ID CVE-2010-3183
Summary The LookupGetterOrSetter function in js3250.dll in Mozilla Firefox before 3.5.14 and 3.6.x before 3.6.11, Thunderbird before 3.0.9 and 3.1.x before 3.1.5, and SeaMonkey before 2.0.9 does not properly support window.__lookupGetter__ function calls that lack arguments, which allows remote attackers to execute arbitrary code or cause a denial of service (incorrect pointer dereference and application crash) via vectors involving a "dangling pointer" and the JS_ValueToId function.
References
Vulnerable Configurations
  • Mozilla Firefox 3.6.2
    cpe:2.3:a:mozilla:firefox:3.6.2
  • Mozilla Firefox 3.6.3
    cpe:2.3:a:mozilla:firefox:3.6.3
  • Mozilla Firefox 3.6.4
    cpe:2.3:a:mozilla:firefox:3.6.4
  • Mozilla Firefox 3.6.6
    cpe:2.3:a:mozilla:firefox:3.6.6
  • Mozilla Firefox 3.6.7
    cpe:2.3:a:mozilla:firefox:3.6.7
  • Mozilla Firefox 3.6
    cpe:2.3:a:mozilla:firefox:3.6
  • Mozilla Firefox 3.6.8
    cpe:2.3:a:mozilla:firefox:3.6.8
  • Mozilla Firefox 3.6.10
    cpe:2.3:a:mozilla:firefox:3.6.10
  • Mozilla Firefox 3.6.9
    cpe:2.3:a:mozilla:firefox:3.6.9
  • Mozilla SeaMonkey 1.0
    cpe:2.3:a:mozilla:seamonkey:1.0
  • Mozilla SeaMonkey 1.0.1
    cpe:2.3:a:mozilla:seamonkey:1.0.1
  • Mozilla SeaMonkey 1.0.2
    cpe:2.3:a:mozilla:seamonkey:1.0.2
  • Mozilla SeaMonkey 1.0.3
    cpe:2.3:a:mozilla:seamonkey:1.0.3
  • Mozilla SeaMonkey 1.0.4
    cpe:2.3:a:mozilla:seamonkey:1.0.4
  • Mozilla SeaMonkey 1.0.5
    cpe:2.3:a:mozilla:seamonkey:1.0.5
  • Mozilla SeaMonkey 1.0.6
    cpe:2.3:a:mozilla:seamonkey:1.0.6
  • Mozilla SeaMonkey 1.0.7
    cpe:2.3:a:mozilla:seamonkey:1.0.7
  • Mozilla SeaMonkey 1.0.8
    cpe:2.3:a:mozilla:seamonkey:1.0.8
  • Mozilla SeaMonkey 1.0.9
    cpe:2.3:a:mozilla:seamonkey:1.0.9
  • Mozilla SeaMonkey 1.1
    cpe:2.3:a:mozilla:seamonkey:1.1
  • Mozilla Seamonkey 1.1.1
    cpe:2.3:a:mozilla:seamonkey:1.1.1
  • Mozilla SeaMonkey 1.1.10
    cpe:2.3:a:mozilla:seamonkey:1.1.10
  • Mozilla SeaMonkey 1.0 alpha
    cpe:2.3:a:mozilla:seamonkey:1.0:alpha
  • Mozilla SeaMonkey 1.0 beta
    cpe:2.3:a:mozilla:seamonkey:1.0:beta
  • Mozilla SeaMonkey 1.1.11
    cpe:2.3:a:mozilla:seamonkey:1.1.11
  • Mozilla SeaMonkey 1.1.12
    cpe:2.3:a:mozilla:seamonkey:1.1.12
  • Mozilla SeaMonkey 1.1.13
    cpe:2.3:a:mozilla:seamonkey:1.1.13
  • Mozilla SeaMonkey 1.1.14
    cpe:2.3:a:mozilla:seamonkey:1.1.14
  • Mozilla SeaMonkey 1.1.15
    cpe:2.3:a:mozilla:seamonkey:1.1.15
  • Mozilla SeaMonkey 1.1.16
    cpe:2.3:a:mozilla:seamonkey:1.1.16
  • Mozilla SeaMonkey 1.1.17
    cpe:2.3:a:mozilla:seamonkey:1.1.17
  • Mozilla Seamonkey 1.1.18
    cpe:2.3:a:mozilla:seamonkey:1.1.18
  • Mozilla Seamonkey 1.1.19
    cpe:2.3:a:mozilla:seamonkey:1.1.19
  • Mozilla Seamonkey 1.1.2
    cpe:2.3:a:mozilla:seamonkey:1.1.2
  • Mozilla Seamonkey 1.1.3
    cpe:2.3:a:mozilla:seamonkey:1.1.3
  • Mozilla Seamonkey 1.1.4
    cpe:2.3:a:mozilla:seamonkey:1.1.4
  • Mozilla Seamonkey 1.1.5
    cpe:2.3:a:mozilla:seamonkey:1.1.5
  • Mozilla Seamonkey 1.1.6
    cpe:2.3:a:mozilla:seamonkey:1.1.6
  • Mozilla Seamonkey 1.1.7
    cpe:2.3:a:mozilla:seamonkey:1.1.7
  • Mozilla SeaMonkey 1.1.8
    cpe:2.3:a:mozilla:seamonkey:1.1.8
  • Mozilla SeaMonkey 1.1.9
    cpe:2.3:a:mozilla:seamonkey:1.1.9
  • Mozilla SeaMonkey 1.1 alpha
    cpe:2.3:a:mozilla:seamonkey:1.1:alpha
  • Mozilla SeaMonkey 1.1 beta
    cpe:2.3:a:mozilla:seamonkey:1.1:beta
  • Mozilla SeaMonkey 1.5.0.10
    cpe:2.3:a:mozilla:seamonkey:1.5.0.10
  • Mozilla SeaMonkey 1.5.0.8
    cpe:2.3:a:mozilla:seamonkey:1.5.0.8
  • Mozilla SeaMonkey 1.5.0.9
    cpe:2.3:a:mozilla:seamonkey:1.5.0.9
  • Mozilla SeaMonkey 2.0
    cpe:2.3:a:mozilla:seamonkey:2.0
  • Mozilla SeaMonkey 2.0.1
    cpe:2.3:a:mozilla:seamonkey:2.0.1
  • Mozilla SeaMonkey 2.0.2
    cpe:2.3:a:mozilla:seamonkey:2.0.2
  • Mozilla SeaMonkey 2.0.3
    cpe:2.3:a:mozilla:seamonkey:2.0.3
  • Mozilla SeaMonkey 2.0.4
    cpe:2.3:a:mozilla:seamonkey:2.0.4
  • Mozilla SeaMonkey 2.0 Alpha 1
    cpe:2.3:a:mozilla:seamonkey:2.0:alpha_1
  • Mozilla SeaMonkey 2.0 Alpha 2
    cpe:2.3:a:mozilla:seamonkey:2.0:alpha_2
  • Mozilla SeaMonkey 2.0 Alpha 3
    cpe:2.3:a:mozilla:seamonkey:2.0:alpha_3
  • Mozilla SeaMonkey 2.0 Beta 1
    cpe:2.3:a:mozilla:seamonkey:2.0:beta_1
  • Mozilla SeaMonkey 2.0 Beta 2
    cpe:2.3:a:mozilla:seamonkey:2.0:beta_2
  • Mozilla SeaMonkey 2.0 RC1
    cpe:2.3:a:mozilla:seamonkey:2.0:rc1
  • Mozilla SeaMonkey 2.0 RC2
    cpe:2.3:a:mozilla:seamonkey:2.0:rc2
  • Mozilla SeaMonkey 2.0.5
    cpe:2.3:a:mozilla:seamonkey:2.0.5
  • Mozilla SeaMonkey 2.0.6
    cpe:2.3:a:mozilla:seamonkey:2.0.6
  • Mozilla SeaMonkey 2.0.7
    cpe:2.3:a:mozilla:seamonkey:2.0.7
  • Mozilla SeaMonkey 2.0.8
    cpe:2.3:a:mozilla:seamonkey:2.0.8
  • Mozilla Thunderbird 3.0.1
    cpe:2.3:a:mozilla:thunderbird:3.0.1
  • Mozilla Thunderbird 3.0.2
    cpe:2.3:a:mozilla:thunderbird:3.0.2
  • Mozilla Thunderbird 3.0.5
    cpe:2.3:a:mozilla:thunderbird:3.0.5
  • Mozilla Thunderbird 3.0.3
    cpe:2.3:a:mozilla:thunderbird:3.0.3
  • Mozilla Thunderbird 3.0.4
    cpe:2.3:a:mozilla:thunderbird:3.0.4
  • Mozilla Thunderbird 3.0
    cpe:2.3:a:mozilla:thunderbird:3.0
  • Mozilla Thunderbird 2.0.0.1
    cpe:2.3:a:mozilla:thunderbird:2.0.0.1
  • Mozilla Thunderbird 2.0.0.0
    cpe:2.3:a:mozilla:thunderbird:2.0.0.0
  • Mozilla Thunderbird 2.0.0.3
    cpe:2.3:a:mozilla:thunderbird:2.0.0.3
  • Mozilla Thunderbird 2.0.0.2
    cpe:2.3:a:mozilla:thunderbird:2.0.0.2
  • Mozilla Thunderbird 2.0.0.19
    cpe:2.3:a:mozilla:thunderbird:2.0.0.19
  • Mozilla Thunderbird 2.0.0.12
    cpe:2.3:a:mozilla:thunderbird:2.0.0.12
  • Mozilla Thunderbird 2.0.0.5
    cpe:2.3:a:mozilla:thunderbird:2.0.0.5
  • Mozilla Thunderbird 2.0.0.4
    cpe:2.3:a:mozilla:thunderbird:2.0.0.4
  • Mozilla Thunderbird 2.0.0.8
    cpe:2.3:a:mozilla:thunderbird:2.0.0.8
  • Mozilla Thunderbird 2.0.0.7
    cpe:2.3:a:mozilla:thunderbird:2.0.0.7
  • Mozilla Thunderbird 2.0
    cpe:2.3:a:mozilla:thunderbird:2.0
  • Mozilla Thunderbird 2.0.0.21
    cpe:2.3:a:mozilla:thunderbird:2.0.0.21
  • Mozilla Thunderbird 2.0.0.16
    cpe:2.3:a:mozilla:thunderbird:2.0.0.16
  • Mozilla Thunderbird 2.0.0.14
    cpe:2.3:a:mozilla:thunderbird:2.0.0.14
  • Mozilla Thunderbird 2.0.0.17
    cpe:2.3:a:mozilla:thunderbird:2.0.0.17
  • Mozilla Thunderbird 2.0.0.22
    cpe:2.3:a:mozilla:thunderbird:2.0.0.22
  • Mozilla Thunderbird 2.0.0.9
    cpe:2.3:a:mozilla:thunderbird:2.0.0.9
  • Mozilla Thunderbird 2.0.0.23
    cpe:2.3:a:mozilla:thunderbird:2.0.0.23
  • Mozilla Thunderbird 2.0.0.6
    cpe:2.3:a:mozilla:thunderbird:2.0.0.6
  • Mozilla Thunderbird 2.0.0.18
    cpe:2.3:a:mozilla:thunderbird:2.0.0.18
  • Mozilla Thunderbird 1.5.0.9
    cpe:2.3:a:mozilla:thunderbird:1.5.0.9
  • Mozilla Thunderbird 1.5.0.8
    cpe:2.3:a:mozilla:thunderbird:1.5.0.8
  • Mozilla Thunderbird 1.5.2
    cpe:2.3:a:mozilla:thunderbird:1.5.2
  • Mozilla Thunderbird 1.5.1
    cpe:2.3:a:mozilla:thunderbird:1.5.1
  • Mozilla Thunderbird 1.5
    cpe:2.3:a:mozilla:thunderbird:1.5
  • Mozilla Thunderbird 1.5.0.3
    cpe:2.3:a:mozilla:thunderbird:1.5.0.3
  • Mozilla Thunderbird 1.5.0.4
    cpe:2.3:a:mozilla:thunderbird:1.5.0.4
  • Mozilla Thunderbird 1.5.0.6
    cpe:2.3:a:mozilla:thunderbird:1.5.0.6
  • Mozilla Thunderbird 1.5.0.7
    cpe:2.3:a:mozilla:thunderbird:1.5.0.7
  • Mozilla Thunderbird 1.5.0.1
    cpe:2.3:a:mozilla:thunderbird:1.5.0.1
  • Mozilla Thunderbird 1.5.0.10
    cpe:2.3:a:mozilla:thunderbird:1.5.0.10
  • Mozilla Thunderbird 1.5.0.11
    cpe:2.3:a:mozilla:thunderbird:1.5.0.11
  • Mozilla Thunderbird 1.5.0.2
    cpe:2.3:a:mozilla:thunderbird:1.5.0.2
  • Mozilla Thunderbird 1.5.0.12
    cpe:2.3:a:mozilla:thunderbird:1.5.0.12
  • Mozilla Thunderbird 1.5.0.5
    cpe:2.3:a:mozilla:thunderbird:1.5.0.5
  • Mozilla Thunderbird 1.5.0.13
    cpe:2.3:a:mozilla:thunderbird:1.5.0.13
  • Mozilla Thunderbird 1.5.0.14
    cpe:2.3:a:mozilla:thunderbird:1.5.0.14
  • Mozilla Thunderbird 1.5 Beta 2
    cpe:2.3:a:mozilla:thunderbird:1.5:beta2
  • Mozilla Thunderbird 1.0.6
    cpe:2.3:a:mozilla:thunderbird:1.0.6
  • Mozilla Thunderbird 1.0.7
    cpe:2.3:a:mozilla:thunderbird:1.0.7
  • Mozilla Thunderbird 1.0.8
    cpe:2.3:a:mozilla:thunderbird:1.0.8
  • Mozilla Thunderbird 1.0.2
    cpe:2.3:a:mozilla:thunderbird:1.0.2
  • Mozilla Thunderbird 1.0.3
    cpe:2.3:a:mozilla:thunderbird:1.0.3
  • Mozilla Thunderbird 1.0.4
    cpe:2.3:a:mozilla:thunderbird:1.0.4
  • Mozilla Thunderbird 1.0.5
    cpe:2.3:a:mozilla:thunderbird:1.0.5
  • Mozilla Thunderbird 1.0
    cpe:2.3:a:mozilla:thunderbird:1.0
  • Mozilla Thunderbird 1.0.1
    cpe:2.3:a:mozilla:thunderbird:1.0.1
  • Mozilla Thunderbird 0.7.2
    cpe:2.3:a:mozilla:thunderbird:0.7.2
  • Mozilla Thunderbird 0.7.3
    cpe:2.3:a:mozilla:thunderbird:0.7.3
  • Mozilla Thunderbird 0.7
    cpe:2.3:a:mozilla:thunderbird:0.7
  • Mozilla Thunderbird 0.7.1
    cpe:2.3:a:mozilla:thunderbird:0.7.1
  • Mozilla Thunderbird 0.8
    cpe:2.3:a:mozilla:thunderbird:0.8
  • Mozilla Thunderbird 0.9
    cpe:2.3:a:mozilla:thunderbird:0.9
  • Mozilla Thunderbird 0.1
    cpe:2.3:a:mozilla:thunderbird:0.1
  • Mozilla Thunderbird 0.2
    cpe:2.3:a:mozilla:thunderbird:0.2
  • Mozilla Thunderbird 0.5
    cpe:2.3:a:mozilla:thunderbird:0.5
  • Mozilla Thunderbird 0.6
    cpe:2.3:a:mozilla:thunderbird:0.6
  • Mozilla Thunderbird 0.3
    cpe:2.3:a:mozilla:thunderbird:0.3
  • Mozilla Thunderbird 0.4
    cpe:2.3:a:mozilla:thunderbird:0.4
  • Mozilla Thunderbird 3.0.6
    cpe:2.3:a:mozilla:thunderbird:3.0.6
  • Mozilla Thunderbird 3.0.7
    cpe:2.3:a:mozilla:thunderbird:3.0.7
  • Mozilla Thunderbird 3.0.8
    cpe:2.3:a:mozilla:thunderbird:3.0.8
  • Mozilla Firefox 3.5.1
    cpe:2.3:a:mozilla:firefox:3.5.1
  • Mozilla Firefox 3.5.2
    cpe:2.3:a:mozilla:firefox:3.5.2
  • Mozilla Firefox 3.5.3
    cpe:2.3:a:mozilla:firefox:3.5.3
  • Mozilla Firefox 3.5.4
    cpe:2.3:a:mozilla:firefox:3.5.4
  • Mozilla Firefox 3.5.5
    cpe:2.3:a:mozilla:firefox:3.5.5
  • Mozilla Firefox 3.5.6
    cpe:2.3:a:mozilla:firefox:3.5.6
  • Mozilla Firefox 3.5.7
    cpe:2.3:a:mozilla:firefox:3.5.7
  • Mozilla Firefox 3.5.10
    cpe:2.3:a:mozilla:firefox:3.5.10
  • Mozilla Firefox 3.5.9
    cpe:2.3:a:mozilla:firefox:3.5.9
  • Mozilla Firefox 3.5.8
    cpe:2.3:a:mozilla:firefox:3.5.8
  • Mozilla Firefox 3.5
    cpe:2.3:a:mozilla:firefox:3.5
  • Mozilla Firefox 3.0.17
    cpe:2.3:a:mozilla:firefox:3.0.17
  • Mozilla Firefox 3.0.16
    cpe:2.3:a:mozilla:firefox:3.0.16
  • Mozilla Firefox 3.0.15
    cpe:2.3:a:mozilla:firefox:3.0.15
  • Mozilla Firefox 3.0.14
    cpe:2.3:a:mozilla:firefox:3.0.14
  • Mozilla Firefox 3.0.13
    cpe:2.3:a:mozilla:firefox:3.0.13
  • Mozilla Firefox 3.0.12
    cpe:2.3:a:mozilla:firefox:3.0.12
  • Mozilla Firefox 3.0.11
    cpe:2.3:a:mozilla:firefox:3.0.11
  • Mozilla Firefox 3.0.10
    cpe:2.3:a:mozilla:firefox:3.0.10
  • Mozilla Firefox 3.0.9
    cpe:2.3:a:mozilla:firefox:3.0.9
  • Mozilla Firefox 3.0.8
    cpe:2.3:a:mozilla:firefox:3.0.8
  • Mozilla Firefox 3.0.7
    cpe:2.3:a:mozilla:firefox:3.0.7
  • Mozilla Firefox 3.0.6
    cpe:2.3:a:mozilla:firefox:3.0.6
  • Mozilla Firefox 3.0.5
    cpe:2.3:a:mozilla:firefox:3.0.5
  • Mozilla Firefox 3.0.4
    cpe:2.3:a:mozilla:firefox:3.0.4
  • Mozilla Firefox 3.0.3
    cpe:2.3:a:mozilla:firefox:3.0.3
  • Mozilla Firefox 3.0.2
    cpe:2.3:a:mozilla:firefox:3.0.2
  • Mozilla Firefox 3.0.1
    cpe:2.3:a:mozilla:firefox:3.0.1
  • Mozilla Firefox 3.0
    cpe:2.3:a:mozilla:firefox:3.0
  • Mozilla Firefox 2.0.0.14
    cpe:2.3:a:mozilla:firefox:2.0.0.14
  • Mozilla Firefox 2.0.0.12
    cpe:2.3:a:mozilla:firefox:2.0.0.12
  • Mozilla Firefox 2.0.0.19
    cpe:2.3:a:mozilla:firefox:2.0.0.19
  • Mozilla Firefox 2.0.0.20
    cpe:2.3:a:mozilla:firefox:2.0.0.20
  • Mozilla Firefox 2.0.0.8
    cpe:2.3:a:mozilla:firefox:2.0.0.8
  • Mozilla Firefox 2.0.0.9
    cpe:2.3:a:mozilla:firefox:2.0.0.9
  • Mozilla Firefox 2.0.0.17
    cpe:2.3:a:mozilla:firefox:2.0.0.17
  • Mozilla Firefox 2.0.0.10
    cpe:2.3:a:mozilla:firefox:2.0.0.10
  • Mozilla Firefox 2.0.0.16
    cpe:2.3:a:mozilla:firefox:2.0.0.16
  • Mozilla Firefox 2.0.0.11
    cpe:2.3:a:mozilla:firefox:2.0.0.11
  • Mozilla Firefox 2.0.0.15
    cpe:2.3:a:mozilla:firefox:2.0.0.15
  • Mozilla Firefox 2.0.0.13
    cpe:2.3:a:mozilla:firefox:2.0.0.13
  • Mozilla Firefox 2.0.0.7
    cpe:2.3:a:mozilla:firefox:2.0.0.7
  • Mozilla Firefox 2.0
    cpe:2.3:a:mozilla:firefox:2.0
  • Mozilla Firefox 2.0.0.18
    cpe:2.3:a:mozilla:firefox:2.0.0.18
  • Mozilla Firefox 2.0.0.6
    cpe:2.3:a:mozilla:firefox:2.0.0.6
  • Mozilla Firefox 2.0.0.5
    cpe:2.3:a:mozilla:firefox:2.0.0.5
  • Mozilla Firefox 2.0.0.4
    cpe:2.3:a:mozilla:firefox:2.0.0.4
  • Mozilla Firefox 2.0.0.3
    cpe:2.3:a:mozilla:firefox:2.0.0.3
  • Mozilla Firefox 2.0.0.2
    cpe:2.3:a:mozilla:firefox:2.0.0.2
  • Mozilla Firefox 2.0.0.1
    cpe:2.3:a:mozilla:firefox:2.0.0.1
  • Mozilla Firefox 1.5
    cpe:2.3:a:mozilla:firefox:1.5
  • Mozilla Firefox 1.5.0.4
    cpe:2.3:a:mozilla:firefox:1.5.0.4
  • Mozilla Firefox 1.5.0.5
    cpe:2.3:a:mozilla:firefox:1.5.0.5
  • Mozilla Firefox 1.5.0.2
    cpe:2.3:a:mozilla:firefox:1.5.0.2
  • Mozilla Firefox 1.5.0.3
    cpe:2.3:a:mozilla:firefox:1.5.0.3
  • Mozilla Firefox 1.5.0.11
    cpe:2.3:a:mozilla:firefox:1.5.0.11
  • Mozilla Firefox 1.5.0.12
    cpe:2.3:a:mozilla:firefox:1.5.0.12
  • Mozilla Firefox 1.5.0.1
    cpe:2.3:a:mozilla:firefox:1.5.0.1
  • Mozilla Firefox 1.5 Beta 1
    cpe:2.3:a:mozilla:firefox:1.5:beta1
  • Mozilla Firefox 1.5.0.10
    cpe:2.3:a:mozilla:firefox:1.5.0.10
  • Mozilla Firefox 1.5.3
    cpe:2.3:a:mozilla:firefox:1.5.3
  • Mozilla Firefox 1.5.4
    cpe:2.3:a:mozilla:firefox:1.5.4
  • Mozilla Firefox 1.5.1
    cpe:2.3:a:mozilla:firefox:1.5.1
  • Mozilla Firefox 1.5.2
    cpe:2.3:a:mozilla:firefox:1.5.2
  • Mozilla Firefox 1.5.0.8
    cpe:2.3:a:mozilla:firefox:1.5.0.8
  • Mozilla Firefox 1.5.0.9
    cpe:2.3:a:mozilla:firefox:1.5.0.9
  • Mozilla Firefox 1.5.0.6
    cpe:2.3:a:mozilla:firefox:1.5.0.6
  • Mozilla Firefox 1.5.0.7
    cpe:2.3:a:mozilla:firefox:1.5.0.7
  • Mozilla Firefox 1.5 Beta 2
    cpe:2.3:a:mozilla:firefox:1.5:beta2
  • Mozilla Firefox 1.5.8
    cpe:2.3:a:mozilla:firefox:1.5.8
  • Mozilla Firefox 1.5.7
    cpe:2.3:a:mozilla:firefox:1.5.7
  • Mozilla Firefox 1.5.6
    cpe:2.3:a:mozilla:firefox:1.5.6
  • Mozilla Firefox 1.5.5
    cpe:2.3:a:mozilla:firefox:1.5.5
  • Mozilla Firefox 1.0.1
    cpe:2.3:a:mozilla:firefox:1.0.1
  • Mozilla Firefox 1.0
    cpe:2.3:a:mozilla:firefox:1.0
  • Mozilla Firefox 1.0.3
    cpe:2.3:a:mozilla:firefox:1.0.3
  • Mozilla Firefox 1.0.2
    cpe:2.3:a:mozilla:firefox:1.0.2
  • Mozilla Firefox 1.0.5
    cpe:2.3:a:mozilla:firefox:1.0.5
  • Mozilla Firefox 1.0.4
    cpe:2.3:a:mozilla:firefox:1.0.4
  • Mozilla Firefox 1.0.7
    cpe:2.3:a:mozilla:firefox:1.0.7
  • Mozilla Firefox 1.0.6
    cpe:2.3:a:mozilla:firefox:1.0.6
  • Mozilla Firefox 1.0.8
    cpe:2.3:a:mozilla:firefox:1.0.8
  • Mozilla Firefox 1.0 Preview Release
    cpe:2.3:a:mozilla:firefox:1.0:preview_release
  • Mozilla Firefox 3.5.11
    cpe:2.3:a:mozilla:firefox:3.5.11
  • Mozilla Firefox 3.5.13
    cpe:2.3:a:mozilla:firefox:3.5.13
  • Mozilla Firefox 3.5.12
    cpe:2.3:a:mozilla:firefox:3.5.12
  • Mozilla Thunderbird 3.1.2
    cpe:2.3:a:mozilla:thunderbird:3.1.2
  • Mozilla Thunderbird 3.1.3
    cpe:2.3:a:mozilla:thunderbird:3.1.3
  • Mozilla Thunderbird 3.1.4
    cpe:2.3:a:mozilla:thunderbird:3.1.4
  • Mozilla Thunderbird 3.1
    cpe:2.3:a:mozilla:thunderbird:3.1
  • Mozilla Thunderbird 3.1.1
    cpe:2.3:a:mozilla:thunderbird:3.1.1
CVSS
Base: 9.3 (as of 22-10-2010 - 10:30)
Impact:
Exploitability:
CWE CWE-119
CAPEC
  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
  • Overflow Binary Resource File
    An attack of this type exploits a buffer overflow vulnerability in the handling of binary resources. Binary resources may include music files like MP3, image files like JPEG files, and any other binary file. These attacks may pass unnoticed to the client machine through normal usage of files, such as a browser loading a seemingly innocent JPEG file. This can allow the attacker access to the execution stack and execute arbitrary code in the target process. This attack pattern is a variant of standard buffer overflow attacks using an unexpected vector (binary files) to wrap its attack and open up a new attack vector. The attacker is required to either directly serve the binary content to the victim, or place it in a locale like a MP3 sharing application, for the victim to download. The attacker then is notified upon the download or otherwise locates the vulnerability opened up by the buffer overflow.
