrary code.
  (CVE-2006-1728)

  VU#968814 - Mozilla JavaScript security bypass vulnerability

  Mozilla products fail to properly enforce security restrictions in
  JavaScript. This vulnerability may allow a remote, unauthenticated
  attacker to execute arbitrary code.
  (CVE-2006-1726)

  VU#179014 - Mozilla CSS integer overflow vulnerability

  Mozilla products contain an integer overflow that could allow a
  remote, unauthenticated attacker to execute arbitrary code.
  (CVE-2006-1730)

  VU#488774 - Mozilla XBL binding vulnerability

  Mozilla products fail to properly restrict access to privileged XBL
  bindings. This vulnerability may allow a remote, unauthenticated
  attacker to execute arbitrary code.
  (CVE-2006-1733)

  VU#842094 - Mozilla JavaScript cloned parent vulnerability

  Mozilla products fail to properly restrict access to a JavaScript
  function's cloned parent. This vulnerability may allow a remote
  attacker to execute arbitrary code on a vulnerable system.
  (CVE-2006-1734)

  VU#813230 - Mozilla products vulnerable to privilege escalation via
  XBL.method.eval

  A vulnerability in the way Mozilla products and derivative programs
  handle certain XBL methods could allow a remote attacker to execute
  arbitrary code on a vulnerable system.
  (CVE-2006-1735)

  VU#736934 - Mozilla products vulnerable to memory corruption via a
  particular sequence of HTML tags

  A vulnerability in the way Mozilla products and derivative programs
  handle certain HTML tags could allow a remote attacker to execute
  arbitrary code on a vulnerable system.
  (CVE-2006-0749)

  VU#935556 - Mozilla products may allow CSS border-rendering code to
  write past the end of an array

  A vulnerability in the way Mozilla products and derivative programs
  handle certain CSS methods could allow a remote attacker to crash
  the application or execute arbitrary code on a vulnerable system.
  (CVE-2006-1739)

  VU#350262 - Mozilla DHTML memory corruption vulnerabilities

  Mozilla products contain multiple, unspecified vulnerabilities in
  the way they handle DHTML. These vulnerabilities may allow a remote
  attacker to execute arbitrary code or cause a denial-of-service
  condition.
  (CVE-2006-1724)

  VU#252324 - Mozilla display style vulnerability

  Mozilla products contain an unspecified vulnerability in the way
  they handle display styles. This vulnerability may allow a remote
  attacker to execute arbitrary code or cause a denial-of-service
  condition.

  VU#329500 - Mozilla products vulnerable to memory corruption via
  large regular expression in JavaScript

  A vulnerability in the way the JavaScript engine of Mozilla products
  and derivative programs handles a large regular expression could
  allow a remote attacker to crash the application or execute
  arbitrary code on a vulnerable system.


II. Impact

  The most severe impact of these vulnerabilities could allow a
  remote attacker to execute arbitrary code with the privileges of the
  user running the affected application. Other effects include a
  denial of service or local information disclosure.


III. Solution

Upgrade

  Upgrade to Mozilla Firefox 1.5.0.2, Mozilla Thunderbird 1.5.0.2, or
  SeaMonkey 1.0.1. According to Mozilla.org, Thunderbird 1.5.0.2 is
  to be released on April 18, 2006.

  Users are strongly encouraged to apply the workarounds described in
  the individual vulnerability notes until updates can be applied.


Appendix A. References

    * Mozilla Foundation Security Advisories -
      <http://www.mozilla.org/security/announce/>

    * Mozilla Foundation Security Advisories -
      <http://www.mozilla.org/projects/security/known-vulnerabilities.html>

    * US-CERT Vulnerability Note VU#932734 -
      <http://www.kb.cert.org/vuls/id/932734>

    * US-CERT Vulnerability Note VU#968814 -
      <http://www.kb.cert.org/vuls/id/968814>

    * US-CERT Vulnerability Note VU#179014 -
      <http://www.kb.cert.org/vuls/id/179014>

    * US-CERT Vulnerability Note VU#488774 -
      <http://www.kb.cert.org/vuls/id/488774>

    * US-CERT Vulnerability Note VU#842094 -
      <http://www.kb.cert.org/vuls/id/842094>

    * US-CERT Vulnerability Note VU#813230 -
      <http://www.kb.cert.org/vuls/id/813230>

    * US-CERT Vulnerability Note VU#736934 -
      <http://www.kb.cert.org/vuls/id/736934>

    * US-CERT Vulnerability Note VU#935556 -
      <http://www.kb.cert.org/vuls/id/935556>

    * US-CERT Vulnerability Note VU#350262 -
      <http://www.kb.cert.org/vuls/id/350262>

    * US-CERT Vulnerability Note VU#252324 -
      <http://www.kb.cert.org/vuls/id/252324>

    * US-CERT Vulnerability Note VU#329500 -
      <http://www.kb.cert.org/vuls/id/329500>

    * US-CERT Vulnerability Notes Related to April Mozilla Security
      Advisories -
      <http://www.kb.cert.org/vuls/byid?searchview&query=mozilla_April_2006>

    * CVE-2006-1726 -
      <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1726>

    * CVE-2006-1728 -
      <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1728>

    * CVE-2006-1730 -
      <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1730>

    * CVE-2006-1733 -
      <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1733>

    * CVE-2006-1734 -
      <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1734>

    * CVE-2006-1735 -
      <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1735>

    * CVE-2006-0749 -
      <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0749>

    * CVE-2006-1739 -
      <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1739>

    * CVE-2006-1724 -
      <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1724>

    * Firefox - Rediscover the Web -
      <http://www.mozilla.com/firefox/>

    * Thunderbird - Reclaim your inbox -
      <http://www.mozilla.com/thunderbird/>

    * The SeaMonkey Project -
      <http://www.mozilla.org/projects/seamonkey/>

    * Mozilla Suite - The All-in-One Internet Application Suite -
      <http://www.mozilla.org/products/mozilla1.x/>

    * Securing Your Web Browser -
      <http://www.us-cert.gov/reading_room/securing_browser/browser_security.html#Mozilla_Firefox>


____________________________________________________________________

  The most recent version of this document can be found at:

    <http://www.us-cert.gov/cas/techalerts/TA06-107A.html>
____________________________________________________________________

  Feedback can be directed to US-CERT Technical Staff. Please send
  email to <cert@cert.org> with "TA06-107A Feedback VU#968814" in the
  subject.
____________________________________________________________________

  For instructions on subscribing to or unsubscribing from this
  mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________

  Produced 2006 by US-CERT, a government organization.

  Terms of use:

    <http://www.us-cert.gov/legal.html>
____________________________________________________________________


Sylvia Gorman
Associate Director
Enterprise Systems Support
Northern Illinois University
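
Added example (not part of the original post or the US-CERT alert): a small inventory check against the fixed versions named in the alert's Solution section, using numeric comparison so that "1.5.0.10" is not treated as older than "1.5.0.2". The inventory rows, hostnames and function names are constructed for illustration.

```python
# Fixed versions exactly as given in the alert's "Solution" section.
FIXED = {"firefox": "1.5.0.2", "thunderbird": "1.5.0.2", "seamonkey": "1.0.1"}

def parse_version(text):
    """Turn '1.5.0.2' into (1, 5, 0, 2); reject anything non-numeric."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError("unparseable version: %r" % text)
    return tuple(int(p) for p in parts)

def is_older(installed, fixed):
    """Numeric, zero-padded compare: '1.5' < '1.5.0.2' < '1.5.0.10'."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b

def audit(inventory):
    """Return (host, product, version, status) for every inventory row."""
    findings = []
    for host, product, version in inventory:
        fixed = FIXED.get(product.lower())
        if fixed is None:
            # Listed as affected (e.g. Mozilla Suite) but no fixed version given.
            status = "REVIEW: no fixed version listed in the alert"
        else:
            try:
                if is_older(version, fixed):
                    status = "VULNERABLE: upgrade to " + fixed
                else:
                    status = "OK"
            except ValueError:
                status = "REVIEW: version string not recognised"
        findings.append((host, product, version, status))
    return findings

# Constructed sample inventory; hosts and installed versions are made up.
SAMPLE = [
    ("ws-01", "Firefox", "1.5.0.1"),
    ("ws-02", "Firefox", "1.5.0.10"),
    ("ws-03", "Thunderbird", "1.5"),
    ("ws-04", "SeaMonkey", "1.0.1"),
    ("ws-05", "Mozilla Suite", "1.7.12"),
    ("ws-06", "Firefox", "1.5.0.2 beta"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print("%-6s %-14s %-13s %s" % row)
```
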

Porter
Re:Firefox not as secure as we like to think?
« Reply #1 on: April 20, 2006, 02:42:33 PM »

I don't think anybody ever claimed that Firefox was perfect, but it's a hell of a lot better than IE if for no other reason than the lack of ActiveX support. Plus, the Mozilla team *tend to* do a better job at patching their software in a timely manner than MS does theirs.
« Last Edit: April 21, 2006, 09:40:36 PM by Porter »

[Wumpa] Porter
  --Silent, professional, lethal... sometimes.
Terraji
Re:Firefox not as secure as we like to think?
« Reply #2 on: April 20, 2006, 05:45:07 PM »

I'm not exactly worried.

Of course bad things *can* happen with Firefox since it does execute downloaded scripts, but my faith in the open model for security is a lot higher.