The Mozilla product set has been updated. Please patch accordingly.
INFORMATION SHARING AND ANALYSIS CENTER CYBER SECURITY
Vulnerabilities in Mozilla Products Could Allow Remote Code
vulnerabilities have been discovered in the Mozilla Firefox, Mozilla Thunderbird
and Mozilla SeaMonkey applications which could allow remote code execution.
Mozilla Firefox is a web browser used to access the Internet. Mozilla
Thunderbird is an email client. Mozilla SeaMonkey is a cross platform Internet
suite of tools ranging from a web browser to an email client.
vulnerabilities may be exploited if a user visits, or is redirected to a web
page or opens a malicious file that is specifically designed to take advantage
of these vulnerabilities. Successful exploitation of these vulnerabilities will
result in either an attacker gaining the same privileges as the logged on user,
or gaining session authentication credentials. Depending on the privileges
associated with the user, an attacker could install programs; view, change, or
delete data; or create new accounts with full user rights. Failed exploit
attempts may result in a denial-of-service condition.
Firefox 3.5.0 – 3.5.12
Firefox 3.6 – 3.6.10
Sea Monkey 2.0 – 2.0.7
Thunderbird 3.0 – 3.0.7
Thunderbird 3.1.1 – 3.1.4
and medium government entities: High
government entities: High
and medium business entities: High
business entities: High
vulnerabilities have been discovered in Mozilla Firefox, Mozilla Thunderbird,
and Mozilla SeaMonkey. Details of these vulnerabilities are as
Miscellaneous memory safety
hazards (MFSA 2010-64)
vulnerabilities have been identified in the browser engine.
Buffer overflow and memory
corruption using document.write (MFSA 2010-65)
vulnerability has been identified as a result of an excessively long string that
is passed to ‘document.write’.
Use-after-free error in nsBarProp
A use-after-free error affects the
‘locationbar’ property of a closed window object.
Dangling pointer vulnerability in
LookupGetterOrSetter (MFSA 2010-67)
A dangling pointer
issue affects the ‘LookupGetterOrSetter()’ function of ‘js3250.dll’ when called
with no arguments
XSS in gopher parser when parsing
hrefs (MFSA 2010-68)
A cross-site scripting
vulnerability has been identified in Mozilla Firefox and SeaMonkey in the Gopher
parser when processing ‘hrefs’.
Cross-site information disclosure
via modal calls (MFSA 2010-69)
information disclosure vulnerability has been reported that affects multiple
Mozilla products which affects ‘modal’ calls.
SSL wildcard certificate matching
IP addresses (MFSA 2010-70)
It has been reported that
if an SSL certificate is created with a common name containing a wildcard
followed by a partial IP address that a valid SSL connection could be
established with a server whose IP address matched the wildcard
library loading vulnerabilities (MFSA
Multiple Mozilla products have been reported
as unsafely loading external libraries from the current working directory. An
attacker can take advantage of this vulnerability by placing a malicious DLL in
the current working directory
Insecure Diffie-Hellman key
exchange (MFSA 2010-72)
A vulnerability has been
identified in the SSL implementation when using the Diffie-Hellman Ephermal mode
Successful exploitation of these vulnerabilities will result in
either an attacker gaining the same privileges as the logged on user, or gaining
session authentication credentials. Depending on the privileges associated with
the user, an attacker could install programs; view, change, or delete data; or
create new accounts with full user rights. Failed exploit attempts may result in
a denial-of-service condition.
recommend the following actions be taken:
Mozilla products as needed immediately after appropriate
users not to open e-mail attachments from unknown users or suspicious e-mails
from un-trusted sources.
all software as a non-privileged user (one without administrative privileges) to
diminish the effects of a successful attack.
users not to visit un-trusted websites or follow links provided by unknown or