  • Buffer Overflow via Symbolic Links
    This type of attack leverages the use of symbolic links to cause buffer overflows. An attacker can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.
  • Overflow Variables and Tags
    This type of attack leverages the use of tags or variables from a formatted configuration data to cause buffer overflow. The attacker crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow.
  • Buffer Overflow via Parameter Expansion
    In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.
  • Buffer Overflow in an API Call
    This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks. An attacker who has access to an API may try to embed malicious code in the API function call and exploit a buffer overflow vulnerability in the function's implementation. All clients that make use of the code library thus become vulnerable by association. This has a very broad effect on security across a system, usually affecting more than one software process.
  • Buffer Overflow in Local Command-Line Utilities
    This attack targets command-line utilities available in a number of shells. An attacker can leverage a vulnerability found in a command-line utility to escalate privilege to root.
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
COMPLETE COMPLETE COMPLETE
nessus via4
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201301-01.NASL
    description The remote host is affected by the vulnerability described in GLSA-201301-01 (Mozilla Products: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Mozilla Firefox, Thunderbird, SeaMonkey, NSS, GNU IceCat, and XULRunner. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could entice a user to view a specially crafted web page or email, possibly resulting in execution of arbitrary code or a Denial of Service condition. Furthermore, a remote attacker may be able to perform Man-in-the-Middle attacks, obtain sensitive information, bypass restrictions and protection mechanisms, force file downloads, conduct XML injection attacks, conduct XSS attacks, bypass the Same Origin Policy, spoof URL’s for phishing attacks, trigger a vertical scroll, spoof the location bar, spoof an SSL indicator, modify the browser’s font, conduct clickjacking attacks, or have other unspecified impact. A local attacker could gain escalated privileges, obtain sensitive information, or replace an arbitrary downloaded file. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-11-19
    plugin id 63402
    published 2013-01-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=63402
    title GLSA-201301-01 : Mozilla Products: Multiple vulnerabilities (BEAST)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_3_MOZILLA-XULRUNNER191-101028.NASL
    description This update brings Mozilla XULRunner to version 1.9.1.15, fixing various bugs and security issues. The following security issues were fixed: MFSA 2010-49 / CVE-2010-3169: Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. MFSA 2010-50 / CVE-2010-2765: Security researcher Chris Rohlf of Matasano Security reported that the implementation of the HTML frameset element contained an integer overflow vulnerability. The code responsible for parsing the frameset columns used an 8-byte counter for the column numbers, so when a very large number of columns was passed in the counter would overflow. When this counter was subsequently used to allocate memory for the frameset, the memory buffer would be too small, potentially resulting in a heap buffer overflow and execution of attacker-controlled memory. MFSA 2010-51 / CVE-2010-2767: Security researcher Sergey Glazunov reported a dangling pointer vulnerability in the implementation of navigator.plugins in which the navigator object could retain a pointer to the plugins array even after it had been destroyed. An attacker could potentially use this issue to crash the browser and run arbitrary code on a victim's computer. MFSA 2010-52 / CVE-2010-3131: Security researcher Haifei Li of FortiGuard Labs reported that Firefox could be used to load a malicious code library that had been planted on a victim's computer. Firefox attempts to load dwmapi.dll upon startup as part of its platform detection, so on systems that don't have this library, such as Windows XP, Firefox will subsequently attempt to load the library from the current working directory. An attacker could use this vulnerability to trick a user into downloading a HTML file and a malicious copy of dwmapi.dll into the same directory on their computer and opening the HTML file with Firefox, thus causing the malicious code to be executed. If the attacker was on the same network as the victim, the malicious DLL could also be loaded via a UNC path. The attack also requires that Firefox not currently be running when it is asked to open the HTML file and accompanying DLL. As this is a Windows only problem, it does not affect the Linux version. It is listed for completeness only. MFSA 2010-53 / CVE-2010-3166: Security researcher wushi of team509 reported a heap buffer overflow in code routines responsible for transforming text runs. A page could be constructed with a bidirectional text run which upon reflow could result in an incorrect length being calculated for the run of text. When this value is subsequently used to allocate memory for the text too small a buffer may be created potentially resulting in a buffer overflow and the execution of attacker controlled memory. MFSA 2010-54 / CVE-2010-2760: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that there was a remaining dangling pointer issue leftover from the fix to CVE-2010-2753. Under certain circumstances one of the pointers held by a XUL tree selection could be freed and then later reused, potentially resulting in the execution of attacker-controlled memory. MFSA 2010-55 / CVE-2010-3168: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that XUL objects could be manipulated such that the setting of certain properties on the object would trigger the removal of the tree from the DOM and cause certain sections of deleted memory to be accessed. In products based on Gecko version 1.9.2 (Firefox 3.6, Thunderbird 3.1) and newer this memory has been overwritten by a value that will cause an unexploitable crash. In products based on Gecko version 1.9.1 (Firefox 3.5, Thunderbird 3.0, and SeaMonkey 2.0) and older an attacker could potentially use this vulnerability to crash a victim's browser and run arbitrary code on their computer. MFSA 2010-56 / CVE-2010-3167: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that the implementation of XUL's content view contains a dangling pointer vulnerability. One of the content view's methods for accessing the internal structure of the tree could be manipulated into removing a node prior to accessing it, resulting in the accessing of deleted memory. If an attacker can control the contents of the deleted memory prior to its access they could use this vulnerability to run arbitrary code on a victim's machine. MFSA 2010-57 / CVE-2010-2766: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that code used to normalize a document contained a logical flaw that could be leveraged to run arbitrary code. When the normalization code ran, a static count of the document's child nodes was used in the traversal, so a page could be constructed that would remove DOM nodes during this normalization which could lead to the accessing of a deleted object and potentially the execution of attacker-controlled memory. MFSA 2010-58 / CVE-2010-2770: Security researcher Marc Schoenefeld reported that a specially crafted font could be applied to a document and cause a crash on Mac systems. The crash showed signs of memory corruption and presumably could be used by an attacker to execute arbitrary code on a victim's computer. This issue probably does not affect the Linux builds and so is listed for completeness. MFSA 2010-59 / CVE-2010-2762: Mozilla developer Blake Kaplan reported that the wrapper class XPCSafeJSObjectWrapper (SJOW), a security wrapper that allows content-defined objects to be safely accessed by privileged code, creates scope chains ending in outer objects. Users of SJOWs which expect the scope chain to end on an inner object may be handed a chrome privileged object which could be leveraged to run arbitrary JavaScript with chrome privileges. Michal Zalewski's recent contributions helped to identify this architectural weakness. MFSA 2010-60 / CVE-2010-2763: Mozilla security researcher mozbugr_a4 reported that the wrapper class XPCSafeJSObjectWrapper (SJOW) on the Mozilla 1.9.1 development branch has a logical error in its scripted function implementation that allows the caller to run the function within the context of another site. This is a violation of the same-origin policy and could be used to mount an XSS attack. MFSA 2010-61 / CVE-2010-2768: Security researchers David Huang and Collin Jackson of Carnegie Mellon University CyLab (Silicon Valley campus) reported that the type attribute of an tag can override the charset of a framed HTML document, even when the document is included across origins. A page could be constructed containing such an tag which sets the charset of the framed document to UTF-7. This could potentially allow an attacker to inject UTF-7 encoded JavaScript into a site, bypassing the site's XSS filters, and then executing the code using the above technique. MFSA 2010-62 / CVE-2010-2769: Security researcher Paul Stone reported that when an HTML selection containing JavaScript is copy-and-pasted or dropped onto a document with designMode enabled the JavaScript will be executed within the context of the site where the code was dropped. A malicious site could leverage this issue in an XSS attack by persuading a user into taking such an action and in the process running malicious JavaScript within the context of another site. MFSA 2010-63 / CVE-2010-2764: Matt Haggard reported that the statusText property of an XMLHttpRequest object is readable by the requestor even when the request is made across origins. This status information reveals the presence of a web server and could be used to gather information about servers on internal private networks. This issue was also independently reported to Mozilla by Nicholas Berthaume. MFSA 2010-64: Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. References Paul Nickerson, Jesse Ruderman, Olli Pettay, Igor Bukanov and Josh Soref reported memory safety problems that affected Firefox 3.6 and Firefox 3.5. - Memory safety bugs - Firefox 3.6, Firefox 3.5 - CVE-2010-3176 Jesse Ruderman reported a crash which affected Firefox 3.5 only. - https://bugzilla.mozilla.org/show_bug.cgi?id=476547 - CVE-2010-3174 MFSA 2010-65 / CVE-2010-3179: Security researcher Alexander Miller reported that passing an excessively long string to document.write could cause text rendering routines to end up in an inconsistent state with sections of stack memory being overwritten with the string data. An attacker could use this flaw to crash a victim's browser and potentially run arbitrary code on their computer. MFSA 2010-66 / CVE-2010-3180: Security researcher Sergey Glazunov reported that it was possible to access the locationbar property of a window object after it had been closed. Since the closed window's memory could have been subsequently reused by the system it was possible that an attempt to access the locationbar property could result in the execution of attacker-controlled memory. MFSA 2010-67 / CVE-2010-3183: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that when window.__lookupGetter__ is called with no arguments the code assumes the top JavaScript stack value is a property name. Since there were no arguments passed into the function, the top value could represent uninitialized memory or a pointer to a previously freed JavaScript object. Under such circumstances the value is passed to another subroutine which calls through the dangling pointer, potentially executing attacker-controlled memory. MFSA 2010-68 / CVE-2010-3177: Google security researcher Robert Swiecki reported that functions used by the Gopher parser to convert text to HTML tags could be exploited to turn text into executable JavaScript. If an attacker could create a file or directory on a Gopher server with the encoded script as part of its name the script would then run in a victim's browser within the context of the site. MFSA 2010-69 / CVE-2010-3178: Security researcher Eduardo Vela Nava reported that if a web page opened a new window and used a javascript: URL to make a modal call, such as alert(), then subsequently navigated the page to a different domain, once the modal call returned the opener of the window could get access to objects in the navigated window. This is a violation of the same-origin policy and could be used by an attacker to steal information from another website. MFSA 2010-70 / CVE-2010-3170: Security researcher Richard Moore reported that when an SSL certificate was created with a common name containing a wildcard followed by a partial IP address a valid SSL connection could be established with a server whose IP address matched the wildcard range by browsing directly to the IP address. It is extremely unlikely that such a certificate would be issued by a Certificate Authority. MFSA 2010-71 / CVE-2010-3182: Dmitri Gribenko reported that the script used to launch Mozilla applications on Linux was effectively including the current working directory in the LD_LIBRARY_PATH environment variable. If an attacker was able to place into the current working directory a malicious shared library with the same name as a library that the bootstrapping script depends on the attacker could have their library loaded instead of the legitimate library. MFSA 2010-73 / CVE-2010-3765: Morten Kråkvik of Telenor SOC reported an exploit targeting particular versions of Firefox 3.6 on Windows XP that Telenor found while investigating an intrusion attempt on a customer network. The underlying vulnerability, however, was present on both the Firefox 3.5 and Firefox 3.6 development branches and affected all supported platforms.
    last seen 2019-02-21
    modified 2014-06-13
    plugin id 75671
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=75671
    title openSUSE Security Update : mozilla-xulrunner191 (mozilla-xulrunner191-3421)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_1_MOZILLA-XULRUNNER191-101028.NASL
    description This update brings Mozilla XULRunner to version 1.9.1.15, fixing various bugs and security issues. The following security issues were fixed: MFSA 2010-49 / CVE-2010-3169: Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. MFSA 2010-50 / CVE-2010-2765: Security researcher Chris Rohlf of Matasano Security reported that the implementation of the HTML frameset element contained an integer overflow vulnerability. The code responsible for parsing the frameset columns used an 8-byte counter for the column numbers, so when a very large number of columns was passed in the counter would overflow. When this counter was subsequently used to allocate memory for the frameset, the memory buffer would be too small, potentially resulting in a heap buffer overflow and execution of attacker-controlled memory. MFSA 2010-51 / CVE-2010-2767: Security researcher Sergey Glazunov reported a dangling pointer vulnerability in the implementation of navigator.plugins in which the navigator object could retain a pointer to the plugins array even after it had been destroyed. An attacker could potentially use this issue to crash the browser and run arbitrary code on a victim's computer. MFSA 2010-52 / CVE-2010-3131: Security researcher Haifei Li of FortiGuard Labs reported that Firefox could be used to load a malicious code library that had been planted on a victim's computer. Firefox attempts to load dwmapi.dll upon startup as part of its platform detection, so on systems that don't have this library, such as Windows XP, Firefox will subsequently attempt to load the library from the current working directory. An attacker could use this vulnerability to trick a user into downloading a HTML file and a malicious copy of dwmapi.dll into the same directory on their computer and opening the HTML file with Firefox, thus causing the malicious code to be executed. If the attacker was on the same network as the victim, the malicious DLL could also be loaded via a UNC path. The attack also requires that Firefox not currently be running when it is asked to open the HTML file and accompanying DLL. As this is a Windows only problem, it does not affect the Linux version. It is listed for completeness only. MFSA 2010-53 / CVE-2010-3166: Security researcher wushi of team509 reported a heap buffer overflow in code routines responsible for transforming text runs. A page could be constructed with a bidirectional text run which upon reflow could result in an incorrect length being calculated for the run of text. When this value is subsequently used to allocate memory for the text too small a buffer may be created potentially resulting in a buffer overflow and the execution of attacker controlled memory. MFSA 2010-54 / CVE-2010-2760: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that there was a remaining dangling pointer issue leftover from the fix to CVE-2010-2753. Under certain circumstances one of the pointers held by a XUL tree selection could be freed and then later reused, potentially resulting in the execution of attacker-controlled memory. MFSA 2010-55 / CVE-2010-3168: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that XUL objects could be manipulated such that the setting of certain properties on the object would trigger the removal of the tree from the DOM and cause certain sections of deleted memory to be accessed. In products based on Gecko version 1.9.2 (Firefox 3.6, Thunderbird 3.1) and newer this memory has been overwritten by a value that will cause an unexploitable crash. In products based on Gecko version 1.9.1 (Firefox 3.5, Thunderbird 3.0, and SeaMonkey 2.0) and older an attacker could potentially use this vulnerability to crash a victim's browser and run arbitrary code on their computer. MFSA 2010-56 / CVE-2010-3167: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that the implementation of XUL's content view contains a dangling pointer vulnerability. One of the content view's methods for accessing the internal structure of the tree could be manipulated into removing a node prior to accessing it, resulting in the accessing of deleted memory. If an attacker can control the contents of the deleted memory prior to its access they could use this vulnerability to run arbitrary code on a victim's machine. MFSA 2010-57 / CVE-2010-2766: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that code used to normalize a document contained a logical flaw that could be leveraged to run arbitrary code. When the normalization code ran, a static count of the document's child nodes was used in the traversal, so a page could be constructed that would remove DOM nodes during this normalization which could lead to the accessing of a deleted object and potentially the execution of attacker-controlled memory. MFSA 2010-58 / CVE-2010-2770: Security researcher Marc Schoenefeld reported that a specially crafted font could be applied to a document and cause a crash on Mac systems. The crash showed signs of memory corruption and presumably could be used by an attacker to execute arbitrary code on a victim's computer. This issue probably does not affect the Linux builds and so is listed for completeness. MFSA 2010-59 / CVE-2010-2762: Mozilla developer Blake Kaplan reported that the wrapper class XPCSafeJSObjectWrapper (SJOW), a security wrapper that allows content-defined objects to be safely accessed by privileged code, creates scope chains ending in outer objects. Users of SJOWs which expect the scope chain to end on an inner object may be handed a chrome privileged object which could be leveraged to run arbitrary JavaScript with chrome privileges. Michal Zalewski's recent contributions helped to identify this architectural weakness. MFSA 2010-60 / CVE-2010-2763: Mozilla security researcher mozbugr_a4 reported that the wrapper class XPCSafeJSObjectWrapper (SJOW) on the Mozilla 1.9.1 development branch has a logical error in its scripted function implementation that allows the caller to run the function within the context of another site. This is a violation of the same-origin policy and could be used to mount an XSS attack. MFSA 2010-61 / CVE-2010-2768: Security researchers David Huang and Collin Jackson of Carnegie Mellon University CyLab (Silicon Valley campus) reported that the type attribute of an tag can override the charset of a framed HTML document, even when the document is included across origins. A page could be constructed containing such an tag which sets the charset of the framed document to UTF-7. This could potentially allow an attacker to inject UTF-7 encoded JavaScript into a site, bypassing the site's XSS filters, and then executing the code using the above technique. MFSA 2010-62 / CVE-2010-2769: Security researcher Paul Stone reported that when an HTML selection containing JavaScript is copy-and-pasted or dropped onto a document with designMode enabled the JavaScript will be executed within the context of the site where the code was dropped. A malicious site could leverage this issue in an XSS attack by persuading a user into taking such an action and in the process running malicious JavaScript within the context of another site. MFSA 2010-63 / CVE-2010-2764: Matt Haggard reported that the statusText property of an XMLHttpRequest object is readable by the requestor even when the request is made across origins. This status information reveals the presence of a web server and could be used to gather information about servers on internal private networks. This issue was also independently reported to Mozilla by Nicholas Berthaume. MFSA 2010-64: Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. References Paul Nickerson, Jesse Ruderman, Olli Pettay, Igor Bukanov and Josh Soref reported memory safety problems that affected Firefox 3.6 and Firefox 3.5. - Memory safety bugs - Firefox 3.6, Firefox 3.5 - CVE-2010-3176 Jesse Ruderman reported a crash which affected Firefox 3.5 only. - https://bugzilla.mozilla.org/show_bug.cgi?id=476547 - CVE-2010-3174 MFSA 2010-65 / CVE-2010-3179: Security researcher Alexander Miller reported that passing an excessively long string to document.write could cause text rendering routines to end up in an inconsistent state with sections of stack memory being overwritten with the string data. An attacker could use this flaw to crash a victim's browser and potentially run arbitrary code on their computer. MFSA 2010-66 / CVE-2010-3180: Security researcher Sergey Glazunov reported that it was possible to access the locationbar property of a window object after it had been closed. Since the closed window's memory could have been subsequently reused by the system it was possible that an attempt to access the locationbar property could result in the execution of attacker-controlled memory. MFSA 2010-67 / CVE-2010-3183: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that when window.__lookupGetter__ is called with no arguments the code assumes the top JavaScript stack value is a property name. Since there were no arguments passed into the function, the top value could represent uninitialized memory or a pointer to a previously freed JavaScript object. Under such circumstances the value is passed to another subroutine which calls through the dangling pointer, potentially executing attacker-controlled memory. MFSA 2010-68 / CVE-2010-3177: Google security researcher Robert Swiecki reported that functions used by the Gopher parser to convert text to HTML tags could be exploited to turn text into executable JavaScript. If an attacker could create a file or directory on a Gopher server with the encoded script as part of its name the script would then run in a victim's browser within the context of the site. MFSA 2010-69 / CVE-2010-3178: Security researcher Eduardo Vela Nava reported that if a web page opened a new window and used a javascript: URL to make a modal call, such as alert(), then subsequently navigated the page to a different domain, once the modal call returned the opener of the window could get access to objects in the navigated window. This is a violation of the same-origin policy and could be used by an attacker to steal information from another website. MFSA 2010-70 / CVE-2010-3170: Security researcher Richard Moore reported that when an SSL certificate was created with a common name containing a wildcard followed by a partial IP address a valid SSL connection could be established with a server whose IP address matched the wildcard range by browsing directly to the IP address. It is extremely unlikely that such a certificate would be issued by a Certificate Authority. MFSA 2010-71 / CVE-2010-3182: Dmitri Gribenko reported that the script used to launch Mozilla applications on Linux was effectively including the current working directory in the LD_LIBRARY_PATH environment variable. If an attacker was able to place into the current working directory a malicious shared library with the same name as a library that the bootstrapping script depends on the attacker could have their library loaded instead of the legitimate library. MFSA 2010-73 / CVE-2010-3765: Morten Kråkvik of Telenor SOC reported an exploit targeting particular versions of Firefox 3.6 on Windows XP that Telenor found while investigating an intrusion attempt on a customer network. The underlying vulnerability, however, was present on both the Firefox 3.5 and Firefox 3.6 development branches and affected all supported platforms.
