Dirty dozen: Mozilla patches critical flaws

Patches have been issued for remotely and locally exploitable flaws in Thunderbird, Mozilla Suite and Firefox.

The Mozilla Foundation recommends users upgrade to eliminate a dozen critical flaws in Thunderbird, Mozilla Suite and Firefox that could allow malicious Web sites to launch arbitrary commands or conduct spoofing and cross site scripting attacks.

Mozilla Firefox 1.0.4 and prior, Mozilla Suite 1.7.8 and prior and Thunderbird 1.0.2 and prior are vulnerable to locally and remotely exploitable flaws. Mozilla suggests upgrading to Firefox 1.0.5 or Mozilla Suite 1.7.9.

Mozilla offered these details on each of the flaws:

MFSA 2005-56
Code execution through shared function objects
Severity: Critical
Products: Firefox, Mozilla Suite
Improper cloning of base objects allows Web content scripts to walk up the prototype chain to get to a privileged object. This could be used to execute code with enhanced privileges.

MFSA 2005-55
XHTML node spoofing
Severity: High
Products: Firefox, Mozilla Suite
An XHTML document could be used to create fake IMG elements, for example, with content-defined properties that the browser would access as if they were the trusted built-in properties of the expected HTML elements. The vulnerability could result in executing user-supplied script with elevated "chrome" privileges. This could be used to install malicious software on the victim's machine.

MFSA 2005-54
Javascript prompt origin spoofing
Severity: Low
Products: Firefox, Mozilla Suite
Alerts and prompts created by scripts in web pages are presented with the generic title [JavaScript Application], which sometimes makes it difficult to know which site created them. A malicious page could attempt to cause a prompt to appear in front of a trusted site in an attempt to extract information such as passwords from the user.

MFSA 2005-53
Standalone applications can run arbitrary code through the browser
Severity: Critical
Products: Firefox
Several media players support scripted content with the ability to open URLs in the default browser. By default, Firefox replaced the currently open browser window's content with the externally opened content. If the external URL was a javascript: URL it would run as if it came from the site that served the previous content, which could be used to steal sensitive information such as login cookies or passwords. If the media player content first caused a privileged chrome: URL to load then the subsequent javascript: URL could execute arbitrary code.

MFSA 2005-52
Same origin violation: frame calling top.focus()
Severity: Moderate
Products: Firefox, Mozilla Suite
A child frame can call top.focus() even if the framing page comes from a different origin and has overridden the focus() routine. The call is made in the context of the child frame. The attacker would look for a target site with a framed page that makes this call but doesn't verify that its parent comes from the same site. The attacker could steal cookies and passwords from the framed page, or take actions on behalf of a signed-in user.

MFSA 2005-51
The return of frame-injection spoofing
Severity: Moderate
Products: Firefox 1.0.3, Mozilla Suite 1.7.7
The original frame-injection spoofing bug was fixed in the Mozilla Suite 1.7 and Firefox 0.9 releases. This protection was accidentally bypassed by one of the fixes in the Firefox 1.0.3 and Mozilla Suite 1.7.7 releases.

MFSA 2005-50
Possibly exploitable crash in InstallVersion.compareTo
Severity: Moderate
Products: Firefox, Mozilla Suite
When InstallVersion.compareTo() is passed an object rather than a string it assumed the object was another InstallVersion without verifying it. When passed a different kind of object the browser would generally crash with an access violation.

MFSA 2005-49
Script injection from Firefox sidebar panel using data
Severity: High
Products: Firefox
Sites can use the _search target to open links in the Firefox sidebar. A missing security check allows the sidebar to inject data: URLs containing scripts into any page open in the browser. This could be used to steal cookies, passwords or other sensitive data.

MFSA 2005-48
Same-origin violation with InstallTrigger callback
Severity: Low [High for Mozilla Suite]
Products: Firefox, Mozilla Suite
The InstallTrigger.install() method for launching an install accepts a callback function that will be called with the final success or error status. By forcing a page navigation immediately after calling the install method this callback function can end up running in the context of the new page selected by the attacker. This callback script can steal data from the new page such as cookies or passwords, or perform actions on the user's behalf such as make a purchase if the user is already logged into the target site.

MFSA 2005-47
Code execution via "Set as Wallpaper"
Severity: High
Products: Firefox 1.0.3
If an attacker can convince a victim to use the "Set As Wallpaper" context menu item on a specially crafted image then he can run arbitary code on the user's computer. The image "source" must be a javascript: URL containing an eval() statement and such an image would get the "broken image" icon, but with CSS it could be made transparent and placed on top of a real image.

MFSA 2005-46
XBL scripts ran even when Javascript disabled
Severity: Low
Products: Firefox, Thunderbird, Mozilla Suite
Scripts in XBL controls from Web content continue to be run even when Javascript is disabled. By itself this causes no harm, but it could be combined with most script-based exploits to attack users running vulnerable versions who thought disabling javascript would protect them.

MFSA 2005-45
Content-generated event vulnerabilities
Severity: High
Products: Firefox, Mozilla Suite
In several places the browser UI did not correctly distinguish between true user events, such as mouse clicks or keystrokes, and synthetic events generated by Web content. The problems ranged from minor annoyances like switching tabs or entering full-screen mode, to a variant on MFSA 2005-34

Dig deeper on Security Resources

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close