#1
Multiple vulnerabilities in Mozilla products
Original release date: September 17, 2004
Last revised: --
Source: US-CERT

Systems Affected

Mozilla software, including the following:

* Mozilla web browser, email and newsgroup client
* Firefox web browser
* Thunderbird email client

Overview

Several vulnerabilities exist in the Mozilla web browser and derived products, the most serious of which could allow a remote attacker to execute arbitrary code on an affected system.

I. Description

Several vulnerabilities have been reported in the Mozilla web browser and derived products. More detailed information is available in the individual vulnerability notes:

VU#414240 - Mozilla Mail vulnerable to buffer overflow via writeGroup() function in nsVCardObj.cpp

Mozilla Mail contains a stack overflow vulnerability in the display routines for VCards. By sending an email message with a crafted VCard, a remote attacker may be able to execute arbitrary code on the victim's machine with the privileges of the current user. This can be exploited in the preview mode as well.

VU#847200 - Mozilla contains integer overflows in bitmap image decoder

A vulnerability in the way Mozilla and its derived programs handle certain bitmap images could allow a remote attacker to execute arbitrary code on a vulnerable system.

VU#808216 - Mozilla contains heap overflow in UTF8 conversion of hostname portion of URLs

A vulnerability in the way Mozilla and its derived programs handle certain malformed URLs could allow a remote attacker to execute arbitrary code on a vulnerable system.

VU#125776 - Multiple buffer overflows in Mozilla POP3 protocol handler

There are multiple buffer overflow vulnerabilities in the Mozilla POP3 protocol handler that could allow a malicious POP3 server to execute arbitrary code on the affected system.

VU#327560 - Mozilla "send page" feature contains a buffer overflow vulnerability

There is a buffer overflow vulnerability in the Mozilla "send page" feature that could allow a remote attacker to execute arbitrary code.

VU#651928 - Mozilla allows arbitrary code execution via link dragging

A vulnerability affecting Mozilla web browsers may allow violation of cross-domain scripting policies and possibly execute code originating from a remote source.

II. Impact

These vulnerabilities could allow a remote attacker to execute arbitrary code with the privileges of the user running the affected application. VU#847200 could also allow a remote attacker to crash an affected application.

III. Solution

Upgrade to a patched version

Mozilla has released versions of the affected software that contain patches for these issues:

* Mozilla 1.7.3
* Firefox Preview Release
* Thunderbird 0.8

Users are strongly encouraged to upgrade to one of these versions.

Appendix A. References

* Mozilla Security Advisory - http://www.mozilla.org/projects/security/known-vulnerabilities.html
* Mozilla 1.7.2 non-ascii hostname heap overrun, Gaël Delalleau - http://www.zencomsec.com/advisories/mozilla-1.7.2-UTF8link.txt
* Security Audit of Mozilla's .bmp image parsing, Gaël Delalleau - http://www.zencomsec.com/advisories/mozilla-1.7.2-BMP.txt
* Security Audit of Mozilla's POP3 client protocol, Gaël Delalleau - http://www.zencomsec.com/advisories/mozilla-1.7.2-POP3.txt
* US-CERT Vulnerability Note VU#414240 - http://www.kb.cert.org/vuls/id/414240
* US-CERT Vulnerability Note VU#847200 - http://www.kb.cert.org/vuls/id/847200
* US-CERT Vulnerability Note VU#808216 - http://www.kb.cert.org/vuls/id/808216
* US-CERT Vulnerability Note VU#125776 - http://www.kb.cert.org/vuls/id/125776
* US-CERT Vulnerability Note VU#327560 - http://www.kb.cert.org/vuls/id/327560
* US-CERT Vulnerability Note VU#651928 - http://www.kb.cert.org/vuls/id/651928

Mozilla has assigned credit for reporting of these issues to the following:

* VU#414240: Georgi Guninski
* VU#847200: Gaël Delalleau
* VU#808216: Gaël Delalleau and Mats Palmgren
* VU#125776: Gaël Delalleau
* VU#327560: Georgi Guninski
* VU#651928: Jesse Ruderman

Feedback can be directed to the US-CERT Technical Staff.

Copyright 2004 Carnegie Mellon University. Terms of use

Revision History

Sep 17, 2004: Initial release

--
Jose Manuel Tella Llop
MVP - Windows
(remove XXX)
http://www.multingles.net/jmt.htm

This message is provided "as is" without warranties of any kind, and confers no rights.
This posting is provided "AS IS" with no warranties, and confers no rights. You assume all risk for your use.
#2
Multiple vulnerabilities in Mozilla products
Firefox and most Mozilla products become slow and useless when a new version comes out. And regarding the vulnerabilities, Mozilla had a download that stopped shell websites. Sadly you had to be given the link since it was almost impossible to find in the main website. And Firefox is still a quick and good browser. No offense for I-Explorer, but you should think of making a faster web browser and more secure. Since Firefox is not good to download win updates.