    last seen 2019-02-21
    modified 2014-06-13
    plugin id 50462
    published 2010-11-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=50462
    title openSUSE Security Update : mozilla-xulrunner191 (mozilla-xulrunner191-3421)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-2124.NASL
    description Several vulnerabilities have been discovered in Xulrunner, the component that provides the core functionality of Iceweasel, Debian's variant of Mozilla's browser technology. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2010-3765 Xulrunner allows remote attackers to execute arbitrary code via vectors related to nsCSSFrameConstructor::ContentAppended, the appendChild method, incorrect index tracking, and the creation of multiple frames, which triggers memory corruption. - CVE-2010-3174 CVE-2010-3176 Multiple unspecified vulnerabilities in the browser engine in Xulrunner allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. - CVE-2010-3177 Multiple cross-site scripting (XSS) vulnerabilities in the Gopher parser in Xulrunner allow remote attackers to inject arbitrary web script or HTML via a crafted name of a (1) file or (2) directory on a Gopher server. - CVE-2010-3178 Xulrunner does not properly handle certain modal calls made by javascript: URLs in circumstances related to opening a new window and performing cross-domain navigation, which allows remote attackers to bypass the Same Origin Policy via a crafted HTML document. - CVE-2010-3179 Stack-based buffer overflow in the text-rendering functionality in Xulrunner allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a long argument to the document.write method. - CVE-2010-3180 Use-after-free vulnerability in the nsBarProp function in Xulrunner allows remote attackers to execute arbitrary code by accessing the locationbar property of a closed window. - CVE-2010-3183 The LookupGetterOrSetter function in Xulrunner does not properly support window.__lookupGetter__ function calls that lack arguments, which allows remote attackers to execute arbitrary code or cause a denial of service (incorrect pointer dereference and application crash) via a crafted HTML document. In addition, this security update includes corrections for regressions caused by the fixes for CVE-2010-0654 and CVE-2010-2769 in DSA-2075-1 and DSA-2106-1.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 50453
    published 2010-11-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=50453
    title Debian DSA-2124-1 : xulrunner - several vulnerabilities
  • NASL family Windows
    NASL id SEAMONKEY_209.NASL
    description The installed version of SeaMonkey is earlier than 2.0.9. Such versions are potentially affected by the following security issues : - Multiple memory safety bugs could lead to memory corruption, potentially resulting in arbitrary code execution. (MFSA 2010-64) - By passing an excessively long string to 'document.write', it may be possible to trigger a buffer overflow condition resulting in arbitrary code execution on the remote system. (MFSA 2010-65) - A use-after-free error in nsBarProp could allow arbitrary code execution on the remote system. (MFSA 2010-66) - A dangling pointer vulnerability in LookupGetterOrSetter could allow arbitrary code execution. (MFSA 2010-67) - The Gopher parser is affected by a cross-site scripting vulnerability. (MFSA 2010-68) - It is possible to steal information from a site in a different domain using modal calls. (MFSA 2010-69) - It is possible to establish a valid SSL connection to a remote host, provided the SSL certificate was created with a common name containing a wild card followed by partial IP address of the remote host. (MFSA 2010-70) - A function used to load external libraries on Windows platform could allow loading of unsafe DLLs thus allowing binary planting attacks. (MFSA 2010-71) - The SSL implementation allows servers to use Diffie-Hellman Ephemeral mode (DHE) with a very short key length. Such key lengths could be easily breakable with modern hardware. (MFSA 2010-72)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 50088
    published 2010-10-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=50088
    title SeaMonkey < 2.0.9 Multiple Vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id SUSE_MOZILLAFIREFOX-7208.NASL
    description This update brings Mozilla Firefox to version 3.5.15, fixing various bugs and security issues. The following security issues were fixed : - Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. (MFSA 2010-49 / CVE-2010-3169) - Security researcher Chris Rohlf of Matasano Security reported that the implementation of the HTML frameset element contained an integer overflow vulnerability. The code responsible for parsing the frameset columns used an 8-byte counter for the column numbers, so when a very large number of columns was passed in the counter would overflow. When this counter was subsequently used to allocate memory for the frameset, the memory buffer would be too small, potentially resulting in a heap buffer overflow and execution of attacker-controlled memory. (MFSA 2010-50 / CVE-2010-2765) - Security researcher Sergey Glazunov reported a dangling pointer vulnerability in the implementation of navigator.plugins in which the navigator object could retain a pointer to the plugins array even after it had been destroyed. An attacker could potentially use this issue to crash the browser and run arbitrary code on a victim's computer. (MFSA 2010-51 / CVE-2010-2767) - Security researcher Haifei Li of FortiGuard Labs reported that Firefox could be used to load a malicious code library that had been planted on a victim's computer. Firefox attempts to load dwmapi.dll upon startup as part of its platform detection, so on systems that don't have this library, such as Windows XP, Firefox will subsequently attempt to load the library from the current working directory. An attacker could use this vulnerability to trick a user into downloading a HTML file and a malicious copy of dwmapi.dll into the same directory on their computer and opening the HTML file with Firefox, thus causing the malicious code to be executed. If the attacker was on the same network as the victim, the malicious DLL could also be loaded via a UNC path. The attack also requires that Firefox not currently be running when it is asked to open the HTML file and accompanying DLL. As this is a Windows only problem, it does not affect the Linux version. It is listed for completeness only. (MFSA 2010-52 / CVE-2010-3131) - Security researcher wushi of team509 reported a heap buffer overflow in code routines responsible for transforming text runs. A page could be constructed with a bidirectional text run which upon reflow could result in an incorrect length being calculated for the run of text. When this value is subsequently used to allocate memory for the text too small a buffer may be created potentially resulting in a buffer overflow and the execution of attacker controlled memory. (MFSA 2010-53 / CVE-2010-3166) - Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that there was a remaining dangling pointer issue leftover from the fix to CVE-2010-2753. Under certain circumstances one of the pointers held by a XUL tree selection could be freed and then later reused, potentially resulting in the execution of attacker-controlled memory. (MFSA 2010-54 / CVE-2010-2760) - Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that XUL objects could be manipulated such that the setting of certain properties on the object would trigger the removal of the tree from the DOM and cause certain sections of deleted memory to be accessed. In products based on Gecko version 1.9.2 (Firefox 3.6, Thunderbird 3.1) and newer this memory has been overwritten by a value that will cause an unexploitable crash. In products based on Gecko version 1.9.1 (Firefox 3.5, Thunderbird 3.0, and SeaMonkey 2.0) and older an attacker could potentially use this vulnerability to crash a victim's browser and run arbitrary code on their computer. (MFSA 2010-55 / CVE-2010-3168) - Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that the implementation of XUL's content view contains a dangling pointer vulnerability. One of the content view's methods for accessing the internal structure of the tree could be manipulated into removing a node prior to accessing it, resulting in the accessing of deleted memory. If an attacker can control the contents of the deleted memory prior to its access they could use this vulnerability to run arbitrary code on a victim's machine. (MFSA 2010-56 / CVE-2010-3167) - Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that code used to normalize a document contained a logical flaw that could be leveraged to run arbitrary code. When the normalization code ran, a static count of the document's child nodes was used in the traversal, so a page could be constructed that would remove DOM nodes during this normalization which could lead to the accessing of a deleted object and potentially the execution of attacker-controlled memory. (MFSA 2010-57 / CVE-2010-2766) - Security researcher Marc Schoenefeld reported that a specially crafted font could be applied to a document and cause a crash on Mac systems. The crash showed signs of memory corruption and presumably could be used by an attacker to execute arbitrary code on a victim's computer. This issue probably does not affect the Linux builds and so is listed for completeness. (MFSA 2010-58 / CVE-2010-2770) - Mozilla developer Blake Kaplan reported that the wrapper class XPCSafeJSObjectWrapper (SJOW), a security wrapper that allows content-defined objects to be safely accessed by privileged code, creates scope chains ending in outer objects. Users of SJOWs which expect the scope chain to end on an inner object may be handed a chrome privileged object which could be leveraged to run arbitrary JavaScript with chrome privileges. Michal Zalewski's recent contributions helped to identify this architectural weakness. (MFSA 2010-59 / CVE-2010-2762) - Mozilla security researcher mozbugr_a4 reported that the wrapper class XPCSafeJSObjectWrapper (SJOW) on the Mozilla 1.9.1 development branch has a logical error in its scripted function implementation that allows the caller to run the function within the context of another site. This is a violation of the same-origin policy and could be used to mount an XSS attack. (MFSA 2010-60 / CVE-2010-2763) - Security researchers David Huang and Collin Jackson of Carnegie Mellon University CyLab (Silicon Valley campus) reported that the type attribute of an tag can override the charset of a framed HTML document, even when the document is included across origins. A page could be constructed containing such an tag which sets the charset of the framed document to UTF-7. This could potentially allow an attacker to inject UTF-7 encoded JavaScript into a site, bypassing the site's XSS filters, and then executing the code using the above technique. (MFSA 2010-61 / CVE-2010-2768) - Security researcher Paul Stone reported that when an HTML selection containing JavaScript is copy-and-pasted or dropped onto a document with designMode enabled the JavaScript will be executed within the context of the site where the code was dropped. A malicious site could leverage this issue in an XSS attack by persuading a user into taking such an action and in the process running malicious JavaScript within the context of another site. (MFSA 2010-62 / CVE-2010-2769) - Matt Haggard reported that the statusText property of an XMLHttpRequest object is readable by the requestor even when the request is made across origins. This status information reveals the presence of a web server and could be used to gather information about servers on internal private networks. This issue was also independently reported to Mozilla by Nicholas Berthaume. (MFSA 2010-63 / CVE-2010-2764) - Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. References. (MFSA 2010-64) Paul Nickerson, Jesse Ruderman, Olli Pettay, Igor Bukanov and Josh Soref reported memory safety problems that affected Firefox 3.6 and Firefox 3.5. o Memory safety bugs - Firefox 3.6, Firefox 3.5 o CVE-2010-3176 Jesse Ruderman reported a crash which affected Firefox 3.5 only. o https://bugzilla.mozilla.org/show_bug.cgi?id=476547 o CVE-2010-3174 - Security researcher Alexander Miller reported that passing an excessively long string to document.write could cause text rendering routines to end up in an inconsistent state with sections of stack memory being overwritten with the string data. An attacker could use this flaw to crash a victim's browser and potentially run arbitrary code on their computer. (MFSA 2010-65 / CVE-2010-3179) - Security researcher Sergey Glazunov reported that it was possible to access the locationbar property of a window object after it had been closed. Since the closed window's memory could have been subsequently reused by the system it was possible that an attempt to access the locationbar property could result in the execution of attacker-controlled memory. (MFSA 2010-66 / CVE-2010-3180) - Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that when window.__lookupGetter__ is called with no arguments the code assumes the top JavaScript stack value is a property name. Since there were no arguments passed into the function, the top value could represent uninitialized memory or a pointer to a previously freed JavaScript object. Under such circumstances the value is passed to another subroutine which calls through the dangling pointer, potentially executing attacker-controlled memory. (MFSA 2010-67 / CVE-2010-3183) - Google security researcher Robert Swiecki reported that functions used by the Gopher parser to convert text to HTML tags could be exploited to turn text into executable JavaScript. If an attacker could create a file or directory on a Gopher server with the encoded script as part of its name the script would then run in a victim's browser within the context of the site. (MFSA 2010-68 / CVE-2010-3177) - Security researcher Eduardo Vela Nava reported that if a web page opened a new window and used a javascript: URL to make a modal call, such as alert(), then subsequently navigated the page to a different domain, once the modal call returned the opener of the window could get access to objects in the navigated window. This is a violation of the same-origin policy and could be used by an attacker to steal information from another web site. (MFSA 2010-69 / CVE-2010-3178) - Security researcher Richard Moore reported that when an SSL certificate was created with a common name containing a wildcard followed by a partial IP address a valid SSL connection could be established with a server whose IP address matched the wildcard range by browsing directly to the IP address. It is extremely unlikely that such a certificate would be issued by a Certificate Authority. (MFSA 2010-70 / CVE-2010-3170) - Dmitri Gribenko reported that the script used to launch Mozilla applications on Linux was effectively including the current working directory in the LD_LIBRARY_PATH environment variable. If an attacker was able to place into the current working directory a malicious shared library with the same name as a library that the bootstrapping script depends on the attacker could have their library loaded instead of the legitimate library. (MFSA 2010-71 / CVE-2010-3182)
    last seen 2019-02-21
    modified 2012-06-14
    plugin id 50488
    published 2010-11-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=50488
    title SuSE 10 Security Update : Mozilla Firefox (ZYPP Patch Number 7208)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2010-211.NASL
    description Security issues were identified and fixed in mozilla-thunderbird : The SSL implementation in Mozilla Firefox before 3.5.14 and 3.6.x before 3.6.11, Thunderbird before 3.0.9 and 3.1.x before 3.1.5, and SeaMonkey before 2.0.9 does not properly set the minimum key length for Diffie-Hellman Ephemeral (DHE) mode, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a brute-force attack (CVE-2010-3173). Unspecified vulnerability in the browser engine in Mozilla Firefox 3.5.x before 3.5.14, Thunderbird before 3.0.9, and SeaMonkey before 2.0.9 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors (CVE-2010-3174, CVE-2010-3175, CVE-2010-3176). Mozilla Firefox before 3.5.14 and 3.6.x before 3.6.11, Thunderbird before 3.0.9 and 3.1.x before 3.1.5, and SeaMonkey before 2.0.9 do not properly handle certain modal calls made by javascript: URLs in circumstances related to opening a new window and performing cross-domain navigation, which allows remote attackers to bypass the Same Origin Policy via a crafted HTML document (CVE-2010-3178). Stack-based buffer overflow in the text-rendering functionality in Mozilla Firefox before 3.5.14 and 3.6.x before 3.6.11, Thunderbird before 3.0.9 and 3.1.x before 3.1.5, and SeaMonkey before 2.0.9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a long argument to the document.write method (CVE-2010-3179). Use-after-free vulnerability in the nsBarProp function in Mozilla Firefox before 3.5.14 and 3.6.x before 3.6.11, Thunderbird before 3.0.9 and 3.1.x before 3.1.5, and SeaMonkey before 2.0.9 allows remote attackers to execute arbitrary code by accessing the locationbar property of a closed window (CVE-2010-3180). A certain application-launch script in Mozilla Firefox before 3.5.14 and 3.6.x before 3.6.11, Thunderbird before 3.0.9 and 3.1.x before 3.1.5, and SeaMonkey before 2.0.9 on Linux places a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse shared library in the current working directory (CVE-2010-3182). The LookupGetterOrSetter function in Mozilla Firefox before 3.5.14 and 3.6.x before 3.6.11, Thunderbird before 3.0.9 and 3.1.x before 3.1.5, and SeaMonkey before 2.0.9 does not properly support window.__lookupGetter__ function calls that lack arguments, which allows remote attackers to execute arbitrary code or cause a denial of service (incorrect pointer dereference and application crash) via a crafted HTML document (CVE-2010-3183). Packages for 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more: http://store.mandriva.com/product_info.php?cPath=149&products_id=4 90 Additionally, some packages which require so, have been rebuilt and are being provided as updates.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 50315
    published 2010-10-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=50315
    title Mandriva Linux Security Advisory : mozilla-thunderbird (MDVSA-2010:211)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2010-0861.NASL
    description Updated firefox packages that fix several security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. A race condition flaw was found in the way Firefox handled Document Object Model (DOM) element properties. Malicious HTML content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2010-3765) Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2010-3175, CVE-2010-3176, CVE-2010-3179, CVE-2010-3183, CVE-2010-3180) A flaw was found in the way the Gopher parser in Firefox converted text into HTML. A malformed file name on a Gopher server could, when accessed by a victim running Firefox, allow arbitrary JavaScript to be executed in the context of the Gopher domain. (CVE-2010-3177) A same-origin policy bypass flaw was found in Firefox. An attacker could create a malicious web page that, when viewed by a victim, could steal private data from a different website the victim had loaded with Firefox. (CVE-2010-3178) A flaw was found in the script that launches Firefox. The LD_LIBRARY_PATH variable was appending a '.' character, which could allow a local attacker to execute arbitrary code with the privileges of a different user running Firefox, if that user ran Firefox from within an attacker-controlled directory. (CVE-2010-3182) For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 3.6.11 and 3.6.12. You can find links to the Mozilla advisories in the References section of this erratum. All Firefox users should upgrade to these updated packages, which contain Firefox version 3.6.12, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.
    last seen 2019-02-21
    modified 2018-12-20
    plugin id 50633
    published 2010-11-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=50633
    title RHEL 6 : firefox (RHSA-2010:0861)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_2_SEAMONKEY-101021.NASL
    description This update brings Mozilla SeaMonkey to version 2.0.9, fixing various bugs and security issues. The following security issues were fixed: MFSA 2010-49 / CVE-2010-3169: Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. MFSA 2010-50 / CVE-2010-2765: Security researcher Chris Rohlf of Matasano Security reported that the implementation of the HTML frameset element contained an integer overflow vulnerability. The code responsible for parsing the frameset columns used an 8-byte counter for the column numbers, so when a very large number of columns was passed in the counter would overflow. When this counter was subsequently used to allocate memory for the frameset, the memory buffer would be too small, potentially resulting in a heap buffer overflow and execution of attacker-controlled memory. MFSA 2010-51 / CVE-2010-2767: Security researcher Sergey Glazunov reported a dangling pointer vulnerability in the implementation of navigator.plugins in which the navigator object could retain a pointer to the plugins array even after it had been destroyed. An attacker could potentially use this issue to crash the browser and run arbitrary code on a victim's computer. MFSA 2010-52 / CVE-2010-3131: Security researcher Haifei Li of FortiGuard Labs reported that Firefox could be used to load a malicious code library that had been planted on a victim's computer. Firefox attempts to load dwmapi.dll upon startup as part of its platform detection, so on systems that don't have this library, such as Windows XP, Firefox will subsequently attempt to load the library from the current working directory. An attacker could use this vulnerability to trick a user into downloading a HTML file and a malicious copy of dwmapi.dll into the same directory on their computer and opening the HTML file with Firefox, thus causing the malicious code to be executed. If the attacker was on the same network as the victim, the malicious DLL could also be loaded via a UNC path. The attack also requires that Firefox not currently be running when it is asked to open the HTML file and accompanying DLL. As this is a Windows only problem, it does not affect the Linux version. It is listed for completeness only. MFSA 2010-53 / CVE-2010-3166: Security researcher wushi of team509 reported a heap buffer overflow in code routines responsible for transforming text runs. A page could be constructed with a bidirectional text run which upon reflow could result in an incorrect length being calculated for the run of text. When this value is subsequently used to allocate memory for the text too small a buffer may be created potentially resulting in a buffer overflow and the execution of attacker controlled memory. MFSA 2010-54 / CVE-2010-2760: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that there was a remaining dangling pointer issue leftover from the fix to CVE-2010-2753. Under certain circumstances one of the pointers held by a XUL tree selection could be freed and then later reused, potentially resulting in the execution of attacker-controlled memory. MFSA 2010-55 / CVE-2010-3168: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that XUL objects could be manipulated such that the setting of certain properties on the object would trigger the removal of the tree from the DOM and cause certain sections of deleted memory to be accessed. In products based on Gecko version 1.9.2 (Firefox 3.6, Thunderbird 3.1) and newer this memory has been overwritten by a value that will cause an unexploitable crash. In products based on Gecko version 1.9.1 (Firefox 3.5, Thunderbird 3.0, and SeaMonkey 2.0) and older an attacker could potentially use this vulnerability to crash a victim's browser and run arbitrary code on their computer. MFSA 2010-56 / CVE-2010-3167: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that the implementation of XUL's content view contains a dangling pointer vulnerability. One of the content view's methods for accessing the internal structure of the tree could be manipulated into removing a node prior to accessing it, resulting in the accessing of deleted memory. If an attacker can control the contents of the deleted memory prior to its access they could use this vulnerability to run arbitrary code on a victim's machine. MFSA 2010-57 / CVE-2010-2766: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that code used to normalize a document contained a logical flaw that could be leveraged to run arbitrary code. When the normalization code ran, a static count of the document's child nodes was used in the traversal, so a page could be constructed that would remove DOM nodes during this normalization which could lead to the accessing of a deleted object and potentially the execution of attacker-controlled memory. MFSA 2010-58 / CVE-2010-2770: Security researcher Marc Schoenefeld reported that a specially crafted font could be applied to a document and cause a crash on Mac systems. The crash showed signs of memory corruption and presumably could be used by an attacker to execute arbitrary code on a victim's computer. This issue probably does not affect the Linux builds and so is listed for completeness. MFSA 2010-59 / CVE-2010-2762: Mozilla developer Blake Kaplan reported that the wrapper class XPCSafeJSObjectWrapper (SJOW), a security wrapper that allows content-defined objects to be safely accessed by privileged code, creates scope chains ending in outer objects. Users of SJOWs which expect the scope chain to end on an inner object may be handed a chrome privileged object which could be leveraged to run arbitrary JavaScript with chrome privileges. Michal Zalewski's recent contributions helped to identify this architectural weakness. MFSA 2010-60 / CVE-2010-2763: Mozilla security researcher mozbugr_a4 reported that the wrapper class XPCSafeJSObjectWrapper (SJOW) on the Mozilla 1.9.1 development branch has a logical error in its scripted function implementation that allows the caller to run the function within the context of another site. This is a violation of the same-origin policy and could be used to mount an XSS attack. MFSA 2010-61 / CVE-2010-2768: Security researchers David Huang and Collin Jackson of Carnegie Mellon University CyLab (Silicon Valley campus) reported that the type attribute of an tag can override the charset of a framed HTML document, even when the document is included across origins. A page could be constructed containing such an tag which sets the charset of the framed document to UTF-7. This could potentially allow an attacker to inject UTF-7 encoded JavaScript into a site, bypassing the site's XSS filters, and then executing the code using the above technique. MFSA 2010-62 / CVE-2010-2769: Security researcher Paul Stone reported that when an HTML selection containing JavaScript is copy-and-pasted or dropped onto a document with designMode enabled the JavaScript will be executed within the context of the site where the code was dropped. A malicious site could leverage this issue in an XSS attack by persuading a user into taking such an action and in the process running malicious JavaScript within the context of another site. MFSA 2010-63 / CVE-2010-2764: Matt Haggard reported that the statusText property of an XMLHttpRequest object is readable by the requestor even when the request is made across origins. This status information reveals the presence of a web server and could be used to gather information about servers on internal private networks. This issue was also independently reported to Mozilla by Nicholas Berthaume. MFSA 2010-64: Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. References Paul Nickerson, Jesse Ruderman, Olli Pettay, Igor Bukanov and Josh Soref reported memory safety problems that affected Firefox 3.6 and Firefox 3.5. - Memory safety bugs - Firefox 3.6, Firefox 3.5 - CVE-2010-3176 Jesse Ruderman reported a crash which affected Firefox 3.5 only. - https://bugzilla.mozilla.org/show_bug.cgi?id=476547 - CVE-2010-3174 MFSA 2010-65 / CVE-2010-3179: Security researcher Alexander Miller reported that passing an excessively long string to document.write could cause text rendering routines to end up in an inconsistent state with sections of stack memory being overwritten with the string data. An attacker could use this flaw to crash a victim's browser and potentially run arbitrary code on their computer. MFSA 2010-66 / CVE-2010-3180: Security researcher Sergey Glazunov reported that it was possible to access the locationbar property of a window object after it had been closed. Since the closed window's memory could have been subsequently reused by the system it was possible that an attempt to access the locationbar property could result in the execution of attacker-controlled memory. MFSA 2010-67 / CVE-2010-3183: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that when window.__lookupGetter__ is called with no arguments the code assumes the top JavaScript stack value is a property name. Since there were no arguments passed into the function, the top value could represent uninitialized memory or a pointer to a previously freed JavaScript object. Under such circumstances the value is passed to another subroutine which calls through the dangling pointer, potentially executing attacker-controlled memory. MFSA 2010-68 / CVE-2010-3177: Google security researcher Robert Swiecki reported that functions used by the Gopher parser to convert text to HTML tags could be exploited to turn text into executable JavaScript. If an attacker could create a file or directory on a Gopher server with the encoded script as part of its name the script would then run in a victim's browser within the context of the site. MFSA 2010-69 / CVE-2010-3178: Security researcher Eduardo Vela Nava reported that if a web page opened a new window and used a javascript: URL to make a modal call, such as alert(), then subsequently navigated the page to a different domain, once the modal call returned the opener of the window could get access to objects in the navigated window. This is a violation of the same-origin policy and could be used by an attacker to steal information from another website. MFSA 2010-70 / CVE-2010-3170: Security researcher Richard Moore reported that when an SSL certificate was created with a common name containing a wildcard followed by a partial IP address a valid SSL connection could be established with a server whose IP address matched the wildcard range by browsing directly to the IP address. It is extremely unlikely that such a certificate would be issued by a Certificate Authority. MFSA 2010-71 / CVE-2010-3182: Dmitri Gribenko reported that the script used to launch Mozilla applications on Linux was effectively including the current working directory in the LD_LIBRARY_PATH environment variable. If an attacker was able to place into the current working directory a malicious shared library with the same name as a library that the bootstrapping script depends on the attacker could have their library loaded instead of the legitimate library.
