



Firefox 3.6.9 Security Update

Report ID: SA201006507
Source: F-Secure
Date of Discovery: 08.09.2010
Criticality: Critical
Affects:
Firefox
Thunderbird
SeaMonkey

Compromise From: From remote
Compromise Type: Cross site scripting
Remote code execution
DoS
Exposure of system information

Summary

The Firefox 3.6.9 security update addresses multiple vulnerabilities that could lead to application crashes, cross-site scripting attacks and remote code execution.

Detailed Description

Mozilla has released the Firefox 3.6.9 security update to resolve multiple vulnerabilities and issues reported in the previous version of the product. The reported vulnerabilities and issues are as follows:

  • Memory safety bugs in the browser engine could cause memory corruption, leading to arbitrary code execution. 
  • An integer overflow vulnerability in the HTML frameset element could result in a heap buffer overflow and attacker-controlled memory execution.
  • A dangling pointer vulnerability in navigator.plugins could be exploited to crash the browser and run arbitrary code.
  • A Windows XP DLL loading vulnerability could load a malicious code library that has been planted on a victim's computer, and execute the malicious code. 
  • A heap buffer overflow in nsTextFrameUtils::TransformText could result in a buffer overflow and attacker-controlled memory execution.
  • A dangling pointer vulnerability in nsTreeSelection could free and reuse pointers held by a XUL tree selection, resulting in attacker-controlled memory execution.
  • XUL <tree> objects could be manipulated to access deleted memory, causing a browser to crash and allowing an attacker to run arbitrary code.
  • A dangling pointer vulnerability in nsTreeContentView could be manipulated to access deleted memory, and potentially allow an attacker to execute code after controlling the contents of deleted memory. 
  • Normalization code used to address a document's logical flaw could be leveraged to execute attacker-controlled memory.
  • A specially crafted font could cause a crash on Mac systems, and possibly allow an attacker to execute code.
  • A security wrapper class, SJOW, could create scope chains ending in an outer object, leading to JavaScript execution with chrome privileges.
  • The <object> type attribute could override a framed HTML document's charset and set it to UTF-7, leading to a cross-site scripting attack.
  • Copy-and-paste or drag-and-drop into a designMode document could lead to a cross-site scripting attack.
  • The status text of an XMLHttpRequest could be read by the requestor, revealing information about servers on internal private networks.

Solution

Update to Firefox 3.6.9, Firefox 3.5.12, Thunderbird 3.1.3, Thunderbird 3.0.7 or SeaMonkey 2.0.7.

Original Reference

CVE Reference

CVE-2010-2760
CVE-2010-2762
CVE-2010-2764
CVE-2010-2765
CVE-2010-2766
CVE-2010-2767
CVE-2010-2768
CVE-2010-2769
CVE-2010-2770
CVE-2010-3131
CVE-2010-3166
CVE-2010-3167
CVE-2010-3168
CVE-2010-3169