    last seen 2019-02-21
    modified 2014-08-21
    plugin id 50376
    published 2010-10-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=50376
    title openSUSE Security Update : seamonkey (seamonkey-3372)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_1_MOZILLAFIREFOX-101028.NASL
    description This update brings Mozilla Firefox to version 3.6.12, fixing various bugs and security issues. The following security issues were fixed: MFSA 2010-64: Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. References Paul Nickerson, Jesse Ruderman, Olli Pettay, Igor Bukanov and Josh Soref reported memory safety problems that affected Firefox 3.6 and Firefox 3.5. - Memory safety bugs - Firefox 3.6, Firefox 3.5 - CVE-2010-3176 Gary Kwong, Martijn Wargers and Siddharth Agarwal reported memory safety problems that affected Firefox 3.6 only. - Memory safety bugs - Firefox 3.6 - CVE-2010-3175 MFSA 2010-65 / CVE-2010-3179: Security researcher Alexander Miller reported that passing an excessively long string to document.write could cause text rendering routines to end up in an inconsistent state with sections of stack memory being overwritten with the string data. An attacker could use this flaw to crash a victim's browser and potentially run arbitrary code on their computer. MFSA 2010-66 / CVE-2010-3180: Security researcher Sergey Glazunov reported that it was possible to access the locationbar property of a window object after it had been closed. Since the closed window's memory could have been subsequently reused by the system it was possible that an attempt to access the locationbar property could result in the execution of attacker-controlled memory. MFSA 2010-67 / CVE-2010-3183: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that when window.__lookupGetter__ is called with no arguments the code assumes the top JavaScript stack value is a property name. Since there were no arguments passed into the function, the top value could represent uninitialized memory or a pointer to a previously freed JavaScript object. Under such circumstances the value is passed to another subroutine which calls through the dangling pointer, potentially executing attacker-controlled memory. MFSA 2010-68 / CVE-2010-3177: Google security researcher Robert Swiecki reported that functions used by the Gopher parser to convert text to HTML tags could be exploited to turn text into executable JavaScript. If an attacker could create a file or directory on a Gopher server with the encoded script as part of its name the script would then run in a victim's browser within the context of the site. MFSA 2010-69 / CVE-2010-3178: Security researcher Eduardo Vela Nava reported that if a web page opened a new window and used a javascript: URL to make a modal call, such as alert(), then subsequently navigated the page to a different domain, once the modal call returned the opener of the window could get access to objects in the navigated window. This is a violation of the same-origin policy and could be used by an attacker to steal information from another website. MFSA 2010-70 / CVE-2010-3170: Security researcher Richard Moore reported that when an SSL certificate was created with a common name containing a wildcard followed by a partial IP address a valid SSL connection could be established with a server whose IP address matched the wildcard range by browsing directly to the IP address. It is extremely unlikely that such a certificate would be issued by a Certificate Authority. MFSA 2010-71 / CVE-2010-3182: Dmitri Gribenko reported that the script used to launch Mozilla applications on Linux was effectively including the current working directory in the LD_LIBRARY_PATH environment variable. If an attacker was able to place into the current working directory a malicious shared library with the same name as a library that the bootstrapping script depends on the attacker could have their library loaded instead of the legitimate library. MFSA 2010-73 / CVE-2010-3765: Morten Kråkvik of Telenor SOC reported an exploit targeting particular versions of Firefox 3.6 on Windows XP that Telenor found while investigating an intrusion attempt on a customer network. The underlying vulnerability, however, was present on both the Firefox 3.5 and Firefox 3.6 development branches and affected all supported platforms.
    last seen 2019-02-21
    modified 2014-06-13
    plugin id 50460
    published 2010-11-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=50460
    title openSUSE Security Update : MozillaFirefox (MozillaFirefox-3422)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_2_MOZILLAFIREFOX-101028.NASL
    description This update brings Mozilla Firefox to version 3.6.12, fixing various bugs and security issues. The following security issues were fixed: MFSA 2010-64: Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. References Paul Nickerson, Jesse Ruderman, Olli Pettay, Igor Bukanov and Josh Soref reported memory safety problems that affected Firefox 3.6 and Firefox 3.5. - Memory safety bugs - Firefox 3.6, Firefox 3.5 - CVE-2010-3176 Gary Kwong, Martijn Wargers and Siddharth Agarwal reported memory safety problems that affected Firefox 3.6 only. - Memory safety bugs - Firefox 3.6 - CVE-2010-3175 MFSA 2010-65 / CVE-2010-3179: Security researcher Alexander Miller reported that passing an excessively long string to document.write could cause text rendering routines to end up in an inconsistent state with sections of stack memory being overwritten with the string data. An attacker could use this flaw to crash a victim's browser and potentially run arbitrary code on their computer. MFSA 2010-66 / CVE-2010-3180: Security researcher Sergey Glazunov reported that it was possible to access the locationbar property of a window object after it had been closed. Since the closed window's memory could have been subsequently reused by the system it was possible that an attempt to access the locationbar property could result in the execution of attacker-controlled memory. MFSA 2010-67 / CVE-2010-3183: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that when window.__lookupGetter__ is called with no arguments the code assumes the top JavaScript stack value is a property name. Since there were no arguments passed into the function, the top value could represent uninitialized memory or a pointer to a previously freed JavaScript object. Under such circumstances the value is passed to another subroutine which calls through the dangling pointer, potentially executing attacker-controlled memory. MFSA 2010-68 / CVE-2010-3177: Google security researcher Robert Swiecki reported that functions used by the Gopher parser to convert text to HTML tags could be exploited to turn text into executable JavaScript. If an attacker could create a file or directory on a Gopher server with the encoded script as part of its name the script would then run in a victim's browser within the context of the site. MFSA 2010-69 / CVE-2010-3178: Security researcher Eduardo Vela Nava reported that if a web page opened a new window and used a javascript: URL to make a modal call, such as alert(), then subsequently navigated the page to a different domain, once the modal call returned the opener of the window could get access to objects in the navigated window. This is a violation of the same-origin policy and could be used by an attacker to steal information from another website. MFSA 2010-70 / CVE-2010-3170: Security researcher Richard Moore reported that when an SSL certificate was created with a common name containing a wildcard followed by a partial IP address a valid SSL connection could be established with a server whose IP address matched the wildcard range by browsing directly to the IP address. It is extremely unlikely that such a certificate would be issued by a Certificate Authority. MFSA 2010-71 / CVE-2010-3182: Dmitri Gribenko reported that the script used to launch Mozilla applications on Linux was effectively including the current working directory in the LD_LIBRARY_PATH environment variable. If an attacker was able to place into the current working directory a malicious shared library with the same name as a library that the bootstrapping script depends on the attacker could have their library loaded instead of the legitimate library. MFSA 2010-73 / CVE-2010-3765: Morten Kråkvik of Telenor SOC reported an exploit targeting particular versions of Firefox 3.6 on Windows XP that Telenor found while investigating an intrusion attempt on a customer network. The underlying vulnerability, however, was present on both the Firefox 3.5 and Firefox 3.6 development branches and affected all supported platforms.
    last seen 2019-02-21
    modified 2014-06-13
    plugin id 50464
    published 2010-11-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=50464
    title openSUSE Security Update : MozillaFirefox (MozillaFirefox-3422)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2010-0782.NASL
    description Updated firefox packages that fix several security issues are now available for Red Hat Enterprise Linux 4 and 5. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Network Security Services (NSS) is a set of libraries designed to support the development of security-enabled client and server applications. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2010-3175, CVE-2010-3176, CVE-2010-3179, CVE-2010-3183, CVE-2010-3180) A flaw was found in the way the Gopher parser in Firefox converted text into HTML. A malformed file name on a Gopher server could, when accessed by a victim running Firefox, allow arbitrary JavaScript to be executed in the context of the Gopher domain. (CVE-2010-3177) A same-origin policy bypass flaw was found in Firefox. An attacker could create a malicious web page that, when viewed by a victim, could steal private data from a different website the victim has loaded with Firefox. (CVE-2010-3178) A flaw was found in the script that launches Firefox. The LD_LIBRARY_PATH variable was appending a '.' character, which could allow a local attacker to execute arbitrary code with the privileges of a different user running Firefox, if that user ran Firefox from within an attacker-controlled directory. (CVE-2010-3182) This update also provides NSS version 3.12.8 which is required by the updated Firefox version, fixing the following security issues : It was found that the SSL DHE (Diffie-Hellman Ephemeral) mode implementation for key exchanges in Firefox accepted DHE keys that were 256 bits in length. This update removes support for 256 bit DHE keys, as such keys are easily broken using modern hardware. (CVE-2010-3173) A flaw was found in the way NSS matched SSL certificates when the certificates had a Common Name containing a wildcard and a partial IP address. NSS incorrectly accepted connections to IP addresses that fell within the SSL certificate's wildcard range as valid SSL connections, possibly allowing an attacker to conduct a man-in-the-middle attack. (CVE-2010-3170) For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 3.6.11. You can find a link to the Mozilla advisories in the References section of this erratum. All Firefox users should upgrade to these updated packages, which contain Firefox version 3.6.11, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 50793
    published 2010-11-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=50793
    title CentOS 4 / 5 : firefox (CESA-2010:0782)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_1_SEAMONKEY-101021.NASL
    description This update brings Mozilla SeaMonkey to version 2.0.9, fixing various bugs and security issues. The following security issues were fixed: MFSA 2010-49 / CVE-2010-3169: Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. MFSA 2010-50 / CVE-2010-2765: Security researcher Chris Rohlf of Matasano Security reported that the implementation of the HTML frameset element contained an integer overflow vulnerability. The code responsible for parsing the frameset columns used an 8-byte counter for the column numbers, so when a very large number of columns was passed in the counter would overflow. When this counter was subsequently used to allocate memory for the frameset, the memory buffer would be too small, potentially resulting in a heap buffer overflow and execution of attacker-controlled memory. MFSA 2010-51 / CVE-2010-2767: Security researcher Sergey Glazunov reported a dangling pointer vulnerability in the implementation of navigator.plugins in which the navigator object could retain a pointer to the plugins array even after it had been destroyed. An attacker could potentially use this issue to crash the browser and run arbitrary code on a victim's computer. MFSA 2010-52 / CVE-2010-3131: Security researcher Haifei Li of FortiGuard Labs reported that Firefox could be used to load a malicious code library that had been planted on a victim's computer. Firefox attempts to load dwmapi.dll upon startup as part of its platform detection, so on systems that don't have this library, such as Windows XP, Firefox will subsequently attempt to load the library from the current working directory. An attacker could use this vulnerability to trick a user into downloading a HTML file and a malicious copy of dwmapi.dll into the same directory on their computer and opening the HTML file with Firefox, thus causing the malicious code to be executed. If the attacker was on the same network as the victim, the malicious DLL could also be loaded via a UNC path. The attack also requires that Firefox not currently be running when it is asked to open the HTML file and accompanying DLL. As this is a Windows only problem, it does not affect the Linux version. It is listed for completeness only. MFSA 2010-53 / CVE-2010-3166: Security researcher wushi of team509 reported a heap buffer overflow in code routines responsible for transforming text runs. A page could be constructed with a bidirectional text run which upon reflow could result in an incorrect length being calculated for the run of text. When this value is subsequently used to allocate memory for the text too small a buffer may be created potentially resulting in a buffer overflow and the execution of attacker controlled memory. MFSA 2010-54 / CVE-2010-2760: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that there was a remaining dangling pointer issue leftover from the fix to CVE-2010-2753. Under certain circumstances one of the pointers held by a XUL tree selection could be freed and then later reused, potentially resulting in the execution of attacker-controlled memory. MFSA 2010-55 / CVE-2010-3168: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that XUL objects could be manipulated such that the setting of certain properties on the object would trigger the removal of the tree from the DOM and cause certain sections of deleted memory to be accessed. In products based on Gecko version 1.9.2 (Firefox 3.6, Thunderbird 3.1) and newer this memory has been overwritten by a value that will cause an unexploitable crash. In products based on Gecko version 1.9.1 (Firefox 3.5, Thunderbird 3.0, and SeaMonkey 2.0) and older an attacker could potentially use this vulnerability to crash a victim's browser and run arbitrary code on their computer. MFSA 2010-56 / CVE-2010-3167: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that the implementation of XUL's content view contains a dangling pointer vulnerability. One of the content view's methods for accessing the internal structure of the tree could be manipulated into removing a node prior to accessing it, resulting in the accessing of deleted memory. If an attacker can control the contents of the deleted memory prior to its access they could use this vulnerability to run arbitrary code on a victim's machine. MFSA 2010-57 / CVE-2010-2766: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that code used to normalize a document contained a logical flaw that could be leveraged to run arbitrary code. When the normalization code ran, a static count of the document's child nodes was used in the traversal, so a page could be constructed that would remove DOM nodes during this normalization which could lead to the accessing of a deleted object and potentially the execution of attacker-controlled memory. MFSA 2010-58 / CVE-2010-2770: Security researcher Marc Schoenefeld reported that a specially crafted font could be applied to a document and cause a crash on Mac systems. The crash showed signs of memory corruption and presumably could be used by an attacker to execute arbitrary code on a victim's computer. This issue probably does not affect the Linux builds and so is listed for completeness. MFSA 2010-59 / CVE-2010-2762: Mozilla developer Blake Kaplan reported that the wrapper class XPCSafeJSObjectWrapper (SJOW), a security wrapper that allows content-defined objects to be safely accessed by privileged code, creates scope chains ending in outer objects. Users of SJOWs which expect the scope chain to end on an inner object may be handed a chrome privileged object which could be leveraged to run arbitrary JavaScript with chrome privileges. Michal Zalewski's recent contributions helped to identify this architectural weakness. MFSA 2010-60 / CVE-2010-2763: Mozilla security researcher mozbugr_a4 reported that the wrapper class XPCSafeJSObjectWrapper (SJOW) on the Mozilla 1.9.1 development branch has a logical error in its scripted function implementation that allows the caller to run the function within the context of another site. This is a violation of the same-origin policy and could be used to mount an XSS attack. MFSA 2010-61 / CVE-2010-2768: Security researchers David Huang and Collin Jackson of Carnegie Mellon University CyLab (Silicon Valley campus) reported that the type attribute of an tag can override the charset of a framed HTML document, even when the document is included across origins. A page could be constructed containing such an tag which sets the charset of the framed document to UTF-7. This could potentially allow an attacker to inject UTF-7 encoded JavaScript into a site, bypassing the site's XSS filters, and then executing the code using the above technique. MFSA 2010-62 / CVE-2010-2769: Security researcher Paul Stone reported that when an HTML selection containing JavaScript is copy-and-pasted or dropped onto a document with designMode enabled the JavaScript will be executed within the context of the site where the code was dropped. A malicious site could leverage this issue in an XSS attack by persuading a user into taking such an action and in the process running malicious JavaScript within the context of another site. MFSA 2010-63 / CVE-2010-2764: Matt Haggard reported that the statusText property of an XMLHttpRequest object is readable by the requestor even when the request is made across origins. This status information reveals the presence of a web server and could be used to gather information about servers on internal private networks. This issue was also independently reported to Mozilla by Nicholas Berthaume. MFSA 2010-64: Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. References Paul Nickerson, Jesse Ruderman, Olli Pettay, Igor Bukanov and Josh Soref reported memory safety problems that affected Firefox 3.6 and Firefox 3.5. - Memory safety bugs - Firefox 3.6, Firefox 3.5 - CVE-2010-3176 Jesse Ruderman reported a crash which affected Firefox 3.5 only. - https://bugzilla.mozilla.org/show_bug.cgi?id=476547 - CVE-2010-3174 MFSA 2010-65 / CVE-2010-3179: Security researcher Alexander Miller reported that passing an excessively long string to document.write could cause text rendering routines to end up in an inconsistent state with sections of stack memory being overwritten with the string data. An attacker could use this flaw to crash a victim's browser and potentially run arbitrary code on their computer. MFSA 2010-66 / CVE-2010-3180: Security researcher Sergey Glazunov reported that it was possible to access the locationbar property of a window object after it had been closed. Since the closed window's memory could have been subsequently reused by the system it was possible that an attempt to access the locationbar property could result in the execution of attacker-controlled memory. MFSA 2010-67 / CVE-2010-3183: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that when window.__lookupGetter__ is called with no arguments the code assumes the top JavaScript stack value is a property name. Since there were no arguments passed into the function, the top value could represent uninitialized memory or a pointer to a previously freed JavaScript object. Under such circumstances the value is passed to another subroutine which calls through the dangling pointer, potentially executing attacker-controlled memory. MFSA 2010-68 / CVE-2010-3177: Google security researcher Robert Swiecki reported that functions used by the Gopher parser to convert text to HTML tags could be exploited to turn text into executable JavaScript. If an attacker could create a file or directory on a Gopher server with the encoded script as part of its name the script would then run in a victim's browser within the context of the site. MFSA 2010-69 / CVE-2010-3178: Security researcher Eduardo Vela Nava reported that if a web page opened a new window and used a javascript: URL to make a modal call, such as alert(), then subsequently navigated the page to a different domain, once the modal call returned the opener of the window could get access to objects in the navigated window. This is a violation of the same-origin policy and could be used by an attacker to steal information from another website. MFSA 2010-70 / CVE-2010-3170: Security researcher Richard Moore reported that when an SSL certificate was created with a common name containing a wildcard followed by a partial IP address a valid SSL connection could be established with a server whose IP address matched the wildcard range by browsing directly to the IP address. It is extremely unlikely that such a certificate would be issued by a Certificate Authority. MFSA 2010-71 / CVE-2010-3182: Dmitri Gribenko reported that the script used to launch Mozilla applications on Linux was effectively including the current working directory in the LD_LIBRARY_PATH environment variable. If an attacker was able to place into the current working directory a malicious shared library with the same name as a library that the bootstrapping script depends on the attacker could have their library loaded instead of the legitimate library.
    last seen 2019-02-21
    modified 2014-08-21
    plugin id 50371
    published 2010-10-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=50371
    title openSUSE Security Update : seamonkey (seamonkey-3372)
  • NASL family Windows
    NASL id MOZILLA_THUNDERBIRD_309.NASL
    description The installed version of Thunderbird is earlier than 3.0.9. Such versions are potentially affected by the following security issues : - Multiple memory safety bugs could lead to memory corruption, potentially resulting in arbitrary code execution. (MFSA 2010-64) - By passing an excessively long string to 'document.write', it may be possible to trigger a buffer overflow condition resulting in arbitrary code execution on the remote system. (MFSA 2010-65) - A use-after-free error in nsBarProp could allow arbitrary code execution on the remote system. (MFSA 2010-66) - A dangling pointer vulnerability in LookupGetterOrSetter could allow arbitrary code execution. (MFSA 2010-67) - It is possible to steal information from a site in a different domain using modal calls. (MFSA 2010-69) - It is possible to establish a valid SSL connection to a remote host, provided the SSL certificate was created with a common name containing a wild card followed by partial IP address of the remote host. (MFSA 2010-70) - A function used to load external libraries on Windows platform could allow loading of unsafe DLLs thus allowing binary planting attacks. (MFSA 2010-71) - The SSL implementation allows servers to use Diffie-Hellman Ephemeral mode (DHE) with a very short key length. Such key lengths could be easily breakable with modern hardware. (MFSA 2010-72)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 50086
    published 2010-10-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=50086
    title Mozilla Thunderbird < 3.0.9 Multiple Vulnerabilities
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2010-16885.NASL
    description Update to new upstream Firefox version 3.5.15, fixing multiple security issues detailed in the upstream advisories : - http://www.mozilla.org/security/known-vulnerabilities/fi refox35.html#firefox3.5.14 - http://www.mozilla.org/security/known-vulnerabilities/ firefox35.html#firefox3.5.15 Update also includes packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-05-20
    plugin id 50422
    published 2010-11-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=50422
    title Fedora 12 : firefox-3.5.15-1.fc12 / galeon-2.0.7-27.fc12 / gnome-python2-extras-2.25.3-22.fc12 / etc (2010-16885)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_C4F067B9DC4A11DF8E32000F20797EDE.NASL
    description The Mozilla Project reports : MFSA 2010-64 Miscellaneous memory safety hazards (rv:1.9.2.11/ 1.9.1.14) MFSA 2010-65 Buffer overflow and memory corruption using document.write MFSA 2010-66 Use-after-free error in nsBarProp MFSA 2010-67 Dangling pointer vulnerability in LookupGetterOrSetter MFSA 2010-68 XSS in gopher parser when parsing hrefs MFSA 2010-69 Cross-site information disclosure via modal calls MFSA 2010-70 SSL wildcard certificate matching IP addresses MFSA 2010-71 Unsafe library loading vulnerabilities MFSA 2010-72 Insecure Diffie-Hellman key exchange
    last seen 2019-02-21
    modified 2018-11-23
    plugin id 50074
    published 2010-10-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=50074
    title FreeBSD : mozilla -- multiple vulnerabilities (c4f067b9-dc4a-11df-8e32-000f20797ede)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_1_MOZILLATHUNDERBIRD-101021.NASL
    description This update brings Mozilla Thunderbird to version 3.0.9, fixing various bugs and security issues. The following security issues were fixed: MFSA 2010-49 / CVE-2010-3169: Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. MFSA 2010-50 / CVE-2010-2765: Security researcher Chris Rohlf of Matasano Security reported that the implementation of the HTML frameset element contained an integer overflow vulnerability. The code responsible for parsing the frameset columns used an 8-byte counter for the column numbers, so when a very large number of columns was passed in the counter would overflow. When this counter was subsequently used to allocate memory for the frameset, the memory buffer would be too small, potentially resulting in a heap buffer overflow and execution of attacker-controlled memory. MFSA 2010-51 / CVE-2010-2767: Security researcher Sergey Glazunov reported a dangling pointer vulnerability in the implementation of navigator.plugins in which the navigator object could retain a pointer to the plugins array even after it had been destroyed. An attacker could potentially use this issue to crash the browser and run arbitrary code on a victim's computer. MFSA 2010-52 / CVE-2010-3131: Security researcher Haifei Li of FortiGuard Labs reported that Firefox could be used to load a malicious code library that had been planted on a victim's computer. Firefox attempts to load dwmapi.dll upon startup as part of its platform detection, so on systems that don't have this library, such as Windows XP, Firefox will subsequently attempt to load the library from the current working directory. An attacker could use this vulnerability to trick a user into downloading a HTML file and a malicious copy of dwmapi.dll into the same directory on their computer and opening the HTML file with Firefox, thus causing the malicious code to be executed. If the attacker was on the same network as the victim, the malicious DLL could also be loaded via a UNC path. The attack also requires that Firefox not currently be running when it is asked to open the HTML file and accompanying DLL. As this is a Windows only problem, it does not affect the Linux version. It is listed for completeness only. MFSA 2010-53 / CVE-2010-3166: Security researcher wushi of team509 reported a heap buffer overflow in code routines responsible for transforming text runs. A page could be constructed with a bidirectional text run which upon reflow could result in an incorrect length being calculated for the run of text. When this value is subsequently used to allocate memory for the text too small a buffer may be created potentially resulting in a buffer overflow and the execution of attacker controlled memory. MFSA 2010-54 / CVE-2010-2760: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that there was a remaining dangling pointer issue leftover from the fix to CVE-2010-2753. Under certain circumstances one of the pointers held by a XUL tree selection could be freed and then later reused, potentially resulting in the execution of attacker-controlled memory. MFSA 2010-55 / CVE-2010-3168: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that XUL objects could be manipulated such that the setting of certain properties on the object would trigger the removal of the tree from the DOM and cause certain sections of deleted memory to be accessed. In products based on Gecko version 1.9.2 (Firefox 3.6, Thunderbird 3.1) and newer this memory has been overwritten by a value that will cause an unexploitable crash. In products based on Gecko version 1.9.1 (Firefox 3.5, Thunderbird 3.0, and SeaMonkey 2.0) and older an attacker could potentially use this vulnerability to crash a victim's browser and run arbitrary code on their computer. MFSA 2010-56 / CVE-2010-3167: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that the implementation of XUL's content view contains a dangling pointer vulnerability. One of the content view's methods for accessing the internal structure of the tree could be manipulated into removing a node prior to accessing it, resulting in the accessing of deleted memory. If an attacker can control the contents of the deleted memory prior to its access they could use this vulnerability to run arbitrary code on a victim's machine. MFSA 2010-57 / CVE-2010-2766: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that code used to normalize a document contained a logical flaw that could be leveraged to run arbitrary code. When the normalization code ran, a static count of the document's child nodes was used in the traversal, so a page could be constructed that would remove DOM nodes during this normalization which could lead to the accessing of a deleted object and potentially the execution of attacker-controlled memory. MFSA 2010-58 / CVE-2010-2770: Security researcher Marc Schoenefeld reported that a specially crafted font could be applied to a document and cause a crash on Mac systems. The crash showed signs of memory corruption and presumably could be used by an attacker to execute arbitrary code on a victim's computer. This issue probably does not affect the Linux builds and so is listed for completeness. MFSA 2010-59 / CVE-2010-2762: Mozilla developer Blake Kaplan reported that the wrapper class XPCSafeJSObjectWrapper (SJOW), a security wrapper that allows content-defined objects to be safely accessed by privileged code, creates scope chains ending in outer objects. Users of SJOWs which expect the scope chain to end on an inner object may be handed a chrome privileged object which could be leveraged to run arbitrary JavaScript with chrome privileges. Michal Zalewski's recent contributions helped to identify this architectural weakness. MFSA 2010-60 / CVE-2010-2763: Mozilla security researcher mozbugr_a4 reported that the wrapper class XPCSafeJSObjectWrapper (SJOW) on the Mozilla 1.9.1 development branch has a logical error in its scripted function implementation that allows the caller to run the function within the context of another site. This is a violation of the same-origin policy and could be used to mount an XSS attack. MFSA 2010-61 / CVE-2010-2768: Security researchers David Huang and Collin Jackson of Carnegie Mellon University CyLab (Silicon Valley campus) reported that the type attribute of an tag can override the charset of a framed HTML document, even when the document is included across origins. A page could be constructed containing such an tag which sets the charset of the framed document to UTF-7. This could potentially allow an attacker to inject UTF-7 encoded JavaScript into a site, bypassing the site's XSS filters, and then executing the code using the above technique. MFSA 2010-62 / CVE-2010-2769: Security researcher Paul Stone reported that when an HTML selection containing JavaScript is copy-and-pasted or dropped onto a document with designMode enabled the JavaScript will be executed within the context of the site where the code was dropped. A malicious site could leverage this issue in an XSS attack by persuading a user into taking such an action and in the process running malicious JavaScript within the context of another site. MFSA 2010-63 / CVE-2010-2764: Matt Haggard reported that the statusText property of an XMLHttpRequest object is readable by the requestor even when the request is made across origins. This status information reveals the presence of a web server and could be used to gather information about servers on internal private networks. This issue was also independently reported to Mozilla by Nicholas Berthaume. MFSA 2010-64: Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. References Paul Nickerson, Jesse Ruderman, Olli Pettay, Igor Bukanov and Josh Soref reported memory safety problems that affected Firefox 3.6 and Firefox 3.5. - Memory safety bugs - Firefox 3.6, Firefox 3.5 - CVE-2010-3176 Jesse Ruderman reported a crash which affected Firefox 3.5 only. - https://bugzilla.mozilla.org/show_bug.cgi?id=476547 - CVE-2010-3174 MFSA 2010-65 / CVE-2010-3179: Security researcher Alexander Miller reported that passing an excessively long string to document.write could cause text rendering routines to end up in an inconsistent state with sections of stack memory being overwritten with the string data. An attacker could use this flaw to crash a victim's browser and potentially run arbitrary code on their computer. MFSA 2010-66 / CVE-2010-3180: Security researcher Sergey Glazunov reported that it was possible to access the locationbar property of a window object after it had been closed. Since the closed window's memory could have been subsequently reused by the system it was possible that an attempt to access the locationbar property could result in the execution of attacker-controlled memory. MFSA 2010-67 / CVE-2010-3183: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that when window.__lookupGetter__ is called with no arguments the code assumes the top JavaScript stack value is a property name. Since there were no arguments passed into the function, the top value could represent uninitialized memory or a pointer to a previously freed JavaScript object. Under such circumstances the value is passed to another subroutine which calls through the dangling pointer, potentially executing attacker-controlled memory. MFSA 2010-68 / CVE-2010-3177: Google security researcher Robert Swiecki reported that functions used by the Gopher parser to convert text to HTML tags could be exploited to turn text into executable JavaScript. If an attacker could create a file or directory on a Gopher server with the encoded script as part of its name the script would then run in a victim's browser within the context of the site. MFSA 2010-69 / CVE-2010-3178: Security researcher Eduardo Vela Nava reported that if a web page opened a new window and used a javascript: URL to make a modal call, such as alert(), then subsequently navigated the page to a different domain, once the modal call returned the opener of the window could get access to objects in the navigated window. This is a violation of the same-origin policy and could be used by an attacker to steal information from another website. MFSA 2010-70 / CVE-2010-3170: Security researcher Richard Moore reported that when an SSL certificate was created with a common name containing a wildcard followed by a partial IP address a valid SSL connection could be established with a server whose IP address matched the wildcard range by browsing directly to the IP address. It is extremely unlikely that such a certificate would be issued by a Certificate Authority. MFSA 2010-71 / CVE-2010-3182: Dmitri Gribenko reported that the script used to launch Mozilla applications on Linux was effectively including the current working directory in the LD_LIBRARY_PATH environment variable. If an attacker was able to place into the current working directory a malicious shared library with the same name as a library that the bootstrapping script depends on the attacker could have their library loaded instead of the legitimate library.
    last seen 2019-02-21
    modified 2014-06-13
    plugin id 50366
    published 2010-10-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=50366
    title openSUSE Security Update : MozillaThunderbird (MozillaThunderbird-3378)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2010-0782.NASL
    description From Red Hat Security Advisory 2010:0782 : Updated firefox packages that fix several security issues are now available for Red Hat Enterprise Linux 4 and 5. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Network Security Services (NSS) is a set of libraries designed to support the development of security-enabled client and server applications. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2010-3175, CVE-2010-3176, CVE-2010-3179, CVE-2010-3183, CVE-2010-3180) A flaw was found in the way the Gopher parser in Firefox converted text into HTML. A malformed file name on a Gopher server could, when accessed by a victim running Firefox, allow arbitrary JavaScript to be executed in the context of the Gopher domain. (CVE-2010-3177) A same-origin policy bypass flaw was found in Firefox. An attacker could create a malicious web page that, when viewed by a victim, could steal private data from a different website the victim has loaded with Firefox. (CVE-2010-3178) A flaw was found in the script that launches Firefox. The LD_LIBRARY_PATH variable was appending a '.' character, which could allow a local attacker to execute arbitrary code with the privileges of a different user running Firefox, if that user ran Firefox from within an attacker-controlled directory. (CVE-2010-3182) This update also provides NSS version 3.12.8 which is required by the updated Firefox version, fixing the following security issues : It was found that the SSL DHE (Diffie-Hellman Ephemeral) mode implementation for key exchanges in Firefox accepted DHE keys that were 256 bits in length. This update removes support for 256 bit DHE keys, as such keys are easily broken using modern hardware. (CVE-2010-3173) A flaw was found in the way NSS matched SSL certificates when the certificates had a Common Name containing a wildcard and a partial IP address. NSS incorrectly accepted connections to IP addresses that fell within the SSL certificate's wildcard range as valid SSL connections, possibly allowing an attacker to conduct a man-in-the-middle attack. (CVE-2010-3170) For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 3.6.11. You can find a link to the Mozilla advisories in the References section of this erratum. All Firefox users should upgrade to these updated packages, which contain Firefox version 3.6.11, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 68121
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68121
    title Oracle Linux 4 / 5 : firefox (ELSA-2010-0782)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20101117_THUNDERBIRD_ON_SL6_X.NASL
    description A race condition flaw was found in the way Thunderbird handled Document Object Model (DOM) element properties. An HTML mail message containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2010-3765) Several flaws were found in the processing of malformed HTML mail content. An HTML mail message containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2010-3175, CVE-2010-3176, CVE-2010-3179, CVE-2010-3180, CVE-2010-3183) A same-origin policy bypass flaw was found in Thunderbird. Remote HTML content could steal private data from different remote HTML content Thunderbird had loaded. (CVE-2010-3178) Note: JavaScript support is disabled by default in Thunderbird. The above issues are not exploitable unless JavaScript is enabled. A flaw was found in the script that launches Thunderbird. The LD_LIBRARY_PATH variable was appending a '.' character, which could allow a local attacker to execute arbitrary code with the privileges of a different user running Thunderbird, if that user ran Thunderbird from within an attacker-controlled directory. (CVE-2010-3182) All running instances of Thunderbird must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 60905
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60905
    title Scientific Linux Security Update : thunderbird on SL6.x i386/x86_64
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_3_MOZILLATHUNDERBIRD-101021.NASL
    description This update brings Mozilla Thunderbird to version 3.0.9, fixing various bugs and security issues. The following security issues were fixed: MFSA 2010-49 / CVE-2010-3169: Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. MFSA 2010-50 / CVE-2010-2765: Security researcher Chris Rohlf of Matasano Security reported that the implementation of the HTML frameset element contained an integer overflow vulnerability. The code responsible for parsing the frameset columns used an 8-byte counter for the column numbers, so when a very large number of columns was passed in the counter would overflow. When this counter was subsequently used to allocate memory for the frameset, the memory buffer would be too small, potentially resulting in a heap buffer overflow and execution of attacker-controlled memory. MFSA 2010-51 / CVE-2010-2767: Security researcher Sergey Glazunov reported a dangling pointer vulnerability in the implementation of navigator.plugins in which the navigator object could retain a pointer to the plugins array even after it had been destroyed. An attacker could potentially use this issue to crash the browser and run arbitrary code on a victim's computer. MFSA 2010-52 / CVE-2010-3131: Security researcher Haifei Li of FortiGuard Labs reported that Firefox could be used to load a malicious code library that had been planted on a victim's computer. Firefox attempts to load dwmapi.dll upon startup as part of its platform detection, so on systems that don't have this library, such as Windows XP, Firefox will subsequently attempt to load the library from the current working directory. An attacker could use this vulnerability to trick a user into downloading a HTML file and a malicious copy of dwmapi.dll into the same directory on their computer and opening the HTML file with Firefox, thus causing the malicious code to be executed. If the attacker was on the same network as the victim, the malicious DLL could also be loaded via a UNC path. The attack also requires that Firefox not currently be running when it is asked to open the HTML file and accompanying DLL. As this is a Windows only problem, it does not affect the Linux version. It is listed for completeness only. MFSA 2010-53 / CVE-2010-3166: Security researcher wushi of team509 reported a heap buffer overflow in code routines responsible for transforming text runs. A page could be constructed with a bidirectional text run which upon reflow could result in an incorrect length being calculated for the run of text. When this value is subsequently used to allocate memory for the text too small a buffer may be created potentially resulting in a buffer overflow and the execution of attacker controlled memory. MFSA 2010-54 / CVE-2010-2760: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that there was a remaining dangling pointer issue leftover from the fix to CVE-2010-2753. Under certain circumstances one of the pointers held by a XUL tree selection could be freed and then later reused, potentially resulting in the execution of attacker-controlled memory. MFSA 2010-55 / CVE-2010-3168: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that XUL objects could be manipulated such that the setting of certain properties on the object would trigger the removal of the tree from the DOM and cause certain sections of deleted memory to be accessed. In products based on Gecko version 1.9.2 (Firefox 3.6, Thunderbird 3.1) and newer this memory has been overwritten by a value that will cause an unexploitable crash. In products based on Gecko version 1.9.1 (Firefox 3.5, Thunderbird 3.0, and SeaMonkey 2.0) and older an attacker could potentially use this vulnerability to crash a victim's browser and run arbitrary code on their computer. MFSA 2010-56 / CVE-2010-3167: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that the implementation of XUL's content view contains a dangling pointer vulnerability. One of the content view's methods for accessing the internal structure of the tree could be manipulated into removing a node prior to accessing it, resulting in the accessing of deleted memory. If an attacker can control the contents of the deleted memory prior to its access they could use this vulnerability to run arbitrary code on a victim's machine. MFSA 2010-57 / CVE-2010-2766: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that code used to normalize a document contained a logical flaw that could be leveraged to run arbitrary code. When the normalization code ran, a static count of the document's child nodes was used in the traversal, so a page could be constructed that would remove DOM nodes during this normalization which could lead to the accessing of a deleted object and potentially the execution of attacker-controlled memory. MFSA 2010-58 / CVE-2010-2770: Security researcher Marc Schoenefeld reported that a specially crafted font could be applied to a document and cause a crash on Mac systems. The crash showed signs of memory corruption and presumably could be used by an attacker to execute arbitrary code on a victim's computer. This issue probably does not affect the Linux builds and so is listed for completeness. MFSA 2010-59 / CVE-2010-2762: Mozilla developer Blake Kaplan reported that the wrapper class XPCSafeJSObjectWrapper (SJOW), a security wrapper that allows content-defined objects to be safely accessed by privileged code, creates scope chains ending in outer objects. Users of SJOWs which expect the scope chain to end on an inner object may be handed a chrome privileged object which could be leveraged to run arbitrary JavaScript with chrome privileges. Michal Zalewski's recent contributions helped to identify this architectural weakness. MFSA 2010-60 / CVE-2010-2763: Mozilla security researcher mozbugr_a4 reported that the wrapper class XPCSafeJSObjectWrapper (SJOW) on the Mozilla 1.9.1 development branch has a logical error in its scripted function implementation that allows the caller to run the function within the context of another site. This is a violation of the same-origin policy and could be used to mount an XSS attack. MFSA 2010-61 / CVE-2010-2768: Security researchers David Huang and Collin Jackson of Carnegie Mellon University CyLab (Silicon Valley campus) reported that the type attribute of an tag can override the charset of a framed HTML document, even when the document is included across origins. A page could be constructed containing such an tag which sets the charset of the framed document to UTF-7. This could potentially allow an attacker to inject UTF-7 encoded JavaScript into a site, bypassing the site's XSS filters, and then executing the code using the above technique. MFSA 2010-62 / CVE-2010-2769: Security researcher Paul Stone reported that when an HTML selection containing JavaScript is copy-and-pasted or dropped onto a document with designMode enabled the JavaScript will be executed within the context of the site where the code was dropped. A malicious site could leverage this issue in an XSS attack by persuading a user into taking such an action and in the process running malicious JavaScript within the context of another site. MFSA 2010-63 / CVE-2010-2764: Matt Haggard reported that the statusText property of an XMLHttpRequest object is readable by the requestor even when the request is made across origins. This status information reveals the presence of a web server and could be used to gather information about servers on internal private networks. This issue was also independently reported to Mozilla by Nicholas Berthaume. MFSA 2010-64: Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. References Paul Nickerson, Jesse Ruderman, Olli Pettay, Igor Bukanov and Josh Soref reported memory safety problems that affected Firefox 3.6 and Firefox 3.5. - Memory safety bugs - Firefox 3.6, Firefox 3.5 - CVE-2010-3176 Jesse Ruderman reported a crash which affected Firefox 3.5 only. - https://bugzilla.mozilla.org/show_bug.cgi?id=476547 - CVE-2010-3174 MFSA 2010-65 / CVE-2010-3179: Security researcher Alexander Miller reported that passing an excessively long string to document.write could cause text rendering routines to end up in an inconsistent state with sections of stack memory being overwritten with the string data. An attacker could use this flaw to crash a victim's browser and potentially run arbitrary code on their computer. MFSA 2010-66 / CVE-2010-3180: Security researcher Sergey Glazunov reported that it was possible to access the locationbar property of a window object after it had been closed. Since the closed window's memory could have been subsequently reused by the system it was possible that an attempt to access the locationbar property could result in the execution of attacker-controlled memory. MFSA 2010-67 / CVE-2010-3183: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that when window.__lookupGetter__ is called with no arguments the code assumes the top JavaScript stack value is a property name. Since there were no arguments passed into the function, the top value could represent uninitialized memory or a pointer to a previously freed JavaScript object. Under such circumstances the value is passed to another subroutine which calls through the dangling pointer, potentially executing attacker-controlled memory. MFSA 2010-68 / CVE-2010-3177: Google security researcher Robert Swiecki reported that functions used by the Gopher parser to convert text to HTML tags could be exploited to turn text into executable JavaScript. If an attacker could create a file or directory on a Gopher server with the encoded script as part of its name the script would then run in a victim's browser within the context of the site. MFSA 2010-69 / CVE-2010-3178: Security researcher Eduardo Vela Nava reported that if a web page opened a new window and used a javascript: URL to make a modal call, such as alert(), then subsequently navigated the page to a different domain, once the modal call returned the opener of the window could get access to objects in the navigated window. This is a violation of the same-origin policy and could be used by an attacker to steal information from another website. MFSA 2010-70 / CVE-2010-3170: Security researcher Richard Moore reported that when an SSL certificate was created with a common name containing a wildcard followed by a partial IP address a valid SSL connection could be established with a server whose IP address matched the wildcard range by browsing directly to the IP address. It is extremely unlikely that such a certificate would be issued by a Certificate Authority. MFSA 2010-71 / CVE-2010-3182: Dmitri Gribenko reported that the script used to launch Mozilla applications on Linux was effectively including the current working directory in the LD_LIBRARY_PATH environment variable. If an attacker was able to place into the current working directory a malicious shared library with the same name as a library that the bootstrapping script depends on the attacker could have their library loaded instead of the legitimate library.
    last seen 2019-02-21
    modified 2014-06-13
    plugin id 75660
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=75660
    title openSUSE Security Update : MozillaThunderbird (MozillaThunderbird-3378)
  • NASL family Windows
    NASL id MOZILLA_THUNDERBIRD_315.NASL
    description The installed version of Thunderbird 3.1 is earlier than 3.1.5. Such versions are potentially affected by the following security issues : - Multiple memory safety bugs could lead to memory corruption, potentially resulting in arbitrary code execution. (MFSA 2010-64) - By passing an excessively long string to 'document.write', it may be possible to trigger a buffer overflow condition resulting in arbitrary code execution on the remote system. (MFSA 2010-65) - A use-after-free error in nsBarProp could allow arbitrary code execution on the remote system. (MFSA 2010-66) - A dangling pointer vulnerability in LookupGetterOrSetter could allow arbitrary code execution. (MFSA 2010-67) - It is possible to steal information from a site in a different domain using modal calls. (MFSA 2010-69) - It is possible to establish a valid SSL connection to a remote host, provided the SSL certificate was created with a common name containing a wild card followed by partial IP address of the remote host. (MFSA 2010-70) - A function used to load external libraries on Windows platform could allow loading of unsafe DLLs thus allowing binary planting attacks. (MFSA 2010-71) - The SSL implementation allows servers to use Diffie-Hellman Ephemeral mode (DHE) with a very short key length. Such key lengths could be easily breakable with modern hardware. (MFSA 2010-72)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 50087
    published 2010-10-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=50087
    title Mozilla Thunderbird 3.1 < 3.1.5 Multiple Vulnerabilities
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2010-210.NASL
    description Security issues were identified and fixed in firefox : Mozilla Firefox before 3.5.14 and 3.6.x before 3.6.11, Thunderbird before 3.0.9 and 3.1.x before 3.1.5, and SeaMonkey before 2.0.9 recognize a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority (CVE-2010-3170). The SSL implementation in Mozilla Firefox before 3.5.14 and 3.6.x before 3.6.11, Thunderbird before 3.0.9 and 3.1.x before 3.1.5, and SeaMonkey before 2.0.9 does not properly set the minimum key length for Diffie-Hellman Ephemeral (DHE) mode, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a brute-force attack (CVE-2010-3173). Unspecified vulnerability in the browser engine in Mozilla Firefox 3.5.x before 3.5.14, Thunderbird before 3.0.9, and SeaMonkey before 2.0.9 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors (CVE-2010-3174, CVE-2010-3175, CVE-2010-3176). Multiple cross-site scripting (XSS) vulnerabilities in the Gopher parser in Mozilla Firefox before 3.5.14 and 3.6.x before 3.6.11, and SeaMonkey before 2.0.9, allow remote attackers to inject arbitrary web script or HTML via a crafted name of a (1) file or (2) directory on a Gopher server (CVE-2010-3177). Mozilla Firefox before 3.5.14 and 3.6.x before 3.6.11, Thunderbird before 3.0.9 and 3.1.x before 3.1.5, and SeaMonkey before 2.0.9 do not properly handle certain modal calls made by javascript: URLs in circumstances related to opening a new window and performing cross-domain navigation, which allows remote attackers to bypass the Same Origin Policy via a crafted HTML document (CVE-2010-3178). Stack-based buffer overflow in the text-rendering functionality in Mozilla Firefox before 3.5.14 and 3.6.x before 3.6.11, Thunderbird before 3.0.9 and 3.1.x before 3.1.5, and SeaMonkey before 2.0.9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a long argument to the document.write method (CVE-2010-3179). Use-after-free vulnerability in the nsBarProp function in Mozilla Firefox before 3.5.14 and 3.6.x before 3.6.11, Thunderbird before 3.0.9 and 3.1.x before 3.1.5, and SeaMonkey before 2.0.9 allows remote attackers to execute arbitrary code by accessing the locationbar property of a closed window (CVE-2010-3180). A certain application-launch script in Mozilla Firefox before 3.5.14 and 3.6.x before 3.6.11, Thunderbird before 3.0.9 and 3.1.x before 3.1.5, and SeaMonkey before 2.0.9 on Linux places a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse shared library in the current working directory (CVE-2010-3182). The LookupGetterOrSetter function in Mozilla Firefox before 3.5.14 and 3.6.x before 3.6.11, Thunderbird before 3.0.9 and 3.1.x before 3.1.5, and SeaMonkey before 2.0.9 does not properly support window.__lookupGetter__ function calls that lack arguments, which allows remote attackers to execute arbitrary code or cause a denial of service (incorrect pointer dereference and application crash) via a crafted HTML document (CVE-2010-3183). Packages for 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more: http://store.mandriva.com/product_info.php?cPath=149&products_id=4 90 Additionally, some packages which require so, have been rebuilt and are being provided as updates. The NSS and SQLite3 packages has been upgraded to the latest versions.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 50314
    published 2010-10-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=50314
    title Mandriva Linux Security Advisory : firefox (MDVSA-2010:210)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_MOZILLA-XULRUNNER191-101118.NASL
    description This update brings the Mozilla XULRunner engine to version 1.9.1.15, fixing various bugs and security issues. The following security issues were fixed : - Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. References. (MFSA 2010-64) Paul Nickerson, Jesse Ruderman, Olli Pettay, Igor Bukanov and Josh Soref reported memory safety problems that affected Firefox 3.6 and Firefox 3.5. - Memory safety bugs - Firefox 3.6, Firefox 3.5 - Gary Kwong, Martijn Wargers and Siddharth Agarwal reported memory safety problems that affected Firefox 3.6 only. (CVE-2010-3176) - Memory safety bugs - Firefox 3.6 - CVE-2010-3175 - Security researcher Alexander Miller reported that passing an excessively long string to document.write could cause text rendering routines to end up in an inconsistent state with sections of stack memory being overwritten with the string data. An attacker could use this flaw to crash a victim's browser and potentially run arbitrary code on their computer. (MFSA 2010-65 / CVE-2010-3179) - Security researcher Sergey Glazunov reported that it was possible to access the locationbar property of a window object after it had been closed. Since the closed window's memory could have been subsequently reused by the system it was possible that an attempt to access the locationbar property could result in the execution of attacker-controlled memory. (MFSA 2010-66 / CVE-2010-3180) - Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that when window.__lookupGetter__ is called with no arguments the code assumes the top JavaScript stack value is a property name. Since there were no arguments passed into the function, the top value could represent uninitialized memory or a pointer to a previously freed JavaScript object. Under such circumstances the value is passed to another subroutine which calls through the dangling pointer, potentially executing attacker-controlled memory. (MFSA 2010-67 / CVE-2010-3183) - Google security researcher Robert Swiecki reported that functions used by the Gopher parser to convert text to HTML tags could be exploited to turn text into executable JavaScript. If an attacker could create a file or directory on a Gopher server with the encoded script as part of its name the script would then run in a victim's browser within the context of the site. (MFSA 2010-68 / CVE-2010-3177) - Security researcher Eduardo Vela Nava reported that if a web page opened a new window and used a javascript: URL to make a modal call, such as alert(), then subsequently navigated the page to a different domain, once the modal call returned the opener of the window could get access to objects in the navigated window. This is a violation of the same-origin policy and could be used by an attacker to steal information from another web site. (MFSA 2010-69 / CVE-2010-3178) - Security researcher Richard Moore reported that when an SSL certificate was created with a common name containing a wildcard followed by a partial IP address a valid SSL connection could be established with a server whose IP address matched the wildcard range by browsing directly to the IP address. It is extremely unlikely that such a certificate would be issued by a Certificate Authority. (MFSA 2010-70 / CVE-2010-3170) - Dmitri Gribenko reported that the script used to launch Mozilla applications on Linux was effectively including the current working directory in the LD_LIBRARY_PATH environment variable. If an attacker was able to place into the current working directory a malicious shared library with the same name as a library that the bootstrapping script depends on the attacker could have their library loaded instead of the legitimate library. (MFSA 2010-71 / CVE-2010-3182) - Morten Kråkvik of Telenor SOC reported an exploit targeting particular versions of Firefox 3.6 on Windows XP that Telenor found while investigating an intrusion attempt on a customer network. The underlying vulnerability, however, was present on both the Firefox 3.5 and Firefox 3.6 development branches and affected all supported platforms. (MFSA 2010-73 / CVE-2010-3765)
    last seen 2019-02-21
    modified 2013-11-27
    plugin id 50952
    published 2010-12-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=50952
    title SuSE 11 / 11.1 Security Update : Mozilla XULrunner (SAT Patch Numbers 3557 / 3558)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-998-1.NASL
    description Paul Nickerson, Jesse Ruderman, Olli Pettay, Igor Bukanov, Josh Soref, Gary Kwong, Martijn Wargers, Siddharth Agarwal and Michal Zalewski discovered various flaws in the browser engine. An attacker could exploit this to crash Thunderbird or possibly run arbitrary code as the user invoking the program. (CVE-2010-3175, CVE-2010-3176) Alexander Miller, Sergey Glazunov, and others discovered several flaws in the JavaScript engine. If JavaScript were enabled, an attacker could exploit this to crash Thunderbird or possibly run arbitrary code as the user invoking the program. (CVE-2010-3179, CVE-2010-3180, CVE-2010-3183) Eduardo Vela Nava discovered that Thunderbird could be made to violate the same-origin policy by using modal calls with JavaScript. If JavaScript were enabled, an attacker could exploit this to steal information from another site. (CVE-2010-3178) Dmitri GribenkoDmitri Gribenko discovered that Thunderbird did not properly setup the LD_LIBRARY_PATH environment variable. A local attacker could exploit this to execute arbitrary code as the user invoking the program. (CVE-2010-3182). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 50083
    published 2010-10-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=50083
    title Ubuntu 10.04 LTS / 10.10 : thunderbird vulnerabilities (USN-998-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_3_MOZILLAFIREFOX-101029.NASL
    description This update brings Mozilla Firefox to version 3.6.12, fixing various bugs and security issues. The following security issues were fixed: MFSA 2010-64: Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. References Paul Nickerson, Jesse Ruderman, Olli Pettay, Igor Bukanov and Josh Soref reported memory safety problems that affected Firefox 3.6 and Firefox 3.5. - Memory safety bugs - Firefox 3.6, Firefox 3.5 - CVE-2010-3176 Gary Kwong, Martijn Wargers and Siddharth Agarwal reported memory safety problems that affected Firefox 3.6 only. - Memory safety bugs - Firefox 3.6 - CVE-2010-3175 MFSA 2010-65 / CVE-2010-3179: Security researcher Alexander Miller reported that passing an excessively long string to document.write could cause text rendering routines to end up in an inconsistent state with sections of stack memory being overwritten with the string data. An attacker could use this flaw to crash a victim's browser and potentially run arbitrary code on their computer. MFSA 2010-66 / CVE-2010-3180: Security researcher Sergey Glazunov reported that it was possible to access the locationbar property of a window object after it had been closed. Since the closed window's memory could have been subsequently reused by the system it was possible that an attempt to access the locationbar property could result in the execution of attacker-controlled memory. MFSA 2010-67 / CVE-2010-3183: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that when window.__lookupGetter__ is called with no arguments the code assumes the top JavaScript stack value is a property name. Since there were no arguments passed into the function, the top value could represent uninitialized memory or a pointer to a previously freed JavaScript object. Under such circumstances the value is passed to another subroutine which calls through the dangling pointer, potentially executing attacker-controlled memory. MFSA 2010-68 / CVE-2010-3177: Google security researcher Robert Swiecki reported that functions used by the Gopher parser to convert text to HTML tags could be exploited to turn text into executable JavaScript. If an attacker could create a file or directory on a Gopher server with the encoded script as part of its name the script would then run in a victim's browser within the context of the site. MFSA 2010-69 / CVE-2010-3178: Security researcher Eduardo Vela Nava reported that if a web page opened a new window and used a javascript: URL to make a modal call, such as alert(), then subsequently navigated the page to a different domain, once the modal call returned the opener of the window could get access to objects in the navigated window. This is a violation of the same-origin policy and could be used by an attacker to steal information from another website. MFSA 2010-70 / CVE-2010-3170: Security researcher Richard Moore reported that when an SSL certificate was created with a common name containing a wildcard followed by a partial IP address a valid SSL connection could be established with a server whose IP address matched the wildcard range by browsing directly to the IP address. It is extremely unlikely that such a certificate would be issued by a Certificate Authority. MFSA 2010-71 / CVE-2010-3182: Dmitri Gribenko reported that the script used to launch Mozilla applications on Linux was effectively including the current working directory in the LD_LIBRARY_PATH environment variable. If an attacker was able to place into the current working directory a malicious shared library with the same name as a library that the bootstrapping script depends on the attacker could have their library loaded instead of the legitimate library. MFSA 2010-73 / CVE-2010-3765: Morten Kråkvik of Telenor SOC reported an exploit targeting particular versions of Firefox 3.6 on Windows XP that Telenor found while investigating an intrusion attempt on a customer network. The underlying vulnerability, however, was present on both the Firefox 3.5 and Firefox 3.6 development branches and affected all supported platforms.
    last seen 2019-02-21
    modified 2014-06-13
    plugin id 75648
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=75648
    title openSUSE Security Update : MozillaFirefox (MozillaFirefox-3422)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20101019_FIREFOX_ON_SL4_X.NASL
    description Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2010-3175, CVE-2010-3176, CVE-2010-3179, CVE-2010-3183, CVE-2010-3180) A flaw was found in the way the Gopher parser in Firefox converted text into HTML. A malformed file name on a Gopher server could, when accessed by a victim running Firefox, allow arbitrary JavaScript to be executed in the context of the Gopher domain. (CVE-2010-3177) A same-origin policy bypass flaw was found in Firefox. An attacker could create a malicious web page that, when viewed by a victim, could steal private data from a different website the victim has loaded with Firefox. (CVE-2010-3178) A flaw was found in the script that launches Firefox. The LD_LIBRARY_PATH variable was appending a '.' character, which could allow a local attacker to execute arbitrary code with the privileges of a different user running Firefox, if that user ran Firefox from within an attacker-controlled directory. (CVE-2010-3182) This update also provides NSS version 3.12.8 which is required by the updated Firefox version, fixing the following security issues : It was found that the SSL DHE (Diffie-Hellman Ephemeral) mode implementation for key exchanges in Firefox accepted DHE keys that were 256 bits in length. This update removes support for 256 bit DHE keys, as such keys are easily broken using modern hardware. (CVE-2010-3173) A flaw was found in the way NSS matched SSL certificates when the certificates had a Common Name containing a wildcard and a partial IP address. NSS incorrectly accepted connections to IP addresses that fell within the SSL certificate's wildcard range as valid SSL connections, possibly allowing an attacker to conduct a man-in-the-middle attack. (CVE-2010-3170) After installing the update, Firefox must be restarted for the changes to take effect.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 60870
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60870
    title Scientific Linux Security Update : firefox on SL4.x, SL5.x i386/x86_64
  • NASL family Windows
    NASL id MOZILLA_FIREFOX_3611.NASL
    description The installed version of Firefox 3.6 is earlier than 3.6.11. Such versions are potentially affected by the following security issues : - Multiple memory safety bugs could lead to memory corruption, potentially resulting in arbitrary code execution. (MFSA 2010-64) - By passing an excessively long string to 'document.write', it may be possible to trigger a buffer overflow condition resulting in arbitrary code execution on the remote system. (MFSA 2010-65) - A use-after-free error in nsBarProp could allow arbitrary code execution on the remote system. (MFSA 2010-66) - A dangling pointer vulnerability in LookupGetterOrSetter could allow arbitrary code execution. (MFSA 2010-67) - The Gopher parser is affected by a cross-site scripting vulnerability. (MFSA 2010-68) - It is possible to steal information from a site in a different domain using modal calls. (MFSA 2010-69) - It is possible to establish a valid SSL connection to a remote host, provided the SSL certificate was created with a common name containing a wild card followed by partial IP address of the remote host. (MFSA 2010-70) - A function used to load external libraries on Windows platform could allow loading of unsafe DLLs thus allowing binary planting attacks. (MFSA 2010-71) - The SSL implementation allows servers to use Diffie-Hellman Ephemeral mode (DHE) with a very short key length. Such key lengths could be easily breakable with modern hardware. (MFSA 2010-72)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 50085
    published 2010-10-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=50085
    title Firefox 3.6 < 3.6.11 Multiple Vulnerabilities
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2010-0782.NASL
    description Updated firefox packages that fix several security issues are now available for Red Hat Enterprise Linux 4 and 5. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Network Security Services (NSS) is a set of libraries designed to support the development of security-enabled client and server applications. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2010-3175, CVE-2010-3176, CVE-2010-3179, CVE-2010-3183, CVE-2010-3180) A flaw was found in the way the Gopher parser in Firefox converted text into HTML. A malformed file name on a Gopher server could, when accessed by a victim running Firefox, allow arbitrary JavaScript to be executed in the context of the Gopher domain. (CVE-2010-3177) A same-origin policy bypass flaw was found in Firefox. An attacker could create a malicious web page that, when viewed by a victim, could steal private data from a different website the victim has loaded with Firefox. (CVE-2010-3178) A flaw was found in the script that launches Firefox. The LD_LIBRARY_PATH variable was appending a '.' character, which could allow a local attacker to execute arbitrary code with the privileges of a different user running Firefox, if that user ran Firefox from within an attacker-controlled directory. (CVE-2010-3182) This update also provides NSS version 3.12.8 which is required by the updated Firefox version, fixing the following security issues : It was found that the SSL DHE (Diffie-Hellman Ephemeral) mode implementation for key exchanges in Firefox accepted DHE keys that were 256 bits in length. This update removes support for 256 bit DHE keys, as such keys are easily broken using modern hardware. (CVE-2010-3173) A flaw was found in the way NSS matched SSL certificates when the certificates had a Common Name containing a wildcard and a partial IP address. NSS incorrectly accepted connections to IP addresses that fell within the SSL certificate's wildcard range as valid SSL connections, possibly allowing an attacker to conduct a man-in-the-middle attack. (CVE-2010-3170) For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 3.6.11. You can find a link to the Mozilla advisories in the References section of this erratum. All Firefox users should upgrade to these updated packages, which contain Firefox version 3.6.11, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.
    last seen 2019-02-21
    modified 2018-12-20
    plugin id 50040
    published 2010-10-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=50040
    title RHEL 4 / 5 : firefox (RHSA-2010:0782)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_2_MOZILLA-XULRUNNER191-101028.NASL
    description This update brings Mozilla XULRunner to version 1.9.1.15, fixing various bugs and security issues. The following security issues were fixed: MFSA 2010-49 / CVE-2010-3169: Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. MFSA 2010-50 / CVE-2010-2765: Security researcher Chris Rohlf of Matasano Security reported that the implementation of the HTML frameset element contained an integer overflow vulnerability. The code responsible for parsing the frameset columns used an 8-byte counter for the column numbers, so when a very large number of columns was passed in the counter would overflow. When this counter was subsequently used to allocate memory for the frameset, the memory buffer would be too small, potentially resulting in a heap buffer overflow and execution of attacker-controlled memory. MFSA 2010-51 / CVE-2010-2767: Security researcher Sergey Glazunov reported a dangling pointer vulnerability in the implementation of navigator.plugins in which the navigator object could retain a pointer to the plugins array even after it had been destroyed. An attacker could potentially use this issue to crash the browser and run arbitrary code on a victim's computer. MFSA 2010-52 / CVE-2010-3131: Security researcher Haifei Li of FortiGuard Labs reported that Firefox could be used to load a malicious code library that had been planted on a victim's computer. Firefox attempts to load dwmapi.dll upon startup as part of its platform detection, so on systems that don't have this library, such as Windows XP, Firefox will subsequently attempt to load the library from the current working directory. An attacker could use this vulnerability to trick a user into downloading a HTML file and a malicious copy of dwmapi.dll into the same directory on their computer and opening the HTML file with Firefox, thus causing the malicious code to be executed. If the attacker was on the same network as the victim, the malicious DLL could also be loaded via a UNC path. The attack also requires that Firefox not currently be running when it is asked to open the HTML file and accompanying DLL. As this is a Windows only problem, it does not affect the Linux version. It is listed for completeness only. MFSA 2010-53 / CVE-2010-3166: Security researcher wushi of team509 reported a heap buffer overflow in code routines responsible for transforming text runs. A page could be constructed with a bidirectional text run which upon reflow could result in an incorrect length being calculated for the run of text. When this value is subsequently used to allocate memory for the text too small a buffer may be created potentially resulting in a buffer overflow and the execution of attacker controlled memory. MFSA 2010-54 / CVE-2010-2760: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that there was a remaining dangling pointer issue leftover from the fix to CVE-2010-2753. Under certain circumstances one of the pointers held by a XUL tree selection could be freed and then later reused, potentially resulting in the execution of attacker-controlled memory. MFSA 2010-55 / CVE-2010-3168: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that XUL objects could be manipulated such that the setting of certain properties on the object would trigger the removal of the tree from the DOM and cause certain sections of deleted memory to be accessed. In products based on Gecko version 1.9.2 (Firefox 3.6, Thunderbird 3.1) and newer this memory has been overwritten by a value that will cause an unexploitable crash. In products based on Gecko version 1.9.1 (Firefox 3.5, Thunderbird 3.0, and SeaMonkey 2.0) and older an attacker could potentially use this vulnerability to crash a victim's browser and run arbitrary code on their computer. MFSA 2010-56 / CVE-2010-3167: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that the implementation of XUL's content view contains a dangling pointer vulnerability. One of the content view's methods for accessing the internal structure of the tree could be manipulated into removing a node prior to accessing it, resulting in the accessing of deleted memory. If an attacker can control the contents of the deleted memory prior to its access they could use this vulnerability to run arbitrary code on a victim's machine. MFSA 2010-57 / CVE-2010-2766: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that code used to normalize a document contained a logical flaw that could be leveraged to run arbitrary code. When the normalization code ran, a static count of the document's child nodes was used in the traversal, so a page could be constructed that would remove DOM nodes during this normalization which could lead to the accessing of a deleted object and potentially the execution of attacker-controlled memory. MFSA 2010-58 / CVE-2010-2770: Security researcher Marc Schoenefeld reported that a specially crafted font could be applied to a document and cause a crash on Mac systems. The crash showed signs of memory corruption and presumably could be used by an attacker to execute arbitrary code on a victim's computer. This issue probably does not affect the Linux builds and so is listed for completeness. MFSA 2010-59 / CVE-2010-2762: Mozilla developer Blake Kaplan reported that the wrapper class XPCSafeJSObjectWrapper (SJOW), a security wrapper that allows content-defined objects to be safely accessed by privileged code, creates scope chains ending in outer objects. Users of SJOWs which expect the scope chain to end on an inner object may be handed a chrome privileged object which could be leveraged to run arbitrary JavaScript with chrome privileges. Michal Zalewski's recent contributions helped to identify this architectural weakness. MFSA 2010-60 / CVE-2010-2763: Mozilla security researcher mozbugr_a4 reported that the wrapper class XPCSafeJSObjectWrapper (SJOW) on the Mozilla 1.9.1 development branch has a logical error in its scripted function implementation that allows the caller to run the function within the context of another site. This is a violation of the same-origin policy and could be used to mount an XSS attack. MFSA 2010-61 / CVE-2010-2768: Security researchers David Huang and Collin Jackson of Carnegie Mellon University CyLab (Silicon Valley campus) reported that the type attribute of an tag can override the charset of a framed HTML document, even when the document is included across origins. A page could be constructed containing such an tag which sets the charset of the framed document to UTF-7. This could potentially allow an attacker to inject UTF-7 encoded JavaScript into a site, bypassing the site's XSS filters, and then executing the code using the above technique. MFSA 2010-62 / CVE-2010-2769: Security researcher Paul Stone reported that when an HTML selection containing JavaScript is copy-and-pasted or dropped onto a document with designMode enabled the JavaScript will be executed within the context of the site where the code was dropped. A malicious site could leverage this issue in an XSS attack by persuading a user into taking such an action and in the process running malicious JavaScript within the context of another site. MFSA 2010-63 / CVE-2010-2764: Matt Haggard reported that the statusText property of an XMLHttpRequest object is readable by the requestor even when the request is made across origins. This status information reveals the presence of a web server and could be used to gather information about servers on internal private networks. This issue was also independently reported to Mozilla by Nicholas Berthaume. MFSA 2010-64: Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. References Paul Nickerson, Jesse Ruderman, Olli Pettay, Igor Bukanov and Josh Soref reported memory safety problems that affected Firefox 3.6 and Firefox 3.5. - Memory safety bugs - Firefox 3.6, Firefox 3.5 - CVE-2010-3176 Jesse Ruderman reported a crash which affected Firefox 3.5 only. - https://bugzilla.mozilla.org/show_bug.cgi?id=476547 - CVE-2010-3174 MFSA 2010-65 / CVE-2010-3179: Security researcher Alexander Miller reported that passing an excessively long string to document.write could cause text rendering routines to end up in an inconsistent state with sections of stack memory being overwritten with the string data. An attacker could use this flaw to crash a victim's browser and potentially run arbitrary code on their computer. MFSA 2010-66 / CVE-2010-3180: Security researcher Sergey Glazunov reported that it was possible to access the locationbar property of a window object after it had been closed. Since the closed window's memory could have been subsequently reused by the system it was possible that an attempt to access the locationbar property could result in the execution of attacker-controlled memory. MFSA 2010-67 / CVE-2010-3183: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that when window.__lookupGetter__ is called with no arguments the code assumes the top JavaScript stack value is a property name. Since there were no arguments passed into the function, the top value could represent uninitialized memory or a pointer to a previously freed JavaScript object. Under such circumstances the value is passed to another subroutine which calls through the dangling pointer, potentially executing attacker-controlled memory. MFSA 2010-68 / CVE-2010-3177: Google security researcher Robert Swiecki reported that functions used by the Gopher parser to convert text to HTML tags could be exploited to turn text into executable JavaScript. If an attacker could create a file or directory on a Gopher server with the encoded script as part of its name the script would then run in a victim's browser within the context of the site. MFSA 2010-69 / CVE-2010-3178: Security researcher Eduardo Vela Nava reported that if a web page opened a new window and used a javascript: URL to make a modal call, such as alert(), then subsequently navigated the page to a different domain, once the modal call returned the opener of the window could get access to objects in the navigated window. This is a violation of the same-origin policy and could be used by an attacker to steal information from another website. MFSA 2010-70 / CVE-2010-3170: Security researcher Richard Moore reported that when an SSL certificate was created with a common name containing a wildcard followed by a partial IP address a valid SSL connection could be established with a server whose IP address matched the wildcard range by browsing directly to the IP address. It is extremely unlikely that such a certificate would be issued by a Certificate Authority. MFSA 2010-71 / CVE-2010-3182: Dmitri Gribenko reported that the script used to launch Mozilla applications on Linux was effectively including the current working directory in the LD_LIBRARY_PATH environment variable. If an attacker was able to place into the current working directory a malicious shared library with the same name as a library that the bootstrapping script depends on the attacker could have their library loaded instead of the legitimate library. MFSA 2010-73 / CVE-2010-3765: Morten Kråkvik of Telenor SOC reported an exploit targeting particular versions of Firefox 3.6 on Windows XP that Telenor found while investigating an intrusion attempt on a customer network. The underlying vulnerability, however, was present on both the Firefox 3.5 and Firefox 3.6 development branches and affected all supported platforms.
    last seen 2019-02-21
    modified 2014-06-13
    plugin id 50466
    published 2010-11-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=50466
    title openSUSE Security Update : mozilla-xulrunner191 (mozilla-xulrunner191-3421)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2010-0896.NASL
    description An updated thunderbird package that fixes several security issues is now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Mozilla Thunderbird is a standalone mail and newsgroup client. A race condition flaw was found in the way Thunderbird handled Document Object Model (DOM) element properties. An HTML mail message containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2010-3765) Several flaws were found in the processing of malformed HTML mail content. An HTML mail message containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2010-3175, CVE-2010-3176, CVE-2010-3179, CVE-2010-3180, CVE-2010-3183) A same-origin policy bypass flaw was found in Thunderbird. Remote HTML content could steal private data from different remote HTML content Thunderbird had loaded. (CVE-2010-3178) Note: JavaScript support is disabled by default in Thunderbird. The above issues are not exploitable unless JavaScript is enabled. A flaw was found in the script that launches Thunderbird. The LD_LIBRARY_PATH variable was appending a '.' character, which could allow a local attacker to execute arbitrary code with the privileges of a different user running Thunderbird, if that user ran Thunderbird from within an attacker-controlled directory. (CVE-2010-3182) All Thunderbird users should upgrade to this updated package, which resolves these issues. All running instances of Thunderbird must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 50648
    published 2010-11-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=50648
    title RHEL 6 : thunderbird (RHSA-2010:0896)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_MOZILLA-XULRUNNER191-101028.NASL
    description This update brings Mozilla XULRunner to version 1.9.1.14, fixing various bugs and security issues. The following security issues were fixed : - Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. (MFSA 2010-49 / CVE-2010-3169) - Security researcher Chris Rohlf of Matasano Security reported that the implementation of the HTML frameset element contained an integer overflow vulnerability. The code responsible for parsing the frameset columns used an 8-byte counter for the column numbers, so when a very large number of columns was passed in the counter would overflow. When this counter was subsequently used to allocate memory for the frameset, the memory buffer would be too small, potentially resulting in a heap buffer overflow and execution of attacker-controlled memory. (MFSA 2010-50 / CVE-2010-2765) - Security researcher Sergey Glazunov reported a dangling pointer vulnerability in the implementation of navigator.plugins in which the navigator object could retain a pointer to the plugins array even after it had been destroyed. An attacker could potentially use this issue to crash the browser and run arbitrary code on a victim's computer. (MFSA 2010-51 / CVE-2010-2767) - Security researcher Haifei Li of FortiGuard Labs reported that Firefox could be used to load a malicious code library that had been planted on a victim's computer. Firefox attempts to load dwmapi.dll upon startup as part of its platform detection, so on systems that don't have this library, such as Windows XP, Firefox will subsequently attempt to load the library from the current working directory. An attacker could use this vulnerability to trick a user into downloading a HTML file and a malicious copy of dwmapi.dll into the same directory on their computer and opening the HTML file with Firefox, thus causing the malicious code to be executed. If the attacker was on the same network as the victim, the malicious DLL could also be loaded via a UNC path. The attack also requires that Firefox not currently be running when it is asked to open the HTML file and accompanying DLL. As this is a Windows only problem, it does not affect the Linux version. It is listed for completeness only. (MFSA 2010-52 / CVE-2010-3131) - Security researcher wushi of team509 reported a heap buffer overflow in code routines responsible for transforming text runs. A page could be constructed with a bidirectional text run which upon reflow could result in an incorrect length being calculated for the run of text. When this value is subsequently used to allocate memory for the text too small a buffer may be created potentially resulting in a buffer overflow and the execution of attacker controlled memory. (MFSA 2010-53 / CVE-2010-3166) - Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that there was a remaining dangling pointer issue leftover from the fix to CVE-2010-2753. Under certain circumstances one of the pointers held by a XUL tree selection could be freed and then later reused, potentially resulting in the execution of attacker-controlled memory. (MFSA 2010-54 / CVE-2010-2760) - Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that XUL objects could be manipulated such that the setting of certain properties on the object would trigger the removal of the tree from the DOM and cause certain sections of deleted memory to be accessed. In products based on Gecko version 1.9.2 (Firefox 3.6, Thunderbird 3.1) and newer this memory has been overwritten by a value that will cause an unexploitable crash. In products based on Gecko version 1.9.1 (Firefox 3.5, Thunderbird 3.0, and SeaMonkey 2.0) and older an attacker could potentially use this vulnerability to crash a victim's browser and run arbitrary code on their computer. (MFSA 2010-55 / CVE-2010-3168) - Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that the implementation of XUL's content view contains a dangling pointer vulnerability. One of the content view's methods for accessing the internal structure of the tree could be manipulated into removing a node prior to accessing it, resulting in the accessing of deleted memory. If an attacker can control the contents of the deleted memory prior to its access they could use this vulnerability to run arbitrary code on a victim's machine. (MFSA 2010-56 / CVE-2010-3167) - Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that code used to normalize a document contained a logical flaw that could be leveraged to run arbitrary code. When the normalization code ran, a static count of the document's child nodes was used in the traversal, so a page could be constructed that would remove DOM nodes during this normalization which could lead to the accessing of a deleted object and potentially the execution of attacker-controlled memory. (MFSA 2010-57 / CVE-2010-2766) - Security researcher Marc Schoenefeld reported that a specially crafted font could be applied to a document and cause a crash on Mac systems. The crash showed signs of memory corruption and presumably could be used by an attacker to execute arbitrary code on a victim's computer. This issue probably does not affect the Linux builds and so is listed for completeness. (MFSA 2010-58 / CVE-2010-2770) - Mozilla developer Blake Kaplan reported that the wrapper class XPCSafeJSObjectWrapper (SJOW), a security wrapper that allows content-defined objects to be safely accessed by privileged code, creates scope chains ending in outer objects. Users of SJOWs which expect the scope chain to end on an inner object may be handed a chrome privileged object which could be leveraged to run arbitrary JavaScript with chrome privileges. Michal Zalewski's recent contributions helped to identify this architectural weakness. (MFSA 2010-59 / CVE-2010-2762) - Mozilla security researcher mozbugr_a4 reported that the wrapper class XPCSafeJSObjectWrapper (SJOW) on the Mozilla 1.9.1 development branch has a logical error in its scripted function implementation that allows the caller to run the function within the context of another site. This is a violation of the same-origin policy and could be used to mount an XSS attack. (MFSA 2010-60 / CVE-2010-2763) - Security researchers David Huang and Collin Jackson of Carnegie Mellon University CyLab (Silicon Valley campus) reported that the type attribute of an tag can override the charset of a framed HTML document, even when the document is included across origins. A page could be constructed containing such an tag which sets the charset of the framed document to UTF-7. This could potentially allow an attacker to inject UTF-7 encoded JavaScript into a site, bypassing the site's XSS filters, and then executing the code using the above technique. (MFSA 2010-61 / CVE-2010-2768) - Security researcher Paul Stone reported that when an HTML selection containing JavaScript is copy-and-pasted or dropped onto a document with designMode enabled the JavaScript will be executed within the context of the site where the code was dropped. A malicious site could leverage this issue in an XSS attack by persuading a user into taking such an action and in the process running malicious JavaScript within the context of another site. (MFSA 2010-62 / CVE-2010-2769) - Matt Haggard reported that the statusText property of an XMLHttpRequest object is readable by the requestor even when the request is made across origins. This status information reveals the presence of a web server and could be used to gather information about servers on internal private networks. This issue was also independently reported to Mozilla by Nicholas Berthaume. (MFSA 2010-63 / CVE-2010-2764) - Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. References. (MFSA 2010-64) Paul Nickerson, Jesse Ruderman, Olli Pettay, Igor Bukanov and Josh Soref reported memory safety problems that affected Firefox 3.6 and Firefox 3.5. - Memory safety bugs - Firefox 3.6, Firefox 3.5 - Jesse Ruderman reported a crash which affected Firefox 3.5 only. (CVE-2010-3176) - https://bugzilla.mozilla.org/show_bug.cgi?id=476547 - CVE-2010-3174 - Security researcher Alexander Miller reported that passing an excessively long string to document.write could cause text rendering routines to end up in an inconsistent state with sections of stack memory being overwritten with the string data. An attacker could use this flaw to crash a victim's browser and potentially run arbitrary code on their computer. (MFSA 2010-65 / CVE-2010-3179) - Security researcher Sergey Glazunov reported that it was possible to access the locationbar property of a window object after it had been closed. Since the closed window's memory could have been subsequently reused by the system it was possible that an attempt to access the locationbar property could result in the execution of attacker-controlled memory. (MFSA 2010-66 / CVE-2010-3180) - Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that when window.__lookupGetter__ is called with no arguments the code assumes the top JavaScript stack value is a property name. Since there were no arguments passed into the function, the top value could represent uninitialized memory or a pointer to a previously freed JavaScript object. Under such circumstances the value is passed to another subroutine which calls through the dangling pointer, potentially executing attacker-controlled memory. (MFSA 2010-67 / CVE-2010-3183) - Google security researcher Robert Swiecki reported that functions used by the Gopher parser to convert text to HTML tags could be exploited to turn text into executable JavaScript. If an attacker could create a file or directory on a Gopher server with the encoded script as part of its name the script would then run in a victim's browser within the context of the site. (MFSA 2010-68 / CVE-2010-3177) - Security researcher Eduardo Vela Nava reported that if a web page opened a new window and used a javascript: URL to make a modal call, such as alert(), then subsequently navigated the page to a different domain, once the modal call returned the opener of the window could get access to objects in the navigated window. This is a violation of the same-origin policy and could be used by an attacker to steal information from another web site. (MFSA 2010-69 / CVE-2010-3178) - Security researcher Richard Moore reported that when an SSL certificate was created with a common name containing a wildcard followed by a partial IP address a valid SSL connection could be established with a server whose IP address matched the wildcard range by browsing directly to the IP address. It is extremely unlikely that such a certificate would be issued by a Certificate Authority. (MFSA 2010-70 / CVE-2010-3170) - Dmitri Gribenko reported that the script used to launch Mozilla applications on Linux was effectively including the current working directory in the LD_LIBRARY_PATH environment variable. If an attacker was able to place into the current working directory a malicious shared library with the same name as a library that the bootstrapping script depends on the attacker could have their library loaded instead of the legitimate library. (MFSA 2010-71 / CVE-2010-3182)
    last seen 2019-02-21
    modified 2013-10-25
    plugin id 50951
    published 2010-12-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=50951
    title SuSE 11 / 11.1 Security Update : Mozilla (SAT Patch Numbers 3417 / 3419)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-997-1.NASL
    description Paul Nickerson, Jesse Ruderman, Olli Pettay, Igor Bukanov, Josh Soref, Gary Kwong, Martijn Wargers, Siddharth Agarwal and Michal Zalewski discovered various flaws in the browser engine. An attacker could exploit this to crash the browser or possibly run arbitrary code as the user invoking the program. (CVE-2010-3175, CVE-2010-3176) Alexander Miller, Sergey Glazunov, and others discovered several flaws in the JavaScript engine. An attacker could exploit this to crash the browser or possibly run arbitrary code as the user invoking the program. (CVE-2010-3179, CVE-2010-3180, CVE-2010-3183) Robert Swiecki discovered that Firefox did not properly validate Gopher URLs. If a user were tricked into opening a crafted file via Gopher, an attacker could possibly run arbitrary JavaScript. (CVE-2010-3177) Eduardo Vela Nava discovered that Firefox could be made to violate the same-origin policy by using modal calls with JavaScript. An attacker could exploit this to steal information from another site. (CVE-2010-3178) Dmitri GribenkoDmitri Gribenko discovered that Firefox did not properly setup the LD_LIBRARY_PATH environment variable. A local attacker could exploit this to execute arbitrary code as the user invoking the program. (CVE-2010-3182). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 50082
    published 2010-10-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=50082
    title Ubuntu 8.04 LTS / 9.04 / 9.10 / 10.04 LTS / 10.10 : firefox, firefox-3.0, firefox-3.5, xulrunner-1.9.1, xulrunner-1.9.2 vulnerabilities (USN-997-1)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20101110_FIREFOX_ON_SL6_X.NASL
    description A race condition flaw was found in the way Firefox handled Document Object Model (DOM) element properties. Malicious HTML content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2010-3765) Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2010-3175, CVE-2010-3176, CVE-2010-3179, CVE-2010-3183, CVE-2010-3180) A flaw was found in the way the Gopher parser in Firefox converted text into HTML. A malformed file name on a Gopher server could, when accessed by a victim running Firefox, allow arbitrary JavaScript to be executed in the context of the Gopher domain. (CVE-2010-3177) A same-origin policy bypass flaw was found in Firefox. An attacker could create a malicious web page that, when viewed by a victim, could steal private data from a different website the victim had loaded with Firefox. (CVE-2010-3178) A flaw was found in the script that launches Firefox. The LD_LIBRARY_PATH variable was appending a '.' character, which could allow a local attacker to execute arbitrary code with the privileges of a different user running Firefox, if that user ran Firefox from within an attacker-controlled directory. (CVE-2010-3182) For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 3.6.11 and 3.6.12. After installing the update, Firefox must be restarted for the changes to take effect.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 60889
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60889
    title Scientific Linux Security Update : firefox on SL6.x i386/x86_64
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_3_SEAMONKEY-101021.NASL
    description This update brings Mozilla SeaMonkey to version 2.0.9, fixing various bugs and security issues. The following security issues were fixed: MFSA 2010-49 / CVE-2010-3169: Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. MFSA 2010-50 / CVE-2010-2765: Security researcher Chris Rohlf of Matasano Security reported that the implementation of the HTML frameset element contained an integer overflow vulnerability. The code responsible for parsing the frameset columns used an 8-byte counter for the column numbers, so when a very large number of columns was passed in the counter would overflow. When this counter was subsequently used to allocate memory for the frameset, the memory buffer would be too small, potentially resulting in a heap buffer overflow and execution of attacker-controlled memory. MFSA 2010-51 / CVE-2010-2767: Security researcher Sergey Glazunov reported a dangling pointer vulnerability in the implementation of navigator.plugins in which the navigator object could retain a pointer to the plugins array even after it had been destroyed. An attacker could potentially use this issue to crash the browser and run arbitrary code on a victim's computer. MFSA 2010-52 / CVE-2010-3131: Security researcher Haifei Li of FortiGuard Labs reported that Firefox could be used to load a malicious code library that had been planted on a victim's computer. Firefox attempts to load dwmapi.dll upon startup as part of its platform detection, so on systems that don't have this library, such as Windows XP, Firefox will subsequently attempt to load the library from the current working directory. An attacker could use this vulnerability to trick a user into downloading a HTML file and a malicious copy of dwmapi.dll into the same directory on their computer and opening the HTML file with Firefox, thus causing the malicious code to be executed. If the attacker was on the same network as the victim, the malicious DLL could also be loaded via a UNC path. The attack also requires that Firefox not currently be running when it is asked to open the HTML file and accompanying DLL. As this is a Windows only problem, it does not affect the Linux version. It is listed for completeness only. MFSA 2010-53 / CVE-2010-3166: Security researcher wushi of team509 reported a heap buffer overflow in code routines responsible for transforming text runs. A page could be constructed with a bidirectional text run which upon reflow could result in an incorrect length being calculated for the run of text. When this value is subsequently used to allocate memory for the text too small a buffer may be created potentially resulting in a buffer overflow and the execution of attacker controlled memory. MFSA 2010-54 / CVE-2010-2760: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that there was a remaining dangling pointer issue leftover from the fix to CVE-2010-2753. Under certain circumstances one of the pointers held by a XUL tree selection could be freed and then later reused, potentially resulting in the execution of attacker-controlled memory. MFSA 2010-55 / CVE-2010-3168: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that XUL objects could be manipulated such that the setting of certain properties on the object would trigger the removal of the tree from the DOM and cause certain sections of deleted memory to be accessed. In products based on Gecko version 1.9.2 (Firefox 3.6, Thunderbird 3.1) and newer this memory has been overwritten by a value that will cause an unexploitable crash. In products based on Gecko version 1.9.1 (Firefox 3.5, Thunderbird 3.0, and SeaMonkey 2.0) and older an attacker could potentially use this vulnerability to crash a victim's browser and run arbitrary code on their computer. MFSA 2010-56 / CVE-2010-3167: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that the implementation of XUL's content view contains a dangling pointer vulnerability. One of the content view's methods for accessing the internal structure of the tree could be manipulated into removing a node prior to accessing it, resulting in the accessing of deleted memory. If an attacker can control the contents of the deleted memory prior to its access they could use this vulnerability to run arbitrary code on a victim's machine. MFSA 2010-57 / CVE-2010-2766: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that code used to normalize a document contained a logical flaw that could be leveraged to run arbitrary code. When the normalization code ran, a static count of the document's child nodes was used in the traversal, so a page could be constructed that would remove DOM nodes during this normalization which could lead to the accessing of a deleted object and potentially the execution of attacker-controlled memory. MFSA 2010-58 / CVE-2010-2770: Security researcher Marc Schoenefeld reported that a specially crafted font could be applied to a document and cause a crash on Mac systems. The crash showed signs of memory corruption and presumably could be used by an attacker to execute arbitrary code on a victim's computer. This issue probably does not affect the Linux builds and so is listed for completeness. MFSA 2010-59 / CVE-2010-2762: Mozilla developer Blake Kaplan reported that the wrapper class XPCSafeJSObjectWrapper (SJOW), a security wrapper that allows content-defined objects to be safely accessed by privileged code, creates scope chains ending in outer objects. Users of SJOWs which expect the scope chain to end on an inner object may be handed a chrome privileged object which could be leveraged to run arbitrary JavaScript with chrome privileges. Michal Zalewski's recent contributions helped to identify this architectural weakness. MFSA 2010-60 / CVE-2010-2763: Mozilla security researcher mozbugr_a4 reported that the wrapper class XPCSafeJSObjectWrapper (SJOW) on the Mozilla 1.9.1 development branch has a logical error in its scripted function implementation that allows the caller to run the function within the context of another site. This is a violation of the same-origin policy and could be used to mount an XSS attack. MFSA 2010-61 / CVE-2010-2768: Security researchers David Huang and Collin Jackson of Carnegie Mellon University CyLab (Silicon Valley campus) reported that the type attribute of an tag can override the charset of a framed HTML document, even when the document is included across origins. A page could be constructed containing such an tag which sets the charset of the framed document to UTF-7. This could potentially allow an attacker to inject UTF-7 encoded JavaScript into a site, bypassing the site's XSS filters, and then executing the code using the above technique. MFSA 2010-62 / CVE-2010-2769: Security researcher Paul Stone reported that when an HTML selection containing JavaScript is copy-and-pasted or dropped onto a document with designMode enabled the JavaScript will be executed within the context of the site where the code was dropped. A malicious site could leverage this issue in an XSS attack by persuading a user into taking such an action and in the process running malicious JavaScript within the context of another site. MFSA 2010-63 / CVE-2010-2764: Matt Haggard reported that the statusText property of an XMLHttpRequest object is readable by the requestor even when the request is made across origins. This status information reveals the presence of a web server and could be used to gather information about servers on internal private networks. This issue was also independently reported to Mozilla by Nicholas Berthaume. MFSA 2010-64: Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. References Paul Nickerson, Jesse Ruderman, Olli Pettay, Igor Bukanov and Josh Soref reported memory safety problems that affected Firefox 3.6 and Firefox 3.5. - Memory safety bugs - Firefox 3.6, Firefox 3.5 - CVE-2010-3176 Jesse Ruderman reported a crash which affected Firefox 3.5 only. - https://bugzilla.mozilla.org/show_bug.cgi?id=476547 - CVE-2010-3174 MFSA 2010-65 / CVE-2010-3179: Security researcher Alexander Miller reported that passing an excessively long string to document.write could cause text rendering routines to end up in an inconsistent state with sections of stack memory being overwritten with the string data. An attacker could use this flaw to crash a victim's browser and potentially run arbitrary code on their computer. MFSA 2010-66 / CVE-2010-3180: Security researcher Sergey Glazunov reported that it was possible to access the locationbar property of a window object after it had been closed. Since the closed window's memory could have been subsequently reused by the system it was possible that an attempt to access the locationbar property could result in the execution of attacker-controlled memory. MFSA 2010-67 / CVE-2010-3183: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that when window.__lookupGetter__ is called with no arguments the code assumes the top JavaScript stack value is a property name. Since there were no arguments passed into the function, the top value could represent uninitialized memory or a pointer to a previously freed JavaScript object. Under such circumstances the value is passed to another subroutine which calls through the dangling pointer, potentially executing attacker-controlled memory. MFSA 2010-68 / CVE-2010-3177: Google security researcher Robert Swiecki reported that functions used by the Gopher parser to convert text to HTML tags could be exploited to turn text into executable JavaScript. If an attacker could create a file or directory on a Gopher server with the encoded script as part of its name the script would then run in a victim's browser within the context of the site. MFSA 2010-69 / CVE-2010-3178: Security researcher Eduardo Vela Nava reported that if a web page opened a new window and used a javascript: URL to make a modal call, such as alert(), then subsequently navigated the page to a different domain, once the modal call returned the opener of the window could get access to objects in the navigated window. This is a violation of the same-origin policy and could be used by an attacker to steal information from another website. MFSA 2010-70 / CVE-2010-3170: Security researcher Richard Moore reported that when an SSL certificate was created with a common name containing a wildcard followed by a partial IP address a valid SSL connection could be established with a server whose IP address matched the wildcard range by browsing directly to the IP address. It is extremely unlikely that such a certificate would be issued by a Certificate Authority. MFSA 2010-71 / CVE-2010-3182: Dmitri Gribenko reported that the script used to launch Mozilla applications on Linux was effectively including the current working directory in the LD_LIBRARY_PATH environment variable. If an attacker was able to place into the current working directory a malicious shared library with the same name as a library that the bootstrapping script depends on the attacker could have their library loaded instead of the legitimate library.
    last seen 2019-02-21
    modified 2014-08-21
    plugin id 75733
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=75733
    title openSUSE Security Update : seamonkey (seamonkey-3372)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2010-16593.NASL
    description Update to new upstream Firefox version 3.6.11, fixing multiple security issues detailed in the upstream advisories : http://www.mozilla.org/security/known-vulnerabilities/firefox36.html#f irefox3.6.11 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-20
    plugin id 50356
    published 2010-10-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=50356
    title Fedora 13 : firefox-3.6.11-1.fc13 / galeon-2.0.7-34.fc13 / gnome-python2-extras-2.25.3-23.fc13 / etc (2010-16593)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2010-16897.NASL
    description Update to new upstream Firefox version 3.6.12, fixing multiple security issues detailed in the upstream advisories : - http://www.mozilla.org/security/known-vulnerabilities/fi refox36.html#firefox3.6.11 - http://www.mozilla.org/security/known-vulnerabilities/ firefox36.html#firefox3.6.12 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-05-20
    plugin id 50403
    published 2010-10-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=50403
    title Fedora 14 : firefox-3.6.12-1.fc14 / galeon-2.0.7-35.fc14.1 / gnome-python2-extras-2.25.3-25.fc14.1 / etc (2010-16897)
  • NASL family Windows
    NASL id MOZILLA_FIREFOX_3514.NASL
    description The installed version of Firefox is earlier than 3.5.14. Such versions are potentially affected by the following security issues : - Multiple memory safety bugs could lead to memory corruption, potentially resulting in arbitrary code execution. (MFSA 2010-64) - By passing an excessively long string to 'document.write', it may be possible to trigger a buffer overflow condition resulting in arbitrary code execution on the remote system. (MFSA 2010-65) - A use-after-free error in nsBarProp could allow arbitrary code execution on the remote system. (MFSA 2010-66) - A dangling pointer vulnerability in LookupGetterOrSetter could allow arbitrary code execution. (MFSA 2010-67) - The Gopher parser is affected by a cross-site scripting vulnerability. (MFSA 2010-68) - It is possible to steal information from a site in a different domain using modal calls. (MFSA 2010-69) - It is possible to establish a valid SSL connection to a remote host, provided the SSL certificate was created with a common name containing a wild card followed by partial IP address of the remote host. (MFSA 2010-70) - A function used to load external libraries on Windows platform could allow loading of unsafe DLLs thus allowing binary planting attacks. (MFSA 2010-71) - The SSL implementation allows servers to use Diffie-Hellman Ephemeral mode (DHE) with a very short key length. Such key lengths could be easily breakable with modern hardware. (MFSA 2010-72)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 50084
    published 2010-10-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=50084
    title Firefox < 3.5.14 Multiple Vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_MOZILLAFIREFOX-101103.NASL
    description This update brings Mozilla Firefox to version 3.6.12, fixing various bugs and security issues. The following security issues were fixed : - Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. References. (MFSA 2010-64) Paul Nickerson, Jesse Ruderman, Olli Pettay, Igor Bukanov and Josh Soref reported memory safety problems that affected Firefox 3.6 and Firefox 3.5. - Memory safety bugs - Firefox 3.6, Firefox 3.5 - Gary Kwong, Martijn Wargers and Siddharth Agarwal reported memory safety problems that affected Firefox 3.6 only. (CVE-2010-3176) - Memory safety bugs - Firefox 3.6 - CVE-2010-3175 - Security researcher Alexander Miller reported that passing an excessively long string to document.write could cause text rendering routines to end up in an inconsistent state with sections of stack memory being overwritten with the string data. An attacker could use this flaw to crash a victim's browser and potentially run arbitrary code on their computer. (MFSA 2010-65 / CVE-2010-3179) - Security researcher Sergey Glazunov reported that it was possible to access the locationbar property of a window object after it had been closed. Since the closed window's memory could have been subsequently reused by the system it was possible that an attempt to access the locationbar property could result in the execution of attacker-controlled memory. (MFSA 2010-66 / CVE-2010-3180) - Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that when window.lookupGetter is called with no arguments the code assumes the top JavaScript stack value is a property name. Since there were no arguments passed into the function, the top value could represent uninitialized memory or a pointer to a previously freed JavaScript object. Under such circumstances the value is passed to another subroutine which calls through the dangling pointer, potentially executing attacker-controlled memory. (MFSA 2010-67 / CVE-2010-3183) - Google security researcher Robert Swiecki reported that functions used by the Gopher parser to convert text to HTML tags could be exploited to turn text into executable JavaScript. If an attacker could create a file or directory on a Gopher server with the encoded script as part of its name the script would then run in a victim's browser within the context of the site. (MFSA 2010-68 / CVE-2010-3177) - Security researcher Eduardo Vela Nava reported that if a web page opened a new window and used a javascript: URL to make a modal call, such as alert(), then subsequently navigated the page to a different domain, once the modal call returned the opener of the window could get access to objects in the navigated window. This is a violation of the same-origin policy and could be used by an attacker to steal information from another web site. (MFSA 2010-69 / CVE-2010-3178) - Security researcher Richard Moore reported that when an SSL certificate was created with a common name containing a wildcard followed by a partial IP address a valid SSL connection could be established with a server whose IP address matched the wildcard range by browsing directly to the IP address. It is extremely unlikely that such a certificate would be issued by a Certificate Authority. (MFSA 2010-70 / CVE-2010-3170) - Dmitri Gribenko reported that the script used to launch Mozilla applications on Linux was effectively including the current working directory in the LDLIBRARYPATH environment variable. If an attacker was able to place into the current working directory a malicious shared library with the same name as a library that the bootstrapping script depends on the attacker could have their library loaded instead of the legitimate library. (MFSA 2010-71 / CVE-2010-3182) - Morten Krokvik of Telenor SOC reported an exploit targeting particular versions of Firefox 3.6 on Windows XP that Telenor found while investigating an intrusion attempt on a customer network. The underlying vulnerability, however, was present on both the Firefox 3.5 and Firefox 3.6 development branches and affected all supported platforms. (MFSA 2010-73 / CVE-2010-3765)
    last seen 2019-02-21
    modified 2013-11-27
    plugin id 50876
    published 2010-12-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=50876
    title SuSE 11 / 11.1 Security Update : Mozilla Firefox (SAT Patch Numbers 3455 / 3456)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_2_MOZILLATHUNDERBIRD-101022.NASL
    description This update brings Mozilla Thunderbird to version 3.0.9, fixing various bugs and security issues. The following security issues were fixed: MFSA 2010-49 / CVE-2010-3169: Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. MFSA 2010-50 / CVE-2010-2765: Security researcher Chris Rohlf of Matasano Security reported that the implementation of the HTML frameset element contained an integer overflow vulnerability. The code responsible for parsing the frameset columns used an 8-byte counter for the column numbers, so when a very large number of columns was passed in the counter would overflow. When this counter was subsequently used to allocate memory for the frameset, the memory buffer would be too small, potentially resulting in a heap buffer overflow and execution of attacker-controlled memory. MFSA 2010-51 / CVE-2010-2767: Security researcher Sergey Glazunov reported a dangling pointer vulnerability in the implementation of navigator.plugins in which the navigator object could retain a pointer to the plugins array even after it had been destroyed. An attacker could potentially use this issue to crash the browser and run arbitrary code on a victim's computer. MFSA 2010-52 / CVE-2010-3131: Security researcher Haifei Li of FortiGuard Labs reported that Firefox could be used to load a malicious code library that had been planted on a victim's computer. Firefox attempts to load dwmapi.dll upon startup as part of its platform detection, so on systems that don't have this library, such as Windows XP, Firefox will subsequently attempt to load the library from the current working directory. An attacker could use this vulnerability to trick a user into downloading a HTML file and a malicious copy of dwmapi.dll into the same directory on their computer and opening the HTML file with Firefox, thus causing the malicious code to be executed. If the attacker was on the same network as the victim, the malicious DLL could also be loaded via a UNC path. The attack also requires that Firefox not currently be running when it is asked to open the HTML file and accompanying DLL. As this is a Windows only problem, it does not affect the Linux version. It is listed for completeness only. MFSA 2010-53 / CVE-2010-3166: Security researcher wushi of team509 reported a heap buffer overflow in code routines responsible for transforming text runs. A page could be constructed with a bidirectional text run which upon reflow could result in an incorrect length being calculated for the run of text. When this value is subsequently used to allocate memory for the text too small a buffer may be created potentially resulting in a buffer overflow and the execution of attacker controlled memory. MFSA 2010-54 / CVE-2010-2760: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that there was a remaining dangling pointer issue leftover from the fix to CVE-2010-2753. Under certain circumstances one of the pointers held by a XUL tree selection could be freed and then later reused, potentially resulting in the execution of attacker-controlled memory. MFSA 2010-55 / CVE-2010-3168: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that XUL objects could be manipulated such that the setting of certain properties on the object would trigger the removal of the tree from the DOM and cause certain sections of deleted memory to be accessed. In products based on Gecko version 1.9.2 (Firefox 3.6, Thunderbird 3.1) and newer this memory has been overwritten by a value that will cause an unexploitable crash. In products based on Gecko version 1.9.1 (Firefox 3.5, Thunderbird 3.0, and SeaMonkey 2.0) and older an attacker could potentially use this vulnerability to crash a victim's browser and run arbitrary code on their computer. MFSA 2010-56 / CVE-2010-3167: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that the implementation of XUL's content view contains a dangling pointer vulnerability. One of the content view's methods for accessing the internal structure of the tree could be manipulated into removing a node prior to accessing it, resulting in the accessing of deleted memory. If an attacker can control the contents of the deleted memory prior to its access they could use this vulnerability to run arbitrary code on a victim's machine. MFSA 2010-57 / CVE-2010-2766: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that code used to normalize a document contained a logical flaw that could be leveraged to run arbitrary code. When the normalization code ran, a static count of the document's child nodes was used in the traversal, so a page could be constructed that would remove DOM nodes during this normalization which could lead to the accessing of a deleted object and potentially the execution of attacker-controlled memory. MFSA 2010-58 / CVE-2010-2770: Security researcher Marc Schoenefeld reported that a specially crafted font could be applied to a document and cause a crash on Mac systems. The crash showed signs of memory corruption and presumably could be used by an attacker to execute arbitrary code on a victim's computer. This issue probably does not affect the Linux builds and so is listed for completeness. MFSA 2010-59 / CVE-2010-2762: Mozilla developer Blake Kaplan reported that the wrapper class XPCSafeJSObjectWrapper (SJOW), a security wrapper that allows content-defined objects to be safely accessed by privileged code, creates scope chains ending in outer objects. Users of SJOWs which expect the scope chain to end on an inner object may be handed a chrome privileged object which could be leveraged to run arbitrary JavaScript with chrome privileges. Michal Zalewski's recent contributions helped to identify this architectural weakness. MFSA 2010-60 / CVE-2010-2763: Mozilla security researcher mozbugr_a4 reported that the wrapper class XPCSafeJSObjectWrapper (SJOW) on the Mozilla 1.9.1 development branch has a logical error in its scripted function implementation that allows the caller to run the function within the context of another site. This is a violation of the same-origin policy and could be used to mount an XSS attack. MFSA 2010-61 / CVE-2010-2768: Security researchers David Huang and Collin Jackson of Carnegie Mellon University CyLab (Silicon Valley campus) reported that the type attribute of an tag can override the charset of a framed HTML document, even when the document is included across origins. A page could be constructed containing such an tag which sets the charset of the framed document to UTF-7. This could potentially allow an attacker to inject UTF-7 encoded JavaScript into a site, bypassing the site's XSS filters, and then executing the code using the above technique. MFSA 2010-62 / CVE-2010-2769: Security researcher Paul Stone reported that when an HTML selection containing JavaScript is copy-and-pasted or dropped onto a document with designMode enabled the JavaScript will be executed within the context of the site where the code was dropped. A malicious site could leverage this issue in an XSS attack by persuading a user into taking such an action and in the process running malicious JavaScript within the context of another site. MFSA 2010-63 / CVE-2010-2764: Matt Haggard reported that the statusText property of an XMLHttpRequest object is readable by the requestor even when the request is made across origins. This status information reveals the presence of a web server and could be used to gather information about servers on internal private networks. This issue was also independently reported to Mozilla by Nicholas Berthaume. MFSA 2010-64: Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. References Paul Nickerson, Jesse Ruderman, Olli Pettay, Igor Bukanov and Josh Soref reported memory safety problems that affected Firefox 3.6 and Firefox 3.5. - Memory safety bugs - Firefox 3.6, Firefox 3.5 - CVE-2010-3176 Jesse Ruderman reported a crash which affected Firefox 3.5 only. - https://bugzilla.mozilla.org/show_bug.cgi?id=476547 - CVE-2010-3174 MFSA 2010-65 / CVE-2010-3179: Security researcher Alexander Miller reported that passing an excessively long string to document.write could cause text rendering routines to end up in an inconsistent state with sections of stack memory being overwritten with the string data. An attacker could use this flaw to crash a victim's browser and potentially run arbitrary code on their computer. MFSA 2010-66 / CVE-2010-3180: Security researcher Sergey Glazunov reported that it was possible to access the locationbar property of a window object after it had been closed. Since the closed window's memory could have been subsequently reused by the system it was possible that an attempt to access the locationbar property could result in the execution of attacker-controlled memory. MFSA 2010-67 / CVE-2010-3183: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that when window.__lookupGetter__ is called with no arguments the code assumes the top JavaScript stack value is a property name. Since there were no arguments passed into the function, the top value could represent uninitialized memory or a pointer to a previously freed JavaScript object. Under such circumstances the value is passed to another subroutine which calls through the dangling pointer, potentially executing attacker-controlled memory. MFSA 2010-68 / CVE-2010-3177: Google security researcher Robert Swiecki reported that functions used by the Gopher parser to convert text to HTML tags could be exploited to turn text into executable JavaScript. If an attacker could create a file or directory on a Gopher server with the encoded script as part of its name the script would then run in a victim's browser within the context of the site. MFSA 2010-69 / CVE-2010-3178: Security researcher Eduardo Vela Nava reported that if a web page opened a new window and used a javascript: URL to make a modal call, such as alert(), then subsequently navigated the page to a different domain, once the modal call returned the opener of the window could get access to objects in the navigated window. This is a violation of the same-origin policy and could be used by an attacker to steal information from another website. MFSA 2010-70 / CVE-2010-3170: Security researcher Richard Moore reported that when an SSL certificate was created with a common name containing a wildcard followed by a partial IP address a valid SSL connection could be established with a server whose IP address matched the wildcard range by browsing directly to the IP address. It is extremely unlikely that such a certificate would be issued by a Certificate Authority. MFSA 2010-71 / CVE-2010-3182: Dmitri Gribenko reported that the script used to launch Mozilla applications on Linux was effectively including the current working directory in the LD_LIBRARY_PATH environment variable. If an attacker was able to place into the current working directory a malicious shared library with the same name as a library that the bootstrapping script depends on the attacker could have their library loaded instead of the legitimate library.
    last seen 2019-02-21
    modified 2014-06-13
    plugin id 50372
    published 2010-10-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=50372
    title openSUSE Security Update : MozillaThunderbird (MozillaThunderbird-3378)
oval via4
accepted 2014-10-06T04:00:26.381-04:00
class vulnerability
contributors
  • name SecPod Team
    organization SecPod Technologies
  • name Sergey Artykhov
    organization ALTX-SOFT
  • name Sergey Artykhov
    organization ALTX-SOFT
  • name Maria Kedovskaya
    organization ALTX-SOFT
  • name Shane Shaffer
    organization G2, Inc.
  • name Maria Kedovskaya
    organization ALTX-SOFT
  • name Maria Kedovskaya
    organization ALTX-SOFT
  • name Richard Helbing
    organization baramundi software
  • name Evgeniy Pavlov
    organization ALTX-SOFT
  • name Evgeniy Pavlov
    organization ALTX-SOFT
  • name Evgeniy Pavlov
    organization ALTX-SOFT
  • name Evgeniy Pavlov
    organization ALTX-SOFT
  • name Evgeniy Pavlov
    organization ALTX-SOFT
  • name Evgeniy Pavlov
    organization ALTX-SOFT
definition_extensions
  • comment Mozilla Firefox Mainline release is installed
    oval oval:org.mitre.oval:def:22259
  • comment Mozilla Thunderbird Mainline release is installed
    oval oval:org.mitre.oval:def:22093
  • comment Mozilla Seamonkey is installed
    oval oval:org.mitre.oval:def:6372
description The LookupGetterOrSetter function in js3250.dll in Mozilla Firefox before 3.5.14 and 3.6.x before 3.6.11, Thunderbird before 3.0.9 and 3.1.x before 3.1.5, and SeaMonkey before 2.0.9 does not properly support window.__lookupGetter__ function calls that lack arguments, which allows remote attackers to execute arbitrary code or cause a denial of service (incorrect pointer dereference and application crash) via vectors involving a "dangling pointer" and the JS_ValueToId function.
family windows
id oval:org.mitre.oval:def:11891
status accepted
submitted 2010-10-26T10:19:56
title Vulnerability in the LookupGetterOrSetter function in Mozilla Firefox before 3.5.14 and 3.6.x before 3.6.11, Thunderbird before 3.0.9 and 3.1.x before 3.1.5, and SeaMonkey before 2.0.9
version 38
redhat via4
advisories
  • bugzilla
    id 642302
    title CVE-2010-3173 NSS: insecure Diffie-Hellman key exchange
    oval
    OR
    • AND
      • comment Red Hat Enterprise Linux 4 is installed
        oval oval:com.redhat.rhsa:tst:20060016001
      • OR
        • AND
          • comment firefox is earlier than 0:3.6.11-2.el4
            oval oval:com.redhat.rhsa:tst:20100782002
          • comment firefox is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060733003
        • AND
          • comment nss is earlier than 0:3.12.8-1.el4
            oval oval:com.redhat.rhsa:tst:20100782004
          • comment nss is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20080978005
        • AND
          • comment nss-devel is earlier than 0:3.12.8-1.el4
            oval oval:com.redhat.rhsa:tst:20100782008
          • comment nss-devel is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20080978007
        • AND
          • comment nss-tools is earlier than 0:3.12.8-1.el4
            oval oval:com.redhat.rhsa:tst:20100782006
          • comment nss-tools is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20090256009
    • AND
      • comment Red Hat Enterprise Linux 5 is installed
        oval oval:com.redhat.rhsa:tst:20070055001
      • OR
        • AND
          • comment xulrunner is earlier than 0:1.9.2.11-2.el5
            oval oval:com.redhat.rhsa:tst:20100782011
          • comment xulrunner is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20080569003
        • AND
          • comment xulrunner-devel is earlier than 0:1.9.2.11-2.el5
            oval oval:com.redhat.rhsa:tst:20100782013
          • comment xulrunner-devel is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20080569005
        • AND
          • comment firefox is earlier than 0:3.6.11-2.el5
            oval oval:com.redhat.rhsa:tst:20100782015
          • comment firefox is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070097009
        • AND
          • comment nss is earlier than 0:3.12.8-1.el5
            oval oval:com.redhat.rhsa:tst:20100782017
          • comment nss is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20080879012
        • AND
          • comment nss-devel is earlier than 0:3.12.8-1.el5
            oval oval:com.redhat.rhsa:tst:20100782019
          • comment nss-devel is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20080879016
        • AND
          • comment nss-pkcs11-devel is earlier than 0:3.12.8-1.el5
            oval oval:com.redhat.rhsa:tst:20100782023
          • comment nss-pkcs11-devel is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20080879014
        • AND
          • comment nss-tools is earlier than 0:3.12.8-1.el5
            oval oval:com.redhat.rhsa:tst:20100782021
          • comment nss-tools is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20080879018
    rhsa
    id RHSA-2010:0782
    released 2010-10-19
    severity Critical
    title RHSA-2010:0782: firefox security update (Critical)
  • rhsa
    id RHSA-2010:0861
  • rhsa
    id RHSA-2010:0896
rpms
  • firefox-0:3.6.11-2.el4
  • nss-0:3.12.8-1.el4
  • nss-devel-0:3.12.8-1.el4
  • nss-tools-0:3.12.8-1.el4
  • xulrunner-0:1.9.2.11-2.el5
  • xulrunner-devel-0:1.9.2.11-2.el5
  • firefox-0:3.6.11-2.el5
  • nss-0:3.12.8-1.el5
  • nss-devel-0:3.12.8-1.el5
  • nss-pkcs11-devel-0:3.12.8-1.el5
  • nss-tools-0:3.12.8-1.el5
  • xulrunner-0:1.9.2.12-1.el6_0
  • xulrunner-devel-0:1.9.2.12-1.el6_0
  • firefox-0:3.6.12-1.el6_0
  • thunderbird-0:3.1.6-1.el6_0
refmap via4
bid 44249
confirm
debian DSA-2124
fedora
  • FEDORA-2010-16885
  • FEDORA-2010-16897
mandriva
  • MDVSA-2010:210
  • MDVSA-2010:211
misc http://www.zerodayinitiative.com/advisories/ZDI-10-219/
secunia 42867
ubuntu
  • USN-997-1
  • USN-998-1
vupen ADV-2011-0061
Last major update 18-07-2011 - 22:39
Published 21-10-2010 - 15:00
Last modified 18-09-2017 - 21:31
Back